Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About jrs42
jrs42
Path Finder
Member since:
03-15-2024
06-14-2024
Community Statistics
| Posts | 13 |
| Solutions | 1 |
| Karma Given | 5 |
| Karma Received | 0 |
| Member Since | 03-15-2024 |
Activity Feed
- Karma Re: Column chart with two fields sharing one "bucket" for ITWhisperer. 06-14-2024 04:48 PM
- Karma Re: How can I make Dashboard Studio drilldown highlight be the entire row? for tej57. 06-14-2024 03:07 PM
- Posted Column chart with two fields sharing one "bucket" on Splunk Search. 06-13-2024 12:08 PM
- Posted Re: Is it possible to get the count of events matching a p99 value? on Dashboards & Visualizations. 06-07-2024 08:22 AM
- Karma Re: Is it possible to get the count of events matching a p99 value? for bowesmana. 06-07-2024 08:22 AM
- Karma Re: Is it possible to get the count of events matching a p99 value? for bowesmana. 06-07-2024 08:22 AM
- Posted Re: Is it possible to get the count of events matching a p99 value? on Dashboards & Visualizations. 06-06-2024 09:44 PM
- Posted Re: Is it possible to get the count of events matching a p99 value? on Dashboards & Visualizations. 06-06-2024 06:30 PM
- Posted Is it possible to get the count of events matching a p99 value? on Dashboards & Visualizations. 06-06-2024 11:25 AM
- Posted How can I make Dashboard Studio drilldown highlight be the entire row? on Dashboards & Visualizations. 06-06-2024 11:22 AM
- Posted Re: Renaming or ordering values used in a stats by query on Splunk Search. 05-17-2024 02:57 PM
- Karma Re: Renaming or ordering values used in a stats by query for ITWhisperer. 05-17-2024 02:56 PM
- Posted Re: Renaming or ordering values used in a stats by query on Splunk Search. 05-17-2024 02:53 PM
- Posted Renaming or ordering values used in a stats by query on Splunk Search. 05-17-2024 12:06 PM
- Posted Re: Timechart with moving count on Splunk Search. 03-18-2024 02:55 PM
- Posted Timechart with moving count on Splunk Search. 03-18-2024 01:37 PM
- Posted Re: Multiselect default to all? on Dashboards & Visualizations. 03-15-2024 02:11 PM
- Posted Multiselect default to all? on Dashboards & Visualizations. 03-15-2024 12:08 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
06-13-2024
12:08 PM
I have data with two fields that share a static range of 10 values. I'd like to show a column chart with the buckets on the X axis and two bars in each bucket, one for field A, the other for field B. This doesn't work: index=foo message="bar"
| stats count as "Field A" by A
| append
[ search index=foo message="bar"
| stats count as "Field B" by B
] I'm sure I'm missing something obvious ... To reiterate, fields A and B are present in all events returned and share the same "buckets". Call them strings like "Group 1", "Group 2", etc. So A="Group 3" and B="Group 6" could be in the same event and in the chart I should have a count added for Groups 3 for the Field A column and Group 6 for the Field B column. Thanks!
... View more
Labels
- Labels:
-
stats
06-07-2024
08:22 AM
I just realized I was way, way overthinking this. BY DEFINITION, a p99 value is one that 99% of the events are at or below, thus leaving ONE PERCENT of the total number of events higher. All I need is: index=foo message="magic string"
| stats count as total
| eval over_p99=round(total / 100, 0)
| fields - total which is fast. If I wanted # over p95, just use round(total / 100 * 5, 0) etc. I will be keeping your approach in mind, however, as that's still really good to know. Ty!
... View more
06-06-2024
09:44 PM
While that solution does work it's equally slow as the one I posted. Thank you, but I'm still hoping there's a better/faster way 🙂
... View more
06-06-2024
06:30 PM
I have something that I think works, but I don't know how (in)efficient it is: index=foo message="magic string"
| eventstats p99(duration) as p99val
| where duration > p99val
| stats count as "# of Events with Duration > p99" It seems to take a long time to complete as soon as I add in the "| stats count" bit. Simply getting events seems pretty quick. Is this a good approach and/or how can I improve it?
... View more
06-06-2024
11:25 AM
I've been asked to show how many events are over the p99 (for example) value for a search. I'm hopefully just missing something obvious, but I've not figured out how, or if, this is possible. Thx
... View more
06-06-2024
11:22 AM
In a Classic dashboard, I can add <option name="drilldown">row</option> and it highlights the entire row. My drilldown is not cell-specific, so this is what I want in my Dashboard Studio dashboard. I've tried: "viz_Yy6FIxmM": {
"type": "splunk.table",
"options": {
"tableFormat": {
"align": "> table |pick(alignment)"
},
"drilldown": "row",
... with no change. Thx!
