cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
ulrich_track
Path Finder
Member since: ‎07-23-2014
‎06-05-2020
Community Statistics
Posts 20
Solutions 2
Karma Given 3
Karma Received 5
Member Since ‎07-23-2014
Activity Feed
View All

Why is sorting by time reducing the number of my s...

by in Splunk Search
‎10-28-2014 01:44 AM
‎10-28-2014 01:44 AM
I made a search over two indexes (OR connected) and five sourcetypes (OR connected), limited the time to two days and received 26,300 events. Now I pipe this to a sort _time and suddenly only 10,000 of 26,300 events match? What is wrong here? Since when does sorting filter results? Example: index="index-one" OR index="index-two" sourcetype="sourcetype-one" OR sourcetype="sourcetype-two" OR sourcetype="sourcetype-three" OR sourcetype="sourcetype-four" OR sourcetype="sourcetype-five" | sort _time ... View more

Re: Non-matching timestamps and wrong breaks on ti...

by in Getting Data In
‎10-23-2014 07:55 AM
‎10-23-2014 07:55 AM
Your regex also extracted the timestamp, but as with mine, the whole log was one event with this timestamp. It is a textfile, separators are spaces. Example given below: 2014-10-21 05:01:52.964 INFO at.bcm.skeis [serverScheduler_Worker-1] import successful 2014-10-21 05:01:54.538 INFO at.bcm.skeis [serverScheduler_Worker-1] Reports successfully imported 2014-10-21 05:01:56.586 INFO at.bcm.skeis [serverScheduler_Worker-1] Error during import! 2014-10-21 05:01:58.560 INFO at.bcm.skeis [serverScheduler_Worker-1] 2014-10-21 06:03:44.307 INFO at.bcm.skeis [serverScheduler_Worker-5] import successfull and how come, that the time is not extracted correctly? I mean there is a difference between October 2014 and September 2009 - I can't explain that. ... View more

Non-matching timestamps and wrong breaks on timest...

by in Getting Data In
‎10-23-2014 06:10 AM
‎10-23-2014 06:10 AM
I have a log file with a timestamp at the beginning of an event in the format YYYY-MM-DD HH:MM:SS.mmm. The automatic detection in the data preview does not work, as I have other timestamps in my file as well - so I decided to break on a break-before-regex: \d{4}-\d{2}-\d{2}\s-\d{2}:\d{2}:\d{2}.\d{3} Splunk identifies the very first timestamp, but now identifies the whole log-file as one single event. I tried modifiers like (?m) or (?g), but they did not provide the result I expected. (?m) gives me back one event, (?g) gives me back event-breaks in the middle of an event i.e. at the wrong timestamps. I also tried to add TIME_PREFIX=^ in the props.conf, but that did not change a thing (it doesn't matter, if it's there or not). Furthermore, the timestamp I have in my events and the timestamp displayed by Splunk differ in an unexplicable way. Examples: Timestamp (Splunk) | Timestamp (Event) 10/9/01 12:58:30.013 PM | 2014-10-21 00:02:00.013 10/9/01 5:29:33.824 PM | 2014-10-21 06:21:23.824 10/9/01 5:29:30.133 PM | 2014-10-21 06:21:30.133 What is going on here and how can I fix it? ... View more

Re: How to write regex to extract a field from a l...

by in Splunk Search
‎10-16-2014 12:44 AM
‎10-16-2014 12:44 AM
You can find it out by copying that section in regex101.com and playing around. I found this: During searchtime: | rex "name:\s(?<DBname>\S+)" Or in the field-extractor (?m)name:\s(?<FIELDNAME>\S+) ... View more

Re: How to extract the email address from the my l...

by in Splunk Search
‎10-08-2014 12:06 AM
‎10-08-2014 12:06 AM
True - I forgot - in Splunk you do not search for the string, you search for what is before and after it. ... View more

Re: How to extract the email address from the my l...

by in Splunk Search
‎10-07-2014 02:59 AM
‎10-07-2014 02:59 AM
I would use this regex: <([0-9A-Za-z.]+)(@)([0-9A-Za-z.]+)> Tested it with regex101.com ... View more

