Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About ewanbrown
ewanbrown
Path Finder
Member since:
11-11-2013
06-05-2020
Community Statistics
| Posts | 34 |
| Solutions | 1 |
| Karma Given | 1 |
| Karma Received | 6 |
| Member Since | 11-11-2013 |
Activity Feed
- Got Karma for Can spath cater for missing values in an array?. 06-05-2020 12:49 AM
- Got Karma for Can you skip the first x rows returned in a search?. 06-05-2020 12:49 AM
- Karma Re: How to compare columns in a row for somesoni2. 06-05-2020 12:48 AM
- Got Karma for Extract one row of data from a table. 06-05-2020 12:47 AM
- Got Karma for How to join my search to a lookup table with more than one field?. 06-05-2020 12:47 AM
- Got Karma for How to pass multiple parameters from a form input to a search?. 06-05-2020 12:47 AM
- Got Karma for How does a user know when a query is complete with a form. 06-05-2020 12:46 AM
- Posted Re: Can you skip the first x rows returned in a search? on Splunk Search. 08-10-2018 04:19 AM
- Posted Can you skip the first x rows returned in a search? on Splunk Search. 08-10-2018 03:56 AM
- Tagged Can you skip the first x rows returned in a search? on Splunk Search. 08-10-2018 03:56 AM
- Posted Can spath cater for missing values in an array? on Splunk Search. 03-16-2018 09:19 AM
- Posted Re: How to show the percentage of unique values on Splunk Search. 08-08-2017 07:33 AM
- Posted How to show the percentage of unique values on Splunk Search. 08-08-2017 06:07 AM
- Tagged How to show the percentage of unique values on Splunk Search. 08-08-2017 06:07 AM
- Posted Re: Percentile values over time on Splunk Search. 04-24-2017 02:51 AM
- Posted Re: Percentile values over time on Splunk Search. 04-24-2017 02:50 AM
- Posted Re: Percentile values over time on Splunk Search. 04-24-2017 02:30 AM
- Posted Percentile values over time on Splunk Search. 04-20-2017 05:17 AM
- Tagged Percentile values over time on Splunk Search. 04-20-2017 05:17 AM
- Tagged Percentile values over time on Splunk Search. 04-20-2017 05:17 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 |
08-10-2018
04:19 AM
Thanks! That works
... View more
08-10-2018
03:56 AM
1 Karma
Hi,
If I have a query which returns 100 rows I'd like to be able to only get rows 11-100 shown (and if 200 only rows 11-200)
I have looked for an offset command similar to head or tail but I can't see one. Do you know how I could go about this?
Thanks
... View more
03-16-2018
09:19 AM
1 Karma
Hi,
I have a nested array and I want to compare values across
I've a query that works, apart from when a value is missing (the whole JSON is not present rather than it is empty)
The query snippet is ... | spath output=my_one path=bean.test{}.one | spath output=my_two path=bean.test{}.two ...
In the example with this data below I want my_two to have two values, 45 and null, not one value of 45
{test}
{
one: 23
two: 45
three: 12
}
{
one: 34
three: 67
}
Can I use spath for this, or is there another way?
Thanks
... View more
08-08-2017
07:33 AM
Perfect!
Thanks, I knew it was something to do with eventstats, but couldn't get it to work!
... View more
08-08-2017
06:07 AM
Hi,
I have a simple search that uses top to get the top 10 countries:
search ........ | top Country
It will give the top 10 Countries and percentage.
How can I get the same, but look at the top 10 Countries by unique users?
This :
search ..... | stats dc(ID) as users by Country | sort users desc limit=10
Will give me the top 10, but not show the % for each.
Is there a way to do this?
Thanks
... View more
04-24-2017
02:51 AM
This worked for me:
index=beacon | bin _time as Day span=1m | stats count by ID Day | stats perc99(count) as P99, perc50(count) as P50 by Day
... View more
04-24-2017
02:50 AM
Thanks for replying. It didn't seem to work. The 99 percentile value seems to get bigger the further back in time you went.
This worked for me though
index=beacon Platform=android | bin _time as Day span=1m | stats count by INID Day | stats perc99(count) as P99, perc50(count) as P50 by Day
... View more
04-24-2017
02:30 AM
Thanks!
This is what I needed
index=beacon <search query> | bin _time as Day span=1d | stats count by ID Day| stats perc99(count) as P99 by Day
... View more
04-20-2017
05:17 AM
Hi
I have a query to look at the number of times a user does an event, and then get different percentiles of these. I'd however like to change this to track it over time. I've tried adding in timechart but it has not worked.
