Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About rdhdr
rdhdr
Explorer
Member since:
06-12-2024
04-30-2025
Community Statistics
| Posts | 6 |
| Solutions | 1 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 06-12-2024 |
Activity Feed
- Posted Re: How to Compare Values Based on Multiple Field Matches on Splunk Search. 09-24-2024 08:09 AM
- Posted How to Compare Values Based on Multiple Field Matches on Splunk Search. 09-24-2024 07:29 AM
- Posted Re: Match One Without Another, with Delay on Splunk Search. 06-14-2024 12:13 PM
- Posted Re: Match One Without Another, with Delay on Splunk Search. 06-14-2024 03:47 AM
- Posted Re: Match One Without Another, with Delay on Splunk Search. 06-12-2024 05:39 AM
- Posted Match One Without Another, with Delay on Splunk Search. 06-12-2024 04:26 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
09-24-2024
08:09 AM
Wow, that was a lot simpler than the solutions I was trying to get working. Thank you!
... View more
09-24-2024
07:29 AM
Hello, I have the following dataset. It consists of configuration parameters from multiple systems. Each system has somewhere in the neighborhood of 3000-5000 parameters, some of which will not exist in all systems. I am trying to come up with a list of unique combinations of parameters with an Matching flag which shows whether the value is identical between both systems. It should indicate a false flag if the parameter exists in either system, but not the other, or if the parameter exists in both systems but with different values. The parameters are identified by a unique combination of SERVICE_NAME, FILE_NAME, SECTION and KEY (all four are required to be the same). And the system is identified by SID. The data look like this: SID SERVICE_NAME FILE_NAME SECTION KEY VALUE AAA index global.ini global timezone_dataset 123 AAA dpserver index.ini password policy minimal_password_length 16 AAA index index.ini flexible_table reclaim_interval 3600 AAA dpserver global.ini abstract_sql_plan max_count 1000000 BBB dpserver index.ini password policy minimal_password_length 16 BBB index index.ini password policy minimal_password_length 25 BBB dpserver global.ini abstract_sql_plan max_count 1000000 BBB index index.ini mergedog check_interval 60000 The data is in a dashboard, along with drop-downs to select two systems to be compared. One a user selects system AAA and system BBB, I would like the result to show: SERVICE_NAME FILE_NAME SECTION KEY Match index global.ini global timezone_dataset No dpserver index.ini password policy minimal_password_length Yes index index.ini flexible_table reclaim_interval No dpserver global.ini abstract_sql_plan max_count Yes index index.ini password policy minimal_password_length No index index.ini mergedog check_interval No I have tried many different SPL searches, but none have provided the intended result. I would greatly appreciate any assistance or guidance. Cheers, David
... View more
06-14-2024
12:13 PM
This requirement was solved with the following syntax: index = indxtst
| table _time source EVENT_TYPE EVENT_SUBTYPE UID EVENT
| eval diff=now()-_time
| eval type=case(EVENT=="START","START",EVENT="END","END")
| eventstats dc(type) as dc_type by UID
| search dc_type=1 AND (type=START AND diff>300)
... View more
06-14-2024
03:47 AM
Hi, I guess the question I still need an answer to is, how can I apply a time restriction to the START event, but not the END event? Cheers, David
... View more
06-12-2024
05:39 AM
Thanks for the input, Giuseppe. I have not considered a max time between START and END events. I may need to think about that requirement. I notice that you put earliest==-15m AND latest==-5m at the start of the query. It seems to me that this would check whether both START and END events are > 5 minutes old, which would be subject to the same issue I have today, in which the alert fires between START and END events. What I think I need is to find a START event > 5 minutes old, with a corresponding END event of any age. Cheers, David
... View more
06-12-2024
04:26 AM
Hello, I have programs which write status events to Splunk. At the beginning they write EVENT=START and at the end, they write EVENT=END, both with a matching UID. I have created an alert which monitors for a START event without a corresponding END event, in order to find when a program may terminate abruptly. The alert is: index=indxtst
| table _time source EVENT_TYPE EVENT_SUBTYPE UID EVENT
| eval stat=case(EVENT=="START","START",EVENT=="END","END")
| eventstats dc(stat) as dc_stat by UID
| search dc_stat=1 AND stat=START This alert works fine, except sometimes it catches it while the program is running and simply hasn't written an END event yet. To fix this, I would like to add a delay, but that is not working. index=indxtst
| table _time source EVENT_TYPE EVENT_SUBTYPE UID EVENT
| eval stat=case(EVENT=="START","START",EVENT=="END","END")
| eventstats dc(stat) as dc_stat by UID
| search dc_stat=1 AND stat=START AND earliest==-15m AND latest==-5m This pulls back no records at all, even when appropriate testing data is created. What am I doing wrong?
... View more
Labels
- Labels:
-
stats
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
04-30-2025
01:19 PM
|
