Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About tdavison76
tdavison76
Path Finder
Member since:
05-09-2024
05-20-2025
Community Statistics
| Posts | 38 |
| Solutions | 1 |
| Karma Given | 11 |
| Karma Received | 2 |
| Member Since | 05-09-2024 |
Activity Feed
- Posted Dedup is extremely Slow on Splunk Search. 05-20-2025 06:27 AM
- Posted Re: Not seeing anything returned when using Sum with an eval IF statement on Splunk Search. 02-18-2025 05:37 AM
- Posted Re: Not seeing anything returned when using Sum with an eval IF statement on Splunk Search. 02-17-2025 02:10 PM
- Got Karma for Re: Not seeing anything returned when using Sum with an eval IF statement. 02-17-2025 02:10 PM
- Posted Re: Not seeing anything returned when using Sum with an eval IF statement on Splunk Search. 02-17-2025 01:54 PM
- Karma Re: Not seeing anything returned when using Sum with an eval IF statement for livehybrid. 02-17-2025 01:53 PM
- Karma Re: Not seeing anything returned when using Sum with an eval IF statement for livehybrid. 02-17-2025 01:53 PM
- Posted Not seeing anything returned when using Sum with an eval IF statement on Splunk Search. 02-17-2025 01:07 PM
- Posted Re: How to show only events that are not Closed on Splunk Search. 02-17-2025 09:25 AM
- Karma Re: How to show only events that are not Closed for livehybrid. 02-17-2025 09:24 AM
- Posted Re: How to show only events that are not Closed on Splunk Search. 02-17-2025 08:20 AM
- Posted Re: How to show only events that are not Closed on Splunk Search. 02-17-2025 06:55 AM
- Posted Re: How to show only events that are not Closed on Splunk Search. 02-17-2025 06:38 AM
- Posted Re: How to show only events that are not Closed on Splunk Search. 02-17-2025 06:08 AM
- Posted Re: How to show only events that are not Closed on Splunk Search. 02-17-2025 05:49 AM
- Posted How to show only events that are not Closed on Splunk Search. 02-17-2025 05:06 AM
- Posted Transaction Rule Naming question on Splunk AppDynamics. 01-07-2025 12:12 PM
- Posted Re: Need help on Regex for a field on Splunk Search. 12-19-2024 05:04 AM
- Karma Re: Need help on Regex for a field for yuanliu. 12-19-2024 05:03 AM
- Posted Re: Need help on Regex for a field on Splunk Search. 12-18-2024 08:52 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
05-20-2025
06:27 AM
Hello, I have a Search that is taking 5 min to complete when looking at only the last 24 hrs. If possible, could someone help me figure out how I can improve this Search? I am in need of deduping by SessionId and combing 3 fields into a single field. source="mobilepro-test"
| dedup Session.SessionId
| strcat UserInfo.UserId " " Location.Site " " Session.StartTime label
| table Session.SessionId, label It looks like it's the dedup that is causing the slowness, but I have no idea how to improve that. Thanks for any help on this one, Tom
... View more
02-18-2025
05:37 AM
The COALESCE did the trick. You are awesome. Thanks for all of the help. I can finally get a good nights rest. 🙂 Thanks, Tom
... View more
02-17-2025
02:10 PM
So sorry, I tested in a time frame with a Create event. I thought it was working. If I chose a time frame with no events, I still get an empty "Sum" field. I've removed the Double Qoutes: (| eval comparison=IF(isCreate>isClose,1, 0)) Also, changed the Stats count(Create) and count(Close) back to "sum". I did this during testing, thanks for catching. Thanks again for the help. Tom