Do yo ukow if this Is this an easy thing to do?
Thanks
index=beacon <search query> | chart count by ID | stats perc99(count), perc1(count), perc50(count)
... View more
03-24-2016
03:40 AM
Hi,
I've the answer now, but the source query was:
index=beacons| spath | eval temp=mvzip(mvzip(mvzip('bean.data.matches{}.clusterId','bean.data.matches{}.facility'),'bean.data.matches{}.matchStatus'), 'bean.data.matches{}.cluster') | mvexpand temp | eval x = split(temp,",") | eval clusterId=mvindex(x,0) | eval facility=mvindex(x,1) | eval match_status=mvindex(x,2) | eval cluster=mvindex(x,3) | search cluster=1 OR cluster=2 OR cluster=3 | chart count by clusterId, facility
... View more
03-23-2016
11:46 AM
Hi
I have a query that produces some output like this:
ID server_a.1 server_a.2 server_b.1 server_b.2
1 0 0 1 0
2 1 0 1 1
3 1 1 0 0
I'd like to be able to add to it to tell me the number of ID's which are present in server_a*, but not in server_b* and visa versa. I think I can do it by making this an inner query, however I need to do it across millions of records, so that is not an option
Any help is appreciated!
Thanks
... View more
- Tags:
- splunk-enterprise
02-15-2016
09:16 AM
Thanks, it was almost right, but we have a URL we extract into different fields and it counted that as one, but we wanted each extracted part to be counted
... View more
02-15-2016
04:21 AM
We use splunk to index beacons our application sends in, many of these fields are optional, and we'd like to calculate the average number of fields that we are sent, I've not been able to work this out, and have this so far. (and have tried variants of it)
index=Beacon | fieldsummary | stats values(field), count(field), avg(count(field))
Thanks
... View more
12-22-2015
07:06 AM
Thanks, that's perfect
... View more
12-22-2015
06:49 AM
Hi,
I have a list of IPs, and I want to create a chart showing traffic from them, but I also want a version which excludes the last section. As IPs can be varying lengths, I'm not sure how to do this. I think I need to find the 3rd, and then remove the data after that.
e.g. if I had 3 events
1.2.3.4
1.2.3.5
123.456.567.345
I'd want to show a table like this:
1.2.3 = 2
123.456.567 = 1
Thanks
... View more
08-27-2015
07:11 AM
I have a search in which I want to return the distinct number of users doing an number of actions b1 - b5 split by platform (web & mobile)
This search does not work which makes sense, but is there a way in one search I can get 10 numbers?
index=beacon Platform=mobile OR Platform=web | stats dc(USERID) by Platform, b1, b2, b3, b4, b5
mobile b1 123
mobile b2 567
..
mobile b5 234
web b1 236
--
--
web b5 876
Thanks
... View more
07-21-2015
09:25 AM
I have some data, which includes a user id.
I can count the number of pageviews, and also the number of unique users who have viewed a page with this search
index=beacon BeaconType=pageview | stats count, dc(INID)
I'd like to count the total number of pageviews, but cap each user to only have 10 views included. Do you know if this is possible?
Thanks
... View more
03-19-2015
07:21 AM
Thanks, my problem though is I don't know if they will put in 1 ID, 3, 20 (or any number)
... View more
03-19-2015
05:53 AM
1 Karma
Hi
I have a form that allows users to enter an ID, which will then be populated in a search.
Is there a way to let users put in X number of ID's and have them all searched?
I've not been able to work out a way to do this as my query is something like:
index=beacon id=$id$ | chart count by country
To allow them to put in multiple IDs, all I can think of would be to have:
index=beacon id=$id$ OR id=$id2$ OR id=$id3$| chart count by country
but then you'd need to know ahead of time how many IDs were going to be passed in.
Thanks
... View more
01-20-2015
07:12 AM
Perfect! Thanks (a month after you answered it!!)
... View more
12-23-2014
03:22 AM
1 Karma
Hi
I have a search query that I need to join to a lookup table.
I have it joining to this lookup table TestDec14 and working when I look up the NEW_ID field, but I also need to join to the ID_TYPE field
index=test NEW_ID=123 OR NEW_ID= 456
| lookup TestDec14 NEW_ID
| eval new_add=NEW_ID.",".address
| chart count by new_add
| sort count desc
Is this possible? If so do you have any syntax on how I would do this? I've tried a few options but none have worked
Thanks
... View more
12-08-2014
08:24 AM
Hi,
I have a report which is a basic timechart, but in the output like to put the day of week as well as the day
So Monday 8 December
rather than
8 December
Is this possible?
Thanks
... View more
