Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About bollam
bollam
Path Finder
Member since:
04-07-2017
06-05-2020
Community Statistics
| Posts | 56 |
| Solutions | 0 |
| Karma Given | 12 |
| Karma Received | 0 |
| Member Since | 04-07-2017 |
Activity Feed
- Karma Re: How to pass lookup field values to the time range? for to4kawa. 06-05-2020 12:51 AM
- Karma Re: How can I append/join the values of sub-search with the main search with the common field in the corresponding row? for renjith_nair. 06-05-2020 12:50 AM
- Karma Re: How can I append/join the values of sub-search with the main search with the common field in the corresponding row? for renjith_nair. 06-05-2020 12:50 AM
- Karma Re: Extraction: How to split the values and search for specific words? for nadlurinadluri. 06-05-2020 12:49 AM
- Karma Re: How to remove field names displaying in the pie chart? for paramagurukarth. 06-05-2020 12:49 AM
- Karma Re: How to assign a default value to the count when there are no events? for gcusello. 06-05-2020 12:49 AM
- Karma Re: How to restrict events based on the time range? for FrankVl. 06-05-2020 12:49 AM
- Karma Re: Grouping multiple pie charts and adding them in the drop down menu for harishalipaka. 06-05-2020 12:49 AM
- Karma Re: How to enable/disable a saved search using Python SDK? for paramagurukarth. 06-05-2020 12:49 AM
- Karma Splunk IT Service Intelligence: Why is service show a value of "N/A" where all underline KPIs show value? for sandipan1982. 06-05-2020 12:48 AM
- Karma Re: merge two search results for ramab. 06-05-2020 12:46 AM
- Karma Re: Merge two fields into one field for lguinn2. 06-05-2020 12:46 AM
- Posted How to automatically set earliest and latest to the panels when the dashboard loads? on Dashboards & Visualizations. 02-24-2020 05:19 AM
- Tagged How to automatically set earliest and latest to the panels when the dashboard loads? on Dashboards & Visualizations. 02-24-2020 05:19 AM
- Posted Re: How to pass lookup field values to the time range? on Dashboards & Visualizations. 02-22-2020 10:29 AM
- Posted How to pass lookup field values to the time range? on Dashboards & Visualizations. 02-21-2020 05:51 PM
- Posted How to filter results between lookup and the results of the query? on Getting Data In. 05-15-2019 08:45 PM
- Tagged How to filter results between lookup and the results of the query? on Getting Data In. 05-15-2019 08:45 PM
- Posted How to use results of stats command in other stats commands? on Splunk Search. 12-18-2018 10:15 PM
- Tagged How to use results of stats command in other stats commands? on Splunk Search. 12-18-2018 10:15 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
02-24-2020
05:19 AM
Hello,
I have a dashboard which contains couple of panels and it receives events once in a month for a year calendar.
I have specific dates for each months.
Let's say for the current month it has events on 10-02-2020 and earliest is "02/10/2020:00:00:00 and latest is "02/10/2020:24:00:00", In the next month it will be on 20-03-2020, In such a way every month it has events on a specific day.
When I load the dashboard the earliest and latest values should be set for the current month on the day when events arrived. When the next month(March) events arrives the earliest and latest should be set as earliest = "03/20/2020:00:00:00 and latest is "03/20/2020:24:00:00".
The earliest and latest values should not change until next month date is matched.
... View more
02-22-2020
10:29 AM
@to4kawa Thank you! It worked..
But I wanted to use the result of the query to change the token using eval. But it's not working.
I need to check a specific value of the earliest from the result. If it matches then I need to use the token and assign some other value to it.
The token value is not getting effected in the panel. Can you help me on this?
<input type="dropdown" token="timepicker" searchWhenChanged="true">
<label>time piker</label>
<fieldForLabel>Month</fieldForLabel>
<fieldForValue>query</fieldForValue>
<search>
<query>| inputlookup sample_file
| foreach *est [ eval <<FIELD>> = round(strptime(<<FIELD>>,"%m/%d/%Y:%T"))]
| eval query="(earliest=".earliest." "."latest=".latest.")"