... View more
02-17-2025
01:54 PM
1 Karma
You came thru again, twice in one day!!. Simply awesome, thank you for your help on all of this. It's working like a charm now. Have a good week. Thanks, Tom
... View more
02-17-2025
01:07 PM
Hello, Thanks in advance for any help and Karma will be on the way :). So I'm trying to create a Table that uses a "Sum" field that would show how many "Create" events exist that doesn't have a "Close" event. I'm doing this by using an eval IF statement The issue I am having is when using "Sum", I get no results for Sum when there are not any events. But, if I use "Count", I always get "1" returned. Here's the Search I am using index="healthcheck" integrationName="Opsgenie Edge Connector - Splunk", "alert.message"="[ThousandEyes] Alert for TMS Core Healthcheck", action IN ("Create","Close")
| eval Create=IF(action=="Create",1,0)
| eval Close=IF(action=="Close",1,0)
| stats count(Create) as isCreate, count(Close) as isClose by alert.id
| eval comparison=IF(isCreate>isClose,"1", "0")
| stats sum("comparison") as Sum count("comparison") as Count
| eval Application = "TMS_API"
| eval test = Sum
| eval test1 = Count
| eval test2 = Application
| eval "Monitor Details" = "Performs a Health Check "
| table test, test1, test2 , "Monitor Details" In the returned results, I get an empty "test" field and a "1" in test1 field. Thanks again for your help, and please let me know if more details are needed, this has been a huge headache for me. Thanks, Tom
... View more
Labels
- Labels:
-
fields
-
stats
-
table
-
transaction
02-17-2025
09:25 AM
Thanks, I figured it out with your help. Very much appreciated, and I hope you have a great day.
... View more
02-17-2025
08:20 AM
Hello, That is awesome, by removing: table alert.message, And adding the "by alert.id". only the events that are created with no close appear as expected. Thank you for that. The last piece of the puzzle is how can I create a table that contains other fields that aren't in the "stats" command? If I add a field from the source, nothing is returned. Here's the full working "Search" you helped me with, it includes the field entity.source, where nothing is returned. index=healthcheck integrationName="Opsgenie Edge Connector - Splunk" alert.message = "STORE*" "entity.source"=Meraki, action IN ("Create","Close")
| eval Create=IF(action=="Create",1,0)
| eval Close=IF(action=="Close",1,0)
| stats earliest(_time) as start_time, latest(_time) as end_time, sum(Create) as isCreate, sum(Close) as isClose by alert.id, alert.message
| where isClose=0
| table entity.source, alert.id, alert.message I wish I could give you 20 kudos. Thanks again, Tom
... View more
02-17-2025
06:55 AM
Hello, Sorry, I found out the "Create" and "Close" is in the "action" field. I ran the following Search and it for some reason I get 0 results in the table, and all Create and Close events are returned. index=healthcheck integrationName="Opsgenie Edge Connector - Splunk" alert.message = "STORE*" "entity.source"=Meraki, action IN ("Create","Close")
| eval Create=IF(action=="Create",1,0)
| eval Close=IF(action=="Close",1,0)
| stats earliest(_time) as start_time, latest(_time) as end_time, sum(Create) as isCreate, sum(Close) as isClose
| where isClose=0
| table alert.message Sorry for the confusion, and thank you very much for the help. 🙂 Thanks, Tom