... View more
Labels
- Labels:
-
Dashboard Studio
-
drilldown
05-17-2024
02:57 PM
Extra credit: Is there a way to force all 5 buckets to always appear in the results, even if they have a 0 count?
... View more
05-17-2024
02:53 PM
Thank you! I was so close lol. I hacked it by prepending " " and " " to a couple of bucket names to force them to sort ahead, but that made me cringe. This is far better. Thanks again!
... View more
05-17-2024
12:06 PM
Here's a part of my query, ignoring where the data is coming from: | eval bucket=case(dur < 30, "Less than 30sec", dur <= 60, "30sec - 60sec", dur <= 120, "1min - 2min", dur <= 240, "2min - 4min", dur > 240, "More than 4min")
| eval sort_field=case(bucket="Less than 30sec", 1, bucket="30sec - 60sec", 2, bucket="1min - 2min", 3, bucket="2min - 4min", 4, bucket="More than 4min", 5)
| sort sort_field
| stats count as "Number of Queries" by bucket The problem I have is that the results are ordered alphabetically by the name of each bucket. I'd prefer to have the order always be from quickest to slowest: <30s, 30-60s, 1-2m, 2-4m, >4m What I get: 1min - 2min | <value>
2min - 4min | <value>
30sec - 60sec | <value>
Less than 30sec | <value>
More than 4min | <value> What I want: Less than 30sec | <value>
30sec - 60sec | <value>
1min - 2min | <value>
2min - 4min | <value>
More than 4min | <value> I've tried a number of different approaches, none seeming to do anything. Is this possible?
... View more
Labels
- Labels:
-
stats
03-18-2024
02:55 PM
Unfortunately, that's not it. Let me try to clarify 🙂 Right now, I get results with one value per day so if I pick "last 7 days" I only see 7 data points which is much too coarse. I'd prefer to have the normal "100 bins" or points of data, with each one the count of events for the preceding 24h from when that data point/bin is in time. The end result would be a much smoother chart, basically showing the count value my alert is checking. It's looking to me that as soon as I pick "last 7 days", I'm in the realm of days and I cannot plot with more granularity.
... View more
03-18-2024
01:37 PM
I'm trying to (efficiently) create a chart that collects a count of events, showing the count as a value spanning the previous 24h, over time. i.e. every bin shows the count for the previous 24h. This is intended to show the evaluations an alert is making every x minutes where it triggers if the count is greater than some threshold value. I'm adding that threshold to the chart as a static line so we should be able to see the points at which the alert could have triggered. I have the following right now, but it's only showing one data point per day when I would prefer the normal 100 bins ...
| timechart span=1d count
| eval threshold=1000 Hope that's not too poorly worded 🙂
... View more
Labels
- Labels:
-
timechart
03-15-2024
02:11 PM
Edit: I'm working through this, still. Obviously, I changed what I'm working on to post here so I didn't share anything inappropriate, so I may be running into translation issues :). Got it working as desired. I changed the query to perform an IN instead of a collection of ORs, like so: <prefix>server_used IN (</prefix>
<suffix>)</suffix>
<delimiter>, </delimiter> but otherwise it's pretty much what you posted. TY!
... View more
03-15-2024
12:08 PM
I'm trying to create what is effectively a "server" dropdown in a dashboard, where I want to allow people to filter on one or more servers from a lookup. By default, I want the visualization to show for all servers. I have the lookup pulling values, but I'm stuck trying to figure out how to make it so that they don't have to unselect a default "*" value. Ideally, the input is empty by default (or it can show some value like "*" or "all") but once they start selecting individual servers that "all" option is removed. Conversely, if they remove all servers from the filter, it should once again act like "*". Here's a stripped-down version of what I'm trying to do: <form version="1.1" theme="dark">
<label>My dashboard</label>
<fieldset submitButton="false">
<input type="time" token="field1">
<label></label>
<default>
<earliest>-5m</earliest>
<latest>now</latest>
</default>
</input>
<input type="multiselect" token="server" searchWhenChanged="true">
<label>server</label>
<search>
<query>| inputlookup server_lookup.csv</query>
</search>
<fieldForLabel>server</fieldForLabel>
<fieldForValue>server</fieldForValue>
<delimiter>, </delimiter>
<default>*</default>
</input>
</fieldset>
<row>
<panel>
<title>Some panel</title>
<chart>
<search>
<query>index=* server_used IN ($server$)
| stats median(some_value)</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
<refresh>1m</refresh>
<refreshType>delay</refreshType>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">radialGauge</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.rangeValues">[0,10,30,100]</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.gaugeColors">["0x118832","0xcba700","0xd41f1f"]</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">right</option>
<option name="charting.lineWidth">2</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
</chart>
</panel>
</row>
</form>
... View more
Labels
- Labels:
-
Dashboard Studio
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-14-2024
10:21 PM
|