Re: How to calculate the number of requests occurr...

by in Splunk Search
‎10-07-2014 12:09 AM
‎10-07-2014 12:09 AM
Here is the regex for extracting the field with the Field Extractor (Hits): (?i) ABC : (?P .+) And here is the statement I put in the search field: | table date_month date_mday date_hour date_minute Hits | delta Hits as tempdiff | eval Difference=tempdiff*(-1) I am first creating a table to display the time and the extracted field, which I called "Hits". Then I calculated the difference using the delta command. To remove the negative prefix, I multiplied the field with -1. ... View more

Re: How to sort the items within a stacked bar cha...

by in Splunk Search
‎10-03-2014 04:07 AM
‎10-03-2014 04:07 AM
I was mistaken. Your script does the job: it checks the total occurrence of each sourcetype and then sorts it on the graph in that order. What confused me, was that sometimes a small bar was in between two large bars, but that's correct because only on this index few sourcetypes showed up - looking at all events, it is correct. For my script, I adapted it a little in the line | eventstats sum(count) AS sum BY index but that's fine, the fields have to be adjusted for the individual case. Thanks! ... View more

Re: How to sort the items within a stacked bar cha...

by in Splunk Search
‎10-02-2014 03:52 AM
‎10-02-2014 03:52 AM
I did - it works until the xyseries command. I was searching for an alternative like chart, but that doesn't display any chart. xyseries seems to be the solution, but none of the bars are sorted by size. Maybe it's just not possible. ... View more

Re: How to calculate the number of requests occurr...

by in Splunk Search
‎10-02-2014 01:10 AM
‎10-02-2014 01:10 AM
I would: 1. Extract the hits as a field with the field extractor 2. use delta count(yourfieldname) AS diff ... View more

Re: How to sort the items within a stacked bar cha...

by in Splunk Search
‎10-01-2014 06:14 AM
‎10-01-2014 06:14 AM
You script works in your case, but I cannot use the tstats command as it ignores my extracted fields. (Splunk does not know them) So I added your script starting with line 2 between my chart-line and my addtotals line, because then the fields are known. All works, also the renaming, but when executing the xyseries, the sorting does not work - the items are not sorted. Which commands should I replace? ... View more

How to sort the items within a stacked bar chart b...

by in Splunk Search
‎09-30-2014 06:44 AM
1 Karma
‎09-30-2014 06:44 AM
1 Karma
I have created a search to produce a stacked bar chart: (each shop sells the same items but in different quantities) * | chart count(ItemType) BY Shop ItemType | and managed to sort the stacked bars by their total size: addtotals fieldname=total | sort -total | fields - total What I am missing is how to sort the items within each bar by size. It would also be ok, to sort only the largest bar and have the others follow the same order. Any ideas? ... View more

Re: Event breaks in an XML-file on multiple tags

by in Dashboards & Visualizations
‎09-26-2014 05:45 AM
2 Karma
‎09-26-2014 05:45 AM
2 Karma
I found it: You have to enter this string in the Regex-field of Data preview (please remove the blanks after the < sign, I added them only because otherwise this forum would not accept it) (?m)^(< Admin>)|(< Order>)|(< Security>)|(< Payment>) It says: (?m) ...go for multiline and do not stop at the first event you find ^...the search term is at the beginning of the line ()...a grouped search term < Admin>...(e.g.) search the exact phrase, case-sensitive |...logical OR statement or directly in the props.conf file: [NameOfTheSourcetype] BREAK_ONLY_BEFORE = (?m)^(< Admin>)|(< Order>)|(< Security>)|(< Payment>) NO_BINARY_CHECK = 1 TIME_PREFIX = < Date_and_time> pulldown_type = 1 The TIME_PREFIX was added by me, because my timestamp was tagged this way. You can leave it out, because your files will probably be tagged differently. ... View more

Re: How to rename field names using lookups and re...

by in Splunk Search
‎09-25-2014 07:48 AM
‎09-25-2014 07:48 AM
Would it be sufficient for you, if you used the rename command in your search? E.g. rename prefix_sm_shrthnd_txt AS "Some Shorthand Text" Unfortunately, this would mean that you would have to rename your complete list in the search field and not use a lookup (depends on the number of entries, you would have here) ... View more

