Activity Feed
- Posted Re: Sum categories from a main search. on Splunk Search. 06-04-2024 09:43 AM
- Got Karma for Re: CSV file different format when downloaded from report generated.. 06-02-2024 01:18 PM
- Posted Sum categories from a main search. on Splunk Search. 05-31-2024 01:35 PM
- Posted Re: CSV file different format when downloaded from report generated. on Other Usage. 05-30-2024 11:33 AM
- Posted Re: CSV file different format when downloaded from report generated. on Other Usage. 04-15-2024 02:11 PM
- Posted Re: CSV file different format when downloaded from report generated. on Other Usage. 04-08-2024 11:04 AM
- Karma Re: CSV file different format when downloaded from report generated. for tscroggins. 04-08-2024 11:02 AM
- Posted CSV file different format when downloaded from report generated. on Other Usage. 04-05-2024 08:23 AM
- Karma Re: How can I search events based on another lookup file subsearch using like. for richgalloway. 02-01-2024 06:26 AM
- Posted Re: How can I search events based on another lookup file subsearch using like. on Splunk Search. 01-30-2024 01:13 PM
- Posted How can I search events based on another lookup file subsearch using like. on Splunk Search. 01-30-2024 05:35 AM
06-04-2024 09:43 AM
Hi @dtburrows3, thanks so much, your suggestions helped me a lot. For now I will go with the eventstats solutions. For the foreach command I need to go deeper on it since it is more complex. @PickleRick, I will try xyseries, same as I did before, to get the expected single values for the productcat# fields. I need to push this report to Production ASAP.
05-31-2024 01:35 PM
Hi Community team, I have a complex query to gather the data below, but a new request came up: I was asked to add the product category totals by category to the report email subject. With $result.productcat1$ and $result.productcat2$ I could approach that, but the way I'm calculating the totals I'm not getting the expected numbers, because I'm appending the columns from a subquery and transposing the values with xyseries. Could you please suggest how I can sum(Sales Total) by productcat1 and productcat2 in a new field while keeping the same output as I have now? E.g., something like:

if ProducCategory="productcat1"; then productcat1=productcat1+SalesTotal, else productcat2=productcat2+SalesTotal ``` But Print the original output ```

Consider productcat1 and productcat2 are fixed values.

ENV | ProducCategory | ProductName | SalesCondition | SalesTotal | productcat1 | productcat2 |
---|---|---|---|---|---|---|
prod | productcat1 | productR | blabla | 9 | 152 | 160 |
prod | productcat1 | productj | blabla | 8 | | |
prod | productcat1 | productc | blabla | 33 | | |
prod | productcat2 | productx | blabla | 77 | | |
prod | productcat2 | productpp | blabla | 89 | | |
prod | productcat2 | productRr | blabla | 11 | | |
prod | productcat1 | productRs | blabla | 6 | | |
prod | productcat1 | productRd | blabla | 43 | | |
prod | productcat1 | productRq | blabla | 55 | | |

Thanks in advance.
Labels: stats
05-30-2024 11:33 AM
1 Karma
Hi @tscroggins, thanks for all your comments. I'm running 8.2v and the 1st suggestion you made worked, but we didn't see the changes until the search heads were restarted. Now the CSV files are coming with the right format. One thing I noticed: if I clone an existing report with the CSV format configuration, the new one will adopt that configuration too. Thanks
04-15-2024 02:11 PM
@tscroggins, is the suggested configuration restricted to certain Splunk versions? We have tried different options but we are not seeing the CSV formatted as expected; also, the instances were restarted. Thanks in advance. We have run the reports as simple as possible, e.g.: "index=os earliest=-5m |timechart span=1m values(host)" Regards
04-08-2024 11:04 AM
Hi @tscroggins, I really appreciate your comments. I'm currently working with the changes you've suggested. Thanks and Regards,
04-05-2024 08:23 AM
Hi Everyone, For some reason I'm getting a different CSV file format when I download the file vs. the one generated by the scheduled report functionality.
- When I download the file from the Splunk search option I am getting something like: {"timestamp: 2024-04-02T22:42:19.655Z sequence: 735 blablaclasname: com.rr.jj.eee.rrr anotherblablaclasnameName: com.rr.rr.rrrr.rrr level: ERRROR exceptionMessage: blablabc .... }
- When I receive the file by email using the same query I'm getting something like: {"timestamp: 2024-04-02T22:42:19.655Z\nsequence: 735\nblablaclasname: com.rr.jj.eee.rrr\nanotherblablaclasnameName: com.rr.rr.rrrr.rrr\nlevel: ERRROR\n\nexceptionMessage: blablabc\n....}
In the *.conf file I am seeing: LINE_BREAKER = \}(\,?[\r\n]+)\{?
Regards
Labels: CSV
01-30-2024 01:13 PM
Hi @richgalloway, your suggestion to use return helped me make the query work. I had to make some adjustments too:
..main search | where like(onerowevent, [| inputlookup blabla.csv | <whatever_condition_to_make_onecompare_field> | eval onecompare="\"%".onecompare."%\"" | return $onecompare])
The only thing is, when I'm using ' |return $onecompare ', I'm missing one row from the output, even if I test the subsearch separately. I will figure out what is making the ' return ' clause skip the row. Regards,
01-30-2024 05:35 AM
Hi, would you mind helping with this? I have been working for days to figure out how I can pass a lookup file subsearch as a "like" condition in the main search. Two examples:
1)
. . main search| where like(onerowevent, "%".[search [| inputlookup blabla.csv| <whatever_condition_to_make_onecompare_field>|table onecompare }]."%"]])
2)
. . main search| eval onerowevent=if(like(onerowevent,, "%".[search [| inputlookup blabla.csv| <whatever_condition_to_make_onecompare_field>|table onecompare }]."%"]])),onerowevent,"")