×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
bjbrookz
Explorer
Member since: ‎07-16-2024
‎07-23-2024
Community Statistics
Posts 7
Solutions 0
Karma Given 3
Karma Received 0
Member Since ‎07-16-2024
Activity Feed
View All

Re: Is now() conflicting with eval of fields?

by in Splunk Search
‎07-23-2024 06:11 AM
‎07-23-2024 06:11 AM
Thank you. The quotes made all the difference, silly mistake.  ... View more

Is now() conflicting with eval of fields?

by in Splunk Search
‎07-22-2024 06:36 PM
‎07-22-2024 06:36 PM
I have a csv that gets loaded weekly... timestamp for events are on load. However, this file has multiple time fields (first discovered, last seen, etc.). I am attempting to find those events (based on the fields) that are greater than 30 days, for example. had this working fine, until I introduced a lookup. I am attempting to show results grouping them by owner (stats) but only those events that are 30 days from first discovered until now().  If I add | where Days > 30, results show every event from the fiel. But I know they are there... anonymized query below. What am I doing wrong? Sample fields being eval'ed:  First Discovered: Jul 26, 2023 16:50:26 UTC Last Observed: Jul 19, 2024 09:06:32 UTC   index=stuff  source=file Severity="Critical" | lookup detail.csv "IP Address" OUTPUTNEW Manager | eval First_DiscoveredTS = strptime("First Discovered", "%b %d, %Y %H:%M:%S %Z"), Last_ObservedTS = strptime("Last Observed", "%b %d, %Y %H:%M:%S %Z"), firstNowDiff = (now() - First_DiscoveredTS)/86400, Days = floor(firstNowDiff) | stats by Manager | where Days > 30     ... View more
Labels

Re: Comma delimited and align left for single valu...

by in Splunk Search
‎07-20-2024 11:38 AM
‎07-20-2024 11:38 AM
I apologize. It does in fact work in a standard search window. However, the panel in the dashboard studio does not. Thanks for your time.  ... View more

Re: Comma delimited and align left for single valu...

by in Splunk Search
‎07-20-2024 10:45 AM
‎07-20-2024 10:45 AM
Thanks, but no dice.  ... View more

Comma delimited and align left for single value......

by in Splunk Search
‎07-19-2024 07:15 PM
‎07-19-2024 07:15 PM
Dozens of posts on these topics.. I've tried makemv, fieldformat, tostring, tonumber all to no avail. So I'm just going to past my query in hopes someone can help me out. I have placed them after the stats call but having no luck.  query | stats list(Plugin) by Host, OS, App, Manager | rename list(Plugin) as "Plugin ID" The result is either one or several numbers in a single field - Plugin ID. I would prefer to delimit those results by comma (and align left for the single value results if possible).  Instead of (the lines are supposed to represent the cell/field): ______________ 204188 193574_______ ______193574__   I would like them on a single line, wrapping where necessary: 204188, 193574  193574_______   Any assistance would be appreciated.  ... View more
Labels

Re: Evaluate difference between 2 (string) dates i...

by in Splunk Search
‎07-16-2024 06:43 PM
‎07-16-2024 06:43 PM
Outstanding. That worked perfectly. Thank you.  ... View more

Evaluate difference between 2 (string) dates in th...

by in Splunk Search
‎07-16-2024 06:07 PM
‎07-16-2024 06:07 PM
Hello, I'm struggling mightily with this one. I have two dates in the same event, both are strings.  Their format is below. I would like to evaluate the number of days between the firstSeen and lastSeen dates. I would also like to evaluate the number of days since firstSeen and when the search is performed. Any help would be much appreciated...    firstSeen: Aug 27, 2022 20:18:37 UTC lastSeen: Jun 23, 2024 06:17:25 UTC ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎07-23-2024 09:47 AM
Karma given to