... View more
02-17-2025
06:38 AM
Thanks again Rich, Changing it to "search" got me past the error. 🙂 Sorry, I didn't give all the details, I found out the "Create" "Close" is in the "action" field. So an example event is: {"actionType": "custom", "customerId": "3a1f4387-b87b-4a3a-a568-cc372a86d8e4", "ownerDomain": "integration", "ownerId": "2196f43b-7e43-49dd-b8b7-8243aa391ad9", "discardScriptResponse": true, "sendCallbackToStreamHub": false, "requestId": "dc4c0970-e1fa-492a-999b-10979478d980", "action": "Create", "productSource": "Opsgenie", "customerDomain": "siteone", "integrationName": "Opsgenie Edge Connector - Splunk", "integrationId": "2196f43b-7e43-49dd-b8b7-8243aa391ad9", "customerTransitioningOrConsolidated": false, "source": {"name": "Meraki", "type": "Zapier"}, "type": "oec", "receivedAt": 1739802456801, "params": {"type": "oec", "alertId": "af912c6d-fabd-4df5-ab5b-1669d0908518-1739802456706", "customerId": "3a1f4387-b87b-4a3a-a568-cc372a86d8e4", "action": "Create", "integrationId": "2196f43b-7e43-49dd-b8b7-8243aa391ad9", "integrationName": "Opsgenie Edge Connector - Splunk", "integrationType": "OEC", "customerDomain": "siteone", "alertDetails": {}, "alertAlias": "STORE_674_BOXONE_MX_674", "receivedAt": 1739802456801, "customerConsolidated": false, "customerTransitioningOrConsolidated": false, "productSource": "Opsgenie", "source": {"name": "Meraki", "type": "Zapier"}, "alert": {"alertId": "af912c6d-fabd-4df5-ab5b-1669d0908518-1739802456706", "id": "af912c6d-fabd-4df5-ab5b-1669d0908518-1739802456706", "type": "alert", "message": "STORE_674_BOXONE - MX_674 - WAN Packet Loss", "tags": [], "tinyId": "52615", "entity": "{\"alertConfigId\":636696397319904332,\"configType\":\"AlertConfigs::MiWanPacketLossConfig\",\"condition\":{\"type\":\"wanPacketLoss\",\"window\":600,\"duration\":300,\"interface\":\"wan1\",\"lossRatio\":0.3},\"networkId\":636696397319556753,\"nodeId\":48649290476856,\"status\":\"on\",\"recipients\":{\"emails\":[],\"httpServerIds\":[\"aHR0cHM6Ly9wcm9kLTkxLndlc3R1cy5sb2dpYy5henVyZS5jb206NDQzL3dvcmtmbG93cy9iOTM1ZjU5ODZkMmQ0Njg0YTVjYzUxNGQ2NmNmYmU0OS90cmlnZ2Vycy9tYW51YWwvcGF0aHMvaW52b2tlP2FwaS12ZXJzaW9uPTIwMTYtMDYtMDEmc3A9L3RyaWdnZXJzL21hbnVhbC9y", "alias": "STORE_674_BOXONE_MX_674", "createdAt": 1739802456706, "updatedAt": 1739802457456000000, "username": "Alert API", "team": "Network Support", "responders": [{"id": "830235c6-2402-4c11-9e10-eca616e83acf", "type": "team", "name": "Network Support"}], "teams": ["830235c6-2402-4c11-9e10-eca616e83acf"], "actions": [], "priority": "P2", "source": "Meraki"}, "entity": {"alertId": "af912c6d-fabd-4df5-ab5b-1669d0908518-1739802456706", "id": "af912c6d-fabd-4df5-ab5b-1669d0908518-1739802456706", "type": "alert", "message": "STORE_674_BOXONE - MX_674 - WAN Packet Loss", "tags": [], "tinyId": "52615", "entity": "{\"alertConfigId\":636696397319904332,\"configType\":\"AlertConfigs::MiWanPacketLossConfig\",\"condition\":{\"type\":\"wanPacketLoss\",\"window\":600,\"duration\":300,\"interface\":\"wan1\",\"lossRatio\":0.3},\"networkId\":636696397319556753,\"nodeId\":48649290476856,\"status\":\"on\",\"recipients\":{\"emails\":[],\"httpServerIds\":[\"aHR0cHM6Ly9wcm9kLTkxLndlc3R1cy5sb2dpYy5henVyZS5jb206NDQzL3dvcmtmbG93cy9iOTM1ZjU5ODZkMmQ0Njg0YTVjYzUxNGQ2NmNmYmU0OS90cmlnZ2Vycy9tYW51YWwvcGF0aHMvaW52b2tlP2FwaS12ZXJzaW9uPTIwMTYtMDYtMDEmc3A9L3RyaWdnZXJzL21hbnVhbC9y", "alias": "STORE_674_BOXONE_MX_674", "createdAt": 