×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
erkin
Engager
Member since: ‎03-18-2024
‎03-20-2024
Community Statistics
Posts 3
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎03-18-2024
Activity Feed
View All

Dedup within span

by in Splunk Search
‎03-20-2024 07:54 AM
‎03-20-2024 07:54 AM
Hi! I have an issue with a query and the dedup command.    | eval service=case( (method="GET" AND match(uri, "/v1/[a-zA-Z]{2}/customers\?.*searchString=[^&]+.*")), "FindCustomer", (method="GET" AND match(uri, "/v2/[A-Za-z]{2}/private-customers(/[a-zA-Z0-9-]+)?(?!/)")), "ReadCustomer") | stats count by service   Unfortunately I have been noticing that my events matching to "ReadCustomer" are logged twice. Therefore I get two events right after each other with a couple of seconds in between, which is polluting my results. I need to somehow duplicate events, which have the same uri and happen within 10s of each other. I was thinking to use    |dedup uri    but realized that I want to allow the same uri, if it is more than 10 seconds between the events. If dedup could take a span, that would be the optimal way for me. Does anyone have a good idea on how to solve this? I was also thinking about | transaction  as well but I'm not sure if I can use it... ... View more
Labels

Re: Legends in bar chart

by in Dashboards & Visualizations
‎03-18-2024 02:59 AM
‎03-18-2024 02:59 AM
Yes! Exactly what I need, thank you. Now the only issue I'm having is that I'm no longer available to sort the bar chart in descending order. Earlier I used to do | sort -count, but that doesn't seem to work using static ... View more

Legends in bar chart

by in Dashboards & Visualizations
‎03-18-2024 02:26 AM
‎03-18-2024 02:26 AM
Hi, Im a novice to Splunk and i have a question regarding visualization. I have my query like this:     |...myBaseQuery | chart c as "Count" by category     This results in me only having one legend in my visualization, "Count". I was wondering if there's any way to get the all the values as a legend on the right (see image) ? I realized this is possible when i also use the retailUnit in the chart command:     |...myBaseQuery | chart c as "Count" by retailUnit category     Then I get one label for each category (see image), but i want to achieve this without sorting on retailUnit. Is this possible? ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎03-20-2024 11:42 AM
Karma given to
View All