Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About willial
willial
Communicator
Member since:
11-12-2013
06-05-2020
Community Statistics
| Posts | 53 |
| Solutions | 2 |
| Karma Given | 1 |
| Karma Received | 17 |
| Member Since | 11-12-2013 |
Activity Feed
- Karma Re: Conditional count in stats function for somesoni2. 06-05-2020 12:47 AM
- Got Karma for How to embed an image in a simple XML dashboard with HTML?. 06-05-2020 12:47 AM
- Got Karma for Re: Conditional count in stats function. 06-05-2020 12:47 AM
- Got Karma for Conditional count in stats function. 06-05-2020 12:47 AM
- Got Karma for Create field extraction before linebreaks and apply it to broken-out sections after?. 06-05-2020 12:47 AM
- Got Karma for Re: Not Reading Dropdown Form Tokens. 06-05-2020 12:47 AM
- Got Karma for Re: How to configure Transforms.conf and Props.conf to break logs into individual events by timestamp?. 06-05-2020 12:47 AM
- Got Karma for Who's downloading my app?. 06-05-2020 12:47 AM
- Got Karma for Is there a way to send data to Splunk over SSL from a third-party device without using a forwarder?. 06-05-2020 12:47 AM
- Got Karma for How to embed an image in a simple XML dashboard with HTML?. 06-05-2020 12:47 AM
- Got Karma for How to embed an image in a simple XML dashboard with HTML?. 06-05-2020 12:47 AM
- Got Karma for Re: Conditional count in stats function. 06-05-2020 12:47 AM
- Got Karma for How to embed an image in a simple XML dashboard with HTML?. 06-05-2020 12:47 AM
- Got Karma for How to embed an image in a simple XML dashboard with HTML?. 06-05-2020 12:47 AM
- Got Karma for How to embed an image in a simple XML dashboard with HTML?. 06-05-2020 12:47 AM
- Got Karma for How to expand multiple multivalue fields?. 06-05-2020 12:46 AM
- Got Karma for Re: REX command: something or something or nothing. 06-05-2020 12:46 AM
- Got Karma for How to expand multiple multivalue fields?. 06-05-2020 12:46 AM
- Posted Re: Is it possible to extract multiple timestamps from individual lines at search time and then use the time picker on them? on Getting Data In. 08-11-2015 01:02 PM
- Posted Re: Is it possible to extract multiple timestamps from individual lines at search time and then use the time picker on them? on Getting Data In. 08-11-2015 12:52 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 6 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 1 | |||
| 0 |
08-11-2015
01:02 PM
Here's my workaround.
I've created a dropdown to mimic parts of the time picker, in this fashion:
Last hour, -1h
Last day, -1d
Last month, -1mon
I'm doing this:
convert mktime(time) AS time | where time>relative_time(now(),"$fauxTimePicker$")
The first part converts the human-readable timestamp "time" into epoch. The second part checks to make sure that value is within the range created between now() and the relative time value from my dropdown.
It's not a fully-functional time picker, but it's a fair enough workaround.
... View more
08-11-2015
12:52 PM
I've made no indication that I'm editing or have edited files in system/default -- I pointed out that SHOULD_LINEMERGE defaults to true in system/default/props.conf and that since I'm not setting it elsewhere, it's true. Which you indicated was some sort of problem.
I'm editing files in apps/appname/default.
... View more
08-11-2015
10:31 AM
File contents are tricky, since they're not always standard. Also they're too big to post. Suffice to say, they consist of a bunch of various system output, with one section being dedicated to system logs as I explained above, always following this format:
1/1/2015 12:34:56 <Log header> Log text.
inputs.conf is (plus one stanza seting SSL password, rootCA, serverCert):
[tcp://port#]
connection_host = dns
index = myindex
sourcetype = my-type
[tcp-ssl:sslport#]
index = myindex
sourcetype = my-type
I've masked these slightly. The sourcetype is unique to these inputs.
props.conf is (some of these files are really big -- 100,000+ lines)
[default]
TRUNCATE = 0
MAX_EVENTS = 150000
I'm not setting LINE_BREAKER or SHOULD_LINEMERGE. SHOULD_LINEMERGE defaults to true in the system/default/props.conf, of course.
... View more
08-11-2015
08:24 AM
That's the point: I'm not doing anything in transforms, my props file is just two lines to keep from truncating large files (from above: TRUNCATE for long lines and MAX_EVENTS for big linecounts), and my inputs just pull in tcp/ssl and set a sourcetype.