<earliest>0</earliest>
<latest></latest>
</search>
<change>
<eval token="abc">if('query.earliest'= 1577817000, (earliest=1577817000 latest=15777903400), (earliest=1577817000 latest=15777903405))</eval>
</change>
</input>
<panel>
<html>token value: $timepicker$ $abc$</html>
</panel>
... View more
02-21-2020
05:51 PM
Hello,
I have a lookup file which has fields Month, earliest, latest. I have drop down name "Month" which gives me the list of all the months from the lookup table. When I choose a month from the drop down the respective values of the earliest and the latest should be passed to the searches or time range token in the dashboard.
Month earliest latest
Jan 01/15/2020:03:34:45 01/15/2020:05:34:45
Feb 02/15/2020:03:34:45 02/15/2020:01:34:45
Mar 03/15/2020:03:34:45 03/15/2020:07:34"45
Apr 04/15/2020:03:34:45 04/15/2020:08:34:45
... View more
05-15-2019
08:45 PM
Hello,
I have a lookup file which contains field and it’s values as follow.
Country location
India Andhra Pradesh
Himachal Pradesh
Madhya Pradesh
USA San Fransisco
San Andrea
Illinois
China Beijing
Jiangsu
Anhui
I have a query which gives the results as follow.
India Andhra Pradesh
India Madhya Pradesh
USA San Fransisco
China Beijing
China Anhui
I would like to filter out the one’s which are missing in the results and present in the lookup file.
Expected output:
India Himachal Pradesh
USA San Andrea
USA Illinois
China Anhui
... View more
- Tags:
- filter
12-18-2018
10:15 PM
Hello,
I need some assistance on the following scenario.
Let's say I have a fields "Country" "cities" "command"
These are few events:
These are few cities of India.
Country=India, cities="Hyderabad, Bangalore, Kerala" command="common"
Country=Srilanka cities="Kandy, Colombo, Galle"
Country=Australia cities="Melbourne, sydney, Adelaide" command="common"
Country=USA cities="California, Cupertino, NewJersey"
Country=UK cities="Manchester, Headingley, Edgbaston" command="common"
Country=china cities="Beijing, Shanghai, Tianhe, common"
I have a sample query which gives me the result of source
index=sai_core sourcetype="city_log" command="common"
| makemv delim="," cities
| stats values(cities) as cities by source
I want to make use of these results of source to use as a group by for another search.
index=sai_core sourcetype="city_log"
| makemv delim="," cities
| stats values(cities) as cities by source
How do I do this?
... View more
- Tags:
- stats
12-06-2018
08:32 AM
@renjith, No, value of 210491 does not have in tag in the type=First but for id_second=210491 has the value in tag for type=Second. In this case tag should be considered as great since it's not present in the type=First.
When the ran the query you provided, I'm not getting the values of tags but it's just displaying values as okay to all the events of tag.
index=sai_core sourcetype=firstsecond_log
| eval ID=coalesce(id_first,id_second)
| stats values(eval(if(type="First",tag,null()))) as _tag1,values(eval(if(type="Second",tag,null()))) as _tag2 by ID
| eval tag=if(_tag1!="", _tag1, _tag2)
I do not understand where is the value "okay" is coming. There is no word "okay" exists in the event.
How can I view the values of _tag1 and _tag2?
ID tag
210468 okay
210469 okay
210470 okay
210483 okay
210487 okay
210491 okay
... View more
12-05-2018
11:37 PM
Hello,
I have got events with two different types: Type=First and type=Second
I would like to get the consolidated(with unique tags) from both the types based on the following conditions.
If both types have a values of tag, then on priority, it should consider value of tag from the type=First and ignore the tag value from type=Second, even if it has value or not.
ii) If tag has no value — i.e., "" in type=First and tag of type=Second has the value — then it considers the value from type=Second for the same id of type=First.
iii) if both the types have no value in tag, then we can ignore this.
Note: the values of id_first and id_second has same values but the naming convention is different.