1739802456706, "updatedAt": 1739802457456000000, "username": "Alert API", "team": "Network Support", "responders": [{"id": "830235c6-2402-4c11-9e10-eca616e83acf", "type": "team", "name": "Network Support"}], "teams": ["830235c6-2402-4c11-9e10-eca616e83acf"], "actions": [], "priority": "P2", "source": "Meraki"}, "mappedActionDto": {"mappedAction": "postActionToOEC", "extraField": ""}, "ownerId": "2196f43b-7e43-49dd-b8b7-8243aa391ad9"}, "integrationType": "OEC", "alert": {"alertId": "af912c6d-fabd-4df5-ab5b-1669d0908518-1739802456706", "id": "af912c6d-fabd-4df5-ab5b-1669d0908518-1739802456706", "type": "alert", "message": "STORE_674_BOXONE - MX_674 - WAN Packet Loss", "tags": [], "tinyId": "52615", "entity": "{\"alertConfigId\":636696397319904332,\"configType\":\"AlertConfigs::MiWanPacketLossConfig\",\"condition\":{\"type\":\"wanPacketLoss\",\"window\":600,\"duration\":300,\"interface\":\"wan1\",\"lossRatio\":0.3},\"networkId\":636696397319556753,\"nodeId\":48649290476856,\"status\":\"on\",\"recipients\":{\"emails\":[],\"httpServerIds\":[\"aHR0cHM6Ly9wcm9kLTkxLndlc3R1cy5sb2dpYy5henVyZS5jb206NDQzL3dvcmtmbG93cy9iOTM1ZjU5ODZkMmQ0Njg0YTVjYzUxNGQ2NmNmYmU0OS90cmlnZ2Vycy9tYW51YWwvcGF0aHMvaW52b2tlP2FwaS12ZXJzaW9uPTIwMTYtMDYtMDEmc3A9L3RyaWdnZXJzL21hbnVhbC9y", "alias": "STORE_674_BOXONE_MX_674", "createdAt": 1739802456706, "updatedAt": 1739802457456000000, "username": "Alert API", "team": "Network Support", "responders": [{"id": "830235c6-2402-4c11-9e10-eca616e83acf", "type": "team", "name": "Network Support"}], "teams": ["830235c6-2402-4c11-9e10-eca616e83acf"], "actions": [], "priority": "P2", "source": "Meraki"}, "customerConsolidated": false, "mappedActionDto": {"mappedAction": "postActionToOEC", "extraField": ""}, "alertId": "af912c6d-fabd-4df5-ab5b-1669d0908518-1739802456706", "alertAlias": "STORE_674_BOXONE_MX_674", "alertDetails": {}, "entity": {"alertId": "af912c6d-fabd-4df5-ab5b-1669d0908518-1739802456706", "id": "af912c6d-fabd-4df5-ab5b-1669d0908518-1739802456706", "type": "alert", "message": "STORE_674_BOXONE - MX_674 - WAN Packet Loss", "tags": [], "tinyId": "52615", "entity": "{\"alertConfigId\":636696397319904332,\"configType\":\"AlertConfigs::MiWanPacketLossConfig\",\"condition\":{\"type\":\"wanPacketLoss\",\"window\":600,\"duration\":300,\"interface\":\"wan1\",\"lossRatio\":0.3},\"networkId\":636696397319556753,\"nodeId\":48649290476856,\"status\":\"on\",\"recipients\":{\"emails\":[],\"httpServerIds\":[\"aHR0cHM6Ly9wcm9kLTkxLndlc3R1cy5sb2dpYy5henVyZS5jb206NDQzL3dvcmtmbG93cy9iOTM1ZjU5ODZkMmQ0Njg0YTVjYzUxNGQ2NmNmYmU0OS90cmlnZ2Vycy9tYW51YWwvcGF0aHMvaW52b2tlP2FwaS12ZXJzaW9uPTIwMTYtMDYtMDEmc3A9L3RyaWdnZXJzL21hbnVhbC9y", "alias": "STORE_674_BOXONE_MX_674", "createdAt": 1739802456706, "updatedAt": 1739802457456000000, "username": "Alert API", "team": "Network Support", "responders": [{"id": "830235c6-2402-4c11-9e10-eca616e83acf", "type": "team", "name": "Network Support"}], "teams": ["830235c6-2402-4c11-9e10-eca616e83acf"], "actions": [], "priority": "P2", "source": "Meraki"}} When I run the following Search, it gives me every event that has an action of "Create", but I need it to return only the "Create" that doesn't have a corresponding "Close". The alert.id would be unique with each Create and Close event. index=healthcheck ("Create","Close") integrationName="Opsgenie Edge Connector - Splunk" alert.message = "STORE*"
