Hi Splunk gurus. I have a query problem thats been challenging me for a while. When my polling breaks, or when counters reset to zero for whatever reason (i.e. the device i'm polling is rebooted) i get a situation like this (red shading = condition when broken, green = when polling resumes properly): Soi basically get a HUUUUUUGE spike in my graphs which destroys the rest of the fidelity on the Y-axis scale. As so: Any ideas how i can solve this condition at the splunk search / SPL layer? I dont believe ill be able to ever fix it at the device layer, so will need the dashboards to handle the condition and work around it somehow. Im sure im not the first to solve this problem, so didnt want to re-invent the wheel (a quick search of the forums couldnt help me). heres my SPL for anyone that wants to copy/paste to give me a hand!. Thanks all! sourcetype=_json source="/Applications/Splunk/etc/apps/_kapp/bin/_KNETWORK/getPFSENSEstats.py" | streamstats current=t global=f window=2 earliest(vtnet0BytesInPass) as lastBytesIn latest(vtnet0BytesInPass) as currentBytesIn earliest(vtnet0BytesOutPass) as lastBytesOut latest(vtnet0BytesOutPass) as currentBytesOut | eval mbpsIn =(currentBytesIn - lastBytesIn )*8/1024/1024/60 | eval mbpsOut =(currentBytesOut - lastBytesOut)*8/1024/1024/60 ... View more

Hi guys, i need help with a search. I believe it's a subsearch that i need (I need a variable output of one search to feed another search), but I cant make it work. Basically, i have written code that polls a weather forecast API and spits back JSON, which Splunk gobbles up. Trouble is, the API call is made several times a day, which means i get several, duplicate predictions in my data set. I only want to take the latest data, and ignore all previous. Here is my search which works well in giving me the table i need, when i have a clean index (i.e. only one API poll has been ingested thus far): sourcetype=_jsonFUTURE BOMPREDdate | eval Day = strftime(_time,"%a") | eval Date = strftime(_time,"%F") | sort _time | table Day, Date, BOMPREDrainChance, BOMPREDrainMM, BOMPREDdescBrief, BOMPREDdescDetail | rename BOMPREDrainChance as "Rain%", BOMPREDrainMM as "RainMM", BOMPREDdescBrief as "ForecastBrief", BOMPREDdescDetail as "ForecastDetail" but when the API poll script has run twice, for instance, the table now has duplicates as shown below: In my JSON data set, i have now included a field ive called 'BOMPREDapiPollTime' which is an epoch time that the script was executed...so the 7 JSON events that get ingested each time the script is run, all share the same value 'BOMPREDapiPollTime' as shown below. So, all i believe i need to do is: a) find that latest timestamp of 'BOMPREDapiPollTime' - which i can do with the search 'sourcetype=_jsonFUTURE BOMPREDdate | stats latest(BOMPREDapiPollTime) as pollTime' b) feed that into my working search (pictured above) - i believe with a subsearch... I have tried variants of the below without luck: sourcetype=_jsonFUTURE BOMPREDdate [search sourcetype=_jsonFUTURE BOMPREDdate | stats latest(BOMPREDapiPollTime) as pollTime] | eval Day = strftime(_time,"%a") | eval Date = strftime(_time,"%F") | sort _time | table Day, Date, BOMPREDrainChance, BOMPREDrainMM, BOMPREDdescBrief, BOMPREDdescDetail | rename BOMPREDrainChance as "Rain%", BOMPREDrainMM as "RainMM", BOMPREDdescBrief as "ForecastBrief", BOMPREDdescDetail as "ForecastDetail" BUT I cant make it work! (i always get zero results). Any help would be greatly appreciated. I'm sure it's something stupid I'm doing. thanks in advance guys! Keiran. ... View more

Hi guru's: i have JSON data that looks like the below. { "BOMxmlDlTime": 0.6584670543670654, "TODAY-PLUS-0": { "BOMPREDdate": "2018-12-29", "BOMPREDdescBrief": "Sunny.", "BOMPREDfireDanger": "Very High", "BOMPREDiconCode": 1, "BOMPREDrainChance": 0, "BOMPREDtempMax": 30 }, "TODAY-PLUS-1": { "BOMPREDdate": "2018-12-30", "BOMPREDdescBrief": "Mostly sunny.", "BOMPREDiconCode": 3, "BOMPREDrainChance": 5, "BOMPREDtempMax": 31, "BOMPREDtempMin": 22 }, "TODAY-PLUS-2": { "BOMPREDdate": "2018-12-31", "BOMPREDdescBrief": "Possible shower.", "BOMPREDiconCode": 17, "BOMPREDrainChance": 40, "BOMPREDtempMax": 31, "BOMPREDtempMin": 22 }, "kCryptoDictType": "BOMpredictions" } I want to split each chunk of "TODAY-PLUS-X: { xxxxxx }," into its own event. I've been reading and attempting various things for the last few hours and nothing I can seem to do allows me to do this. The obvious place to split it would be at the line with: }, ... so ive been playing with various combinations of MUST_BREAK_AFTER with regex in props.conf to do this, but nothing seems to make the event split. Here's my current props.conf (in the /etc/system/local/ directory, but have also tried in the /etc/app/xxxxx/local). And, I've been doing a full Splunk restart each time I edit props.conf if anyone was wondering. The last 5 lines i think are bits I've been manually editing (the first bits are auto created from the GUI when o created my new _jsonFUTURE sourcetype [_jsonFUTURE] INDEXED_EXTRACTIONS = json KV_MODE = none NO_BINARY_CHECK = true category = Structured description = K - required by BOM predictions data (needs special event splitting and date extraction logic) disabled = false pulldown_type = 1 BREAK_ONLY_BEFORE_DATE = false MUST_BREAK_AFTER = \}, TIME_PREFIX = \"BOMPREDdate\":\s+\" TIME_FORMAT = %y-%m-%d MAX_DAYS_HENCE = 7 Can anyone please tell me what I'm doing wrong? I'm pulling my hair out !!!! Thanks in advance guys, K. ... View more

Hi splunk gurus! Long weekend here in Australia and i thought id finally get around to ticking something off my wish list: netflow my home network. So ive got a cisco adsl router thats successfully streaming netflow to my splunk box (verified first with tcpdump). At the splunk side, i started off down one path (“Netflow Analytics” until i realised you had to pay, a lot, for that!)... then some searching in here pointed me to “splunk stream”, which seems robust, is free, now installed, and happily gobbling up my netflow stream! See attached photo. Which brings me to the fun part (and my question). Where can i find some pre-canned SPL to start plotting my traffic on pretty graphs? The Stream UI doesnt look to be setup for this. I know i could start to write myself but its a relatively complex dataset, and surely this has been done lots before, so i shouldnt have to reinvent the wheel. So if anyone can point me at some SPL (or an app!) that would be great! Thanks in advance all. Keiran. PS- this is the sort of graph I'm hoping to create (from the paid app - https://splunkbase.splunk.com/app/489): ... View more