time=1544071583425 type="First" version="2.0.5" status="OK" id_first="210468" user="abc" tag="some"
time=1544071583425 type="First" version="2.0.5" status="OK" id_first="210469" user="xyz" tag=""
time=1544071583424 type="First" version="2.0.5" status="OK" id_first="210470" user="wow" tag=""
time=1544071583424 type="First" version="2.0.5" status="OK" id_first="210483" user="rez"
time=1544071583424 type="First" version="2.0.5" status="OK" id_first="210487" user="yov" tag="wrong"
time=1544071583424 type="First" version="2.0.5" status="OK" id_first="210491" user="boh" tag=""
time=1544071583425 type="Second" version="2.0.5" status="OK" id_second="210468" user="abc" tag="some"
time=1544071583425 type="Second" version="2.0.5" status="OK" id_second="210469" user="xyz" tag="where"
time=1544071583424 type="Second" version="2.0.5" status="OK" id_second="210470" user="wow" tag="fishy
time=1544071583424 type="Second" version="2.0.5" status="OK" id_second="210483" user="rez"
time=1544071583424 type="Second" version="2.0.5" status="OK" id_second="210487" user="yov" tag="wrong"
time=1544071583424 type="Second" version="2.0.5" status="OK" id_second="210491" user="boh" tag="great"
output:
tag id
some 210469
where 210469
fishy 210470
wrong 210483
great 210487
... View more
12-05-2018
11:35 PM
@tom_frotscher, Please find the events and a bit more description on the requirement.
I have got events with two different types, Type=First and type=Second
I would like to get the consolidated(with unique tags) from both the types based on the following conditions.
If both types have a values of tag then on priority it should consider value of tag from the type=First and ignore the tag value from type=Second even if it has value or not.
ii) If tag has no value i.e., "" in type=First and tag of type=Second has tha value then it consider the value from type=Second for the same id of type=First.
iii) if both the types has no value in tag. we can ignore this.
Note: the values of id_first and id_second has same values but the naming convention is different.
time=1544071583425 type="First" version="2.0.5" status="OK" id_first="210468" user="abc" tag="some"
time=1544071583425 type="First" version="2.0.5" status="OK" id_first="210469" user="xyz" tag=""
time=1544071583424 type="First" version="2.0.5" status="OK" id_first="210470" user="wow" tag=""
time=1544071583424 type="First" version="2.0.5" status="OK" id_first="210483" user="rez"
time=1544071583424 type="First" version="2.0.5" status="OK" id_first="210487" user="yov" tag="wrong"
time=1544071583424 type="First" version="2.0.5" status="OK" id_first="210491" user="boh" tag=""
time=1544071583425 type="Second" version="2.0.5" status="OK" id_second="210468" user="abc" tag="some"
time=1544071583425 type="Second" version="2.0.5" status="OK" id_second="210469" user="xyz" tag="where"
time=1544071583424 type="Second" version="2.0.5" status="OK" id_second="210470" user="wow" tag="fishy
time=1544071583424 type="Second" version="2.0.5" status="OK" id_second="210483" user="rez"
time=1544071583424 type="Second" version="2.0.5" status="OK" id_second="210487" user="yov" tag="wrong"
time=1544071583424 type="Second" version="2.0.5" status="OK" id_second="210491" user="boh" tag="great"
output:
tag id
some 210469
where 210469
fishy 210470
wrong 210483
great 210487
... View more
12-05-2018
02:24 AM
Update:
both types will have a common id. If typeA does not contain the "Success" with id "123", It should consider the value of "Success" from typeB which as same id "123"
... View more
12-05-2018
02:12 AM
Hello,
I have got two type of events, typeA and typeB, In both the fields I'm interested in only a single field "Success".
Either if the field Success does not exist or it's value is "" in typeA then it should consider the value of Success from the typeB.
How do I do this?
... View more
- Tags:
- case
12-04-2018
12:35 AM
@whrg, That way it won't work because i want the values of the start_time to be used in the by clause.
I got it solved without join but looking for an optimal way.
index=main
| search trainId="somevalue"
[ search index=main
| search trainId="somevalue"
| stats earliest(start_time) as start_time by job
| table start_time ]
| stats first(cpu) as total_cpu sum(cpu) as MB by start_time, job
| eval pct = round((MB/total_cpu)*100, 2)
| table start_time pct job
... View more
12-03-2018
10:06 PM
index=main
| search trainId="somevalue"
| stats earliest(start_time) as start_time by job
Whatever the output that returns by the field start_time from the above search need to be used in the by clause for the below query.
index=main
| search trainId="somevalue"
stats first(cpu) as total_cpu sum(cpu) as MB by start_time, job
| eval pct = round((MB/total_cpu)*100, 2)
| table start_time pct job
... View more
12-03-2018
08:58 PM
I tried this query and it's giving me the output what im looking at. But is it possible to get the output without join command?
index=main
| search trainId="somevalue"
| join start_time
[ search index=main
| search trainId="somevalue"
| stats earliest(start_time) as start_time by job
| table start_time ]
| stats first(cpu) as total_cpu sum(cpu) as MB by start_time, job
| eval pct = round((MB/total_cpu)*100, 2)
| table start_time pct job
... View more
12-03-2018
08:54 PM
The total_cpu is the common for all the events.