| dedup alert.id, action
| search NOT "Close"
| table alert.message Really appreciate the help, going crazy trying to figure this one out 🙂 Thanks, Tom
... View more
02-17-2025
06:08 AM
Thank you very much for your help, I gave it a shot with the: eval {alert.message}=1 But, didn't get any results back, I then tried with the: | eval Create=IF(alert.message=="Create",1,0) Close=IF(alert.message=="Close",1,0) | stats earliest(_time) as start_time, latest(_time) as end_time, sum(Create) as isCreate, sum(Close) as isClose | where isClose=0 and got back a: Error in 'EvalCommand': The expression is malformed. I really suck at this 😞 Thank you for the help, Tom
... View more
02-17-2025
05:49 AM
Thank you so much for the details, I gave it a shot, but it produced the following error: Error in 'where' command: Type checking failed. 'XOR' only takes boolean arguments. Here's the full search I am doing: index=healthcheck ("Create" OR "Close") integrationName="Opsgenie Edge Connector - Splunk" alert.message = "STORE*"
| dedup alert.id alert.message
| where NOT "Close"
| table alert.message Any ideas what I am doing wrong? 🙂 Thanks again, Tom
... View more
02-17-2025
05:06 AM
Hello, I really appreciate any help on this one, I can't figure it out. I am using the following to show only the "Create" events that don't have a corresponding "Close" event. | transaction "alert.id", alert.message startswith=Create endswith=Close keepevicted=true
| where closed_txn=0 This works, but, the search is running for "All Time", and we only keep events up to 1 yr. I've ran into the issue of once one of the "Create" events reach that 1 yr and is deleted. The "Close" event will make it appear in the Search results. I'm not sure why a "Close" event without a corresponding "Create" event would be counted, or how I can prevent if a single "Create" or "Close" event from being returned once one of the events have been deleted or is beyond the Search time frame selected. Any ideas on this one? 🙂 Thanks for any help, you will save me some sleepless nights. Tom
... View more
Labels
- Labels:
-
eval
-
fields
-
stats
-
table
-
transaction
01-07-2025
12:12 PM
Hello, I have a .NET Transaction Rule named: "/ws/rest/api" The matching Rule is a Regex: /ws/rest/api/V[0-9].[0-9]/pthru A couple of examples of the the URLs that would match this rule are: /ws/rest/api/V3.0/pthru/workingorders /ws/rest/api/V4.0/pthru/cart /ws/rest/api/V4.0/pthru/cart/items I am splitting the Rule by URI segments, 4, 5, 6. but the resulting name is: /ws/rest/api.V4.0pthruCart Is there a way to add "/" between each segment, or is there a better way to do this that give us a better looking Transaction Name? Thanks for your help, Tom
... View more
Labels
- Labels:
-
Controller
-
Licensing
-
User Management
12-19-2024
05:04 AM
Hello, Thank you very much for all of the details, that did the trick and I can finally move on to the next task. Thanks again, Tom
... View more
12-18-2024
08:52 AM
Awesome, thank you very much, that did the trick. I screwed up a little, after I tested it, I realized that I was wrong, the originating field can be like one of the following: alert.alias = STORE_8102_BOXONE_MX_8102 alert.alias = STORE_8102_BOXONE_MX_8102_01 Is there a regex for the second field that would just capture everything after that third "_"? Thanks again, really appreciate the help, Tom