Re: Event breaks in an XML-file on multiple tags

by in Dashboards & Visualizations
‎09-19-2014 03:45 AM
‎09-19-2014 03:45 AM
Here is a typical sample of this file (with adapted XML-Tags < ?xml version="1.0" encoding="UTF-8"?> < Content> < Admin> < Disregard_1>[]< /Disregard_1> < Date_and_time>Mon Jan 13 22:44:53 MET 2014< /Date_and_time> < Domain>01< /Domain> < Disregard_4>18512< /Disregard_4> < Machine_name>Server1< /Machine_name> < Usecase>12< /Usecase> < /Admin> < Order> < Disregard_1>[---]< /Disregard_1> < Date_and_time>Wed Jan 15 11:19:25 MET 2014< /Date_and_time> < Domain>02< /Domain> < Machine_name>Server2< /Machine_name> < Usecase>06< /Usecase> < Actor> < Type_of_actor>USER< /Type_of_actor> < /Actor> < /Order> < Order> < Disregard_1>[---]< /Disregard_1> < Date_and_time>Thu Jan 16 12:18:03 MET 2014< /Date_and_time> < Domain>02< /Domain> < Machine_name>Server2< /Machine_name> < Usecase>06< /Usecase> < /Order> < Alerting> < Disregard_1>ab< /Disregard_1> < Date_and_time>Tue Jan 14 09:56:37 MET 2014< /Date_and_time> < Machine_name>Server3< /Machine_name> < Usecase>01< /Usecase> < /Alerting> < /Content> ... View more

Re: Event breaks in an XML-file on multiple tags

by in Dashboards & Visualizations
‎09-19-2014 01:05 AM
‎09-19-2014 01:05 AM
I am putting the regex in Add data » Files & directories » Data preview in the field Specify a pattern or regex to break before ex: \d+foo\d[2,4], Start Of Event, ^*** the props and transforms are untouched, yet. ... View more

Event breaks in an XML-file on multiple tags

by in Dashboards & Visualizations
‎09-18-2014 06:20 AM
‎09-18-2014 06:20 AM
I have an XML file with multiple tags I want to break on. Not all tags should cause a break, but only a subset. E.g. < Security> ... < /Security> should be an event < Admin> ... < /Admin> should be another event < Order> ... < /Order> should be another event I tried to break on a regex, but it did not work: "< Security>" | "< Admin>" | "< Order>" | "< Payment>" A bonus would be if the header was disregarded/not listed. ... View more

Re: Why are my fields not showing after using inte...

by in All Apps and Add-ons
‎08-27-2014 04:52 AM
2 Karma
‎08-27-2014 04:52 AM
2 Karma
I just found the problem: I named the FIELDNAME with a hyphen inside (Server-ID). When deleting the Field Extraction, creating it again but storing under a name without a hyphen (ServerID), it showed up. If hyphens pose a problem to splunk, the programmers should send a warning message that hyphens are not allowed, shouldn't they? ... View more

Re: Why are my fields not showing after using inte...

by in All Apps and Add-ons
‎08-27-2014 04:51 AM
‎08-27-2014 04:51 AM
I just found the problem: I named the FIELDNAME with a hyphen inside. When deleting the Field Extraction, creating it again but storing under a name without a hyphen, it showed up. If hyphens pose a problem to splunk, the programmers should send a warning message that hyphens are not allowed, shouldn't they? ... View more

Why are my fields not showing after using interact...

by in All Apps and Add-ons
‎08-27-2014 04:23 AM
‎08-27-2014 04:23 AM
I want to extract fields from my log files. Therefore I used the interactive field extractor. A regex was created, I tested and stored it and gave permissions to the search app. When I enter the search app, my field does not show up. Even when I select the same sourcetype. The field occurs in 195 of 7000 events. What did I miss? Is there also any tutorial on how to use Splunk-specific Regexes (e.g. ?P and that stuff) ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM
Karma from
Karma given to
View All