I'm adding another row for job B which is job B 6am
I want output to be as below.
Job A, 6am, 25 pct_value
job B, 6am, 10 pct_value
... View more
12-03-2018
12:13 AM
I'm trying to calculate the percentage of resources that are consumed by a job based on the start time of the job.
Each job has more than one event and startTime could vary in the events. So I'm considering the earliest start time of the job.
Using eventstats is not producing the events which im looking at.
stats earliest(start_time) as start_time by job, If this is replaced in the place of eventstats im getting the results what I want.
Can someone assist me on this?
index=main
| search trainId=acggalladks"
| eventstats earliest(start_time) as start_time by job
| stats first(cpu) as total_cpu sum(cpu) as MB by start_time, job
| eval pct = round((MB/total_cpu)*100, 2)
| table pct job
... View more
- Tags:
- stats
12-02-2018
10:41 PM
@kamlesh_vaghela, Thanks much!! It worked
... View more
11-30-2018
12:43 AM
Hello,
I'm trying to plot a graph based on three fields.
The events contain the job, startTime, usedMemory. I want to plot a graph based on the start_time(epochTime) of the job.
I have a query written as follow.
index=main
| eventstats earliest(startTime) as start_time by job
| stats first(totalMB) as total sum(UsedMB) AS a by start_time, stage
| eval pct=round((a/total)*100,2)
| table start_time stage pct
This query is giving me the right results as expected.
job start_time pct
b 00:05 20
c 00:10 15
f 00:25 55
a 00:00 40
d 00:15 60
When trying to plot a graph using following query, The job is getting sorted in the ascending order which I do not want.
I wanted the way how it is shown above on the x-axis ( b c f a d )
I need the values on the x-axis how the results with table command.
index=main
| eventstats earliest(startTime) as start_time by job
| stats first(totalMB) as total sum(UsedMB) AS a by start_time, job
| eval pct=round((a/total)*100,2)
| table start_time job pct
| chart avg(pct) as Mem_used by job
... View more
11-29-2018
06:37 PM
@renjith.nair Awesome!! It works like a charm.. Thank you!!
Curious to know if it can be attained using join/append command?
... View more
11-28-2018
10:27 PM
For an instance, I want to calculate the runtime of each stage of two trains and but there are stages which one of the trains do not have.
In such case it should be left empty.
Query which is written:
index=main
| search train_name="train_1"
| stats earliest(start) as start_time latest(finish) as finish_time by stage, train_1
| eval difference = (finish_time - start_time)
| eval final_time = tostring(difference, "duration")
| join stage type=inner
[ search index=main
| search train_name="train_2"
| stats earliest(start) as start_time latest(finish) as finish_time by stage, train_2
| eval difference = (finish_time - start_time)
| eval final_time_train2 = tostring(difference, "duration")
| table stage train_2 final_time_train2 ]
| table stage train_1 final_time train_2 final_time_train2
this is skipping the values which are having common, I want all of them to be listed out.
The output should look like below.
Stage train_name runtime_train1_mins train2_name runtime_train2_mins
abc train_1 20 train_2 40
def train_1 30 train_2
123 train_1 train_2 50
456 train_1 40 train_2 30
xyz train_1 train_2 25
gee train_1 55 train_2
... View more
11-12-2018
07:54 PM
I need help with the following scenario.
I want to join one of the fields of the main search to the sub search,l which does not exist in the sub search, to make some calculations.
First search:
index=main type=test
| eval totalUsage=upper(mvindex(split(usage,"."),0))
| table index, total_memory, type
The second search does not contain the total_memory field and I want to inherit "total_memory" from the first search in order to calculate the "used_memory".
Below is the query I have written, but it does not give me the results. I would require help achieving the desired results.
index=main type=test
| eval totalUsage=upper(mvindex(split(usage,"."),0))
| table index, total_memory, type
| join total_memory
[ search index=main type=test
| used_memory = round(current_memory/total_memory * 100, 2) ]
| table index used_memory total_memory
... View more
- Tags:
- join
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
Karma given to
| User | Karma Count |
|---|---|
| 1 | |
| 2 | |
| 1 | |
| 2 | |
| 1 |