... View more
12-18-2024
08:27 AM
Hello, I am just trying to do a regex to split a single field into two new fields. The original field is: alert.alias = STORE_176_RSO_AP_176_10 I need to split this out to 2 new fields. First field = STORE_176_RSO Second field = AP_176_10 I am horrific at regex and am not sure how I can pull this off. Any help would be awesome. 🙂 Thank you for your help, Tom
... View more
12-02-2024
11:55 AM
Sorry about that, I didn't think it would matter. Looks like it does. I've created a Support ticket for this as well. Hopefully, they'll get back to me. If they do, I'll let you know the solution with Studio. 🙂 Thanks again, Tom
... View more
12-02-2024
08:45 AM
Thanks, I tried the steps, but same thing occurred. I then quickly set up a Classic Dashboard instead of a Dashboard Studio, and it works. Looks like either an issue with Studio, of maybe it's just done differently. 🙂 Thanks again, Tom
... View more
12-02-2024
08:16 AM
Hey guys, Thanks for the quick help, still stuck for some reason. So I've tried $row.host$ and $result.host$ but they both result in just passing $xxx.host$ for some reason. Here's the config: Here's the resulting search: Here's the table query: index="netscaler" host=* | rex field="servicegroupname" "\?(?<Name>[^\?]+)" | rex field="servicegroupname" "(?<ServiceGroup>[^\?]+)" | rename "state" AS LastStatus | eval Component = host."|".servicegroupname | search Name=* | eval c_time=strftime(Time,"%m/%d/%Y %H:%M:%S") | streamstats window=1 current=f global=f values(LastStatus) as Status by Component | where LastStatus!=Status | rename _time as "Date" | eval Date=strftime(Date, "%m/%d/%Y %H:%M:%S") | table Date, host, ServiceGroup, Name, Status, LastStatus And, here's a screenshot of the table if helpful. 🙂 Thanks again for the help on this one, very much appreciated. Tom
... View more
12-02-2024
07:18 AM
Hello Giuseppe, Thank you very much for the help, I gave the regex a shot but it still didn't return any results. Here's an event that has the alert.message field of "[ThousandEyes] Alert for priceSingle On-Prem - uepricing.domain.com" included. {"actionType": "custom", "customerId": "3a1f4387-b87b-4a3a-a568-cc372a86d8e4", "ownerDomain": "integration", "ownerId": "2196f43b-7e43-49dd-b8b7-8243aa391ad9", "discardScriptResponse": true, "sendCallbackToStreamHub": false, "requestId": "46f22bab-2964-4294-885e-2a7bd12ddd19", "action": "Close", "productSource": "Opsgenie", "customerDomain": "domain", "integrationName": "Opsgenie Edge Connector - Splunk", "integrationId": "2196f43b-7e43-49dd-b8b7-8243aa391ad9", "customerTransitioningOrConsolidated": false, "source": {"name": "", "type": "ThousandEyes"}, "type": "oec", "receivedAt": 1720795936606, "params": {"type": "oec", "alertId": "7404ee53-37e3-4986-83e4-0863805d8e48-1720786307165", "customerId": "3a1f4387-b87b-4a3a-a568-cc372a86d8e4", "action": "Close", "integrationId": "2196f43b-7e43-49dd-b8b7-8243aa391ad9", "integrationName": "Opsgenie Edge Connector - Splunk", "integrationType": "OEC", "customerDomain": "domain", "alertDetails": {"Alert Details URL": "https://app.thousandeyes.com/alerts/list/?__a=210261&alertId=1017a144-c138-43d1-ab0e-5840c854c082", "TeamsDescription": "True"}, "alertAlias": "1017a144-c138-43d1-ab0e-5840c854c082", "receivedAt": 1720795936606, "customerConsolidated": false, "customerTransitioningOrConsolidated": false, "productSource": "Opsgenie", "source": {"name": "", "type": "ThousandEyes"}, "alert": {"alertId": "7404ee53-37e3-4986-83e4-0863805d8e48-1720786307165", "id": "7404ee53-37e3-4986-83e4-0863805d8e48-1720786307165", "type": "alert", "message": "[ThousandEyes] Alert for priceSingle On-Prem - uepricing.domain.com", "tags": [], "tinyId": "64620", "entity": "", "alias": "1017a144-c138-43d1-ab0e-5840c854c082", "createdAt": 1720786307165, "updatedAt": 1720795937106000000, "username": "ThousandEyes", "responders": [{"id": "383fed32-da1e-4847-a621-3e95a2575d9c", "type": "team", "name": "Pricing_Alerts"}], "teams": ["383fed32-da1e-4847-a621-3e95a2575d9c"], "actions": [], "priority": "P3", "oldPriority": "P3", "source": "ThousandEyes"}, "entity": {"alertId": "7404ee53-37e3-4986-83e4-0863805d8e48-1720786307165", "id": "7404ee53-37e3-4986-83e4-0863805d8e48-1720786307165", "type": "alert", "message": "[ThousandEyes] Alert for priceSingle On-Prem - uepricing.domain.com", "tags": [], "tinyId": "64620", "entity": "", "alias": "1017a144-c138-43d1-ab0e-5840c854c082", "createdAt": 1720786307165, "updatedAt": 1720795937106000000, "username": "ThousandEyes", "responders": [{"id": "383fed32-da1e-4847-a621-3e95a2575d9c", "type": "team", "name": "Pricing_Alerts"}], "teams": ["383fed32-da1e-4847-a621-3e95a2575d9c"], "actions": [], "priority": "P3", "oldPriority": "P3", "source": "ThousandEyes"}, "mappedActionDto": {"mappedAction": "postActionToOEC", "extraField": ""}, "ownerId": "2196f43b-7e43-49dd-b8b7-8243aa391ad9"}, "integrationType": "OEC", "alert": {"alertId": "7404ee53-37e3-4986-83e4-0863805d8e48-1720786307165", "id": "7404ee53-37e3-4986-83e4-0863805d8e48-1720786307165", "type": "alert", "message": "[ThousandEyes] Alert for priceSingle On-Prem - uepricing.domain.com", "tags": [], "tinyId": "64620", "entity": "", "alias": "1017a144-c138-43d1-ab0e-5840c854c082", "createdAt": 1720786307165, "updatedAt": 1720795937106000000, "username": "ThousandEyes", "responders": [{"id": "383fed32-da1e-4847-a621-3e95a2575d9c", "type": "team", "name": "Pricing_Alerts"}], "teams": ["383fed32-da1e-4847-a621-3e95a2575d9c"], "actions": [], "priority": "P3", "oldPriority": "P3", "source": "ThousandEyes"}, "customerConsolidated": false, "mappedActionDto": {"mappedAction": "postActionToOEC", "extraField": ""}, "alertId": "7404ee53-37e3-4986-83e4-0863805d8e48-1720786307165", "alertAlias": "1017a144-c138-43d1-ab0e-5840c854c082", "alertDetails": {"Alert Details URL": "https://app.thousandeyes.com/alerts/list/?__a=210261&alertId=1017a144-c138-43d1-ab0e-5840c854c082", "TeamsDescription": "True"}, "entity": {"alertId": "7404ee53-37e3-4986-83e4-0863805d8e48-1720786307165", "id": "7404ee53-37e3-4986-83e4-0863805d8e48-1720786307165", "type": "alert", "message": "[ThousandEyes] Alert for priceSingle On-Prem - uepricing.domain.com", "tags": [], "tinyId": "64620", "entity": "", "alias": "1017a144-c138-43d1-ab0e-5840c854c082", "createdAt": 1720786307165, "updatedAt": 1720795937106000000, "username": "ThousandEyes", "responders": [{"id": "383fed32-da1e-4847-a621-3e95a2575d9c", "type": "team", "name": "Pricing_Alerts"}], "teams": ["383fed32-da1e-4847-a621-3e95a2575d9c"], "actions": [], "priority": "P3", "oldPriority": "P3", "source": "ThousandEyes"}} Here's the actual Search I am running: Just let me know if more details are needed, and thanks again. Tom
... View more
12-02-2024
06:50 AM
Hello, I need help on passing a field value from a Dashboard table into a "Link to search" drilldown but can't figure it out. I have a table that contains a "host" field. I am needing to be able to click on any of the returned hosts and drill into all of the events for that host. I've tried in hopes that the $host$ would be replaced with the actual host name with this drilldown query: source="udp:514" host="$host$.doman.com" but, of course failed, it just get's replaced with "*". I'm sure I'm probably way off on how to do this, but any help would be awesome. 🙂 Thanks in advance. Tom
... View more
Labels
- Labels:
-
table
12-02-2024
06:32 AM
Hello everyone, I am terrible at regex, I am trying to regex a field called "alert.message" to create another field with only the contents of alert.message after "On-Prem - ". I can achieve this in regex101 with: (?<=On-Prem - ).* But, I know in splunk we have to give it a field name. I can't figure out the correct syntax to add the field name so it would work. In example of one I've tried without success: rex field="alert.message" "\?(?<Name><=On Prem - ).*" If possible, could someone help me out with this one ? 🙂 Thanks for any help, Tom
... View more
- Tags:
- regex
Labels
- Labels:
-
regex
11-27-2024
03:07 AM
Hello, Thank you for your help, that did t he trick. Unfortunately, the only option I see is to bring them in as a list. It appears VZEROP002 is always the first on the list. So this should do the trick. Thanks again, Tom
... View more
11-26-2024
10:23 PM
Hello, My apologies, I hope this makes sense, still learning. I have events coming in that look like this: I need to create an alert for when state = 1 for name = VZEROP002. But, I can't figure out how to write the query to only look at the state for VZEROP002. The query I'm running is: index=zn | spath "items{1}.state" | search "items{1}.state"=1 But, the search results still return events where VZEROP002 has a state of 2, and VZEROP001 has the state of 1. I hope that makes sense, and thanks in advance for any help with this. Thanks, Tom
... View more
09-12-2024
08:07 AM
Hello,
I'm not sure how to troubleshoot this at all. So I've created a new Python based App thru the Add-On builder that is using a Collection Interval every 60 sec. The App Input is set to 60 sec as well. When I test the script which makes chained API calls that creates events based off of the last API call, it returns within 20 sec.
The App would create about 50 events for each interval, when performing a Search, I would expect every 1 min to see about 50 events, but I'm seeing 6 or 7 per minute.
I ran the following query, and it's showing that the event time and index time are within ms.
source=netscaler| eval indexed_time=strftime(_indextime, "%Y-%m-%d %H:%M:%S") | eval event_time=strftime(_time, "%Y-%m-%d %H:%M:%S") | table _raw event_time indexed_time
When looking at the App log, I see it's only making the final API calls every 20 sec instead of all 50 of the final API calls within ms.
Does anyone have any idea why this would occur and how I could resolve this lag that is occurring?
Thanks for your help,
Tom
... View more
Labels
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
05-20-2025
06:12 AM
|
Karma given to