... View more
08-11-2015
08:05 AM
My file does not get split into multiple events. I am forced to extract the timestamps manually. I don't know why this is the case. I'm certainly not doing this on purpose.
... View more
08-11-2015
07:04 AM
If you look back at my initial question, you'll see that Splunk is not splitting the file into multiple events. It's retaining the entire file as a single event. It is not extracting the timestamp for each line, which is why I'm trying to do it manually in the first place.
... View more
08-10-2015
11:44 AM
In my cases, the timestamp isn't typically in the filename. I see _time, but it's unclear on where it's being extracted from.
All the timestamps that I actually want are extracted neatly with rex, so that I have: timestamp, logfield1, logfield2,logfield3, etc... where all my necessary log data is lined up with a timestamp, but then I find I can't do anything with the timestamp for filtering purposes without building my own faux time picker with form inputs.
... View more
08-10-2015
10:59 AM
inputs.conf: setting one tcp and one ssl input
props.conf: setting TRUNCATE and MAX_EVENTS
transforms.conf: not using anything here
Command outputs about 75 fields.
... View more
08-10-2015
10:34 AM
I have a log file that's made up of timestamped log messages, so there's a _time for the file, but then multiple timestamps for each individual message, as such:
1/1/2015 12:34:56 Log message here
1/1/2015 01:23:45 Other log message here
I'm extracting the timestamps using rex, but I haven't found a way to use them yet. I'd like to use them with the time picker if at all possible.
... View more
06-18-2015
07:54 AM
I think we broke the comment section. Moving up here.
I'm doing event linebreaking at index time, but I'm not actually working with a unique source field per original file since I'm getting data over TCP and UDP -- I'm using files too, but not 100%, which is the only case in which your solution would really work. I'm not pre-processing outside of Splunk, I'm using props.conf and transforms.conf stanzas to handle the event linebreaking at index time. What I'm really looking for, and what I think would be most useful, is a way to extract a value from the input before event linebreaking and then embed it in each new event after.
... View more
06-18-2015
07:35 AM
No, the source field is not unique in that source = source = source = source = source for most files, unless you're literally using individual text files as your inputs. If you're gathering data from a TCP source, source is always going to equal TCP:500 or however. Which means when you go to do eventstats by source, and none of your sources are unique, the ID number that's applied to each event is going to be the same one.
This isn't crazy, and there are limited instances in which your solution would work, but this isn't one of them.
... View more
06-18-2015
07:09 AM
I'm sorry if I wasn't clear -- I did try it, and it acted as I stated in my previous comment. The Source field is not unique.
... View more
06-17-2015
12:43 PM
That doesn't work. It just extracts from the very first event that matches the rex for System Type and applies that to every result in the search. Since each section was broken into its own event at index time and there's no overlapping unique information, I don't have any relational linkage between sections.
EDIT: Additionally, the files themselves are too big not to break into smaller events. I still get some truncation issues on subsections, even.
... View more
06-17-2015
11:44 AM
If this is right, I don't think I understand how eventstats works. This may get complicated.
So I made my sample look very generic. My actual ID looks like (sorry for the regex):
System Type: \w+-\w+
(I'm also looking to do similar searches filtering out by MAC addresses and some other things)
I'm pretty sure I can't just ask it to eventstats first("System Type") and expect it to pick up what I want -- also I tried it, so I'm even more pretty sure there. Will I need to build in an auto field extraction or is there a better way around this?
... View more
06-17-2015
11:03 AM
As I mentioned, I'm dividing the files at index time so if I'm searching sourcetype=Section2 or sourcetype=Section3, the ID number isn't in the current search results to run eventstats on. The files are ~15,000 lines long and contain 20 or so sections, so I can't really manage them at search time in their original format.
... View more
06-17-2015
08:43 AM
The sections are broken out at index time, so I can't grab the ID from Section1 if I'm searching on Section3. Currently I lose the relationship between sections, which is why I'm trying to put a unique identifier in all sections so they can be tracked after they're broken out.
... View more
06-17-2015
07:54 AM
1 Karma
Let's say I'm doing extractions on a really big file, thousands of lines, that looks like this:
Section1
ID_Number: 12345
lots and lots of text
@@@
Section2
lots and lots of text
@@@
Section3
lots and lots of text
So I've set up props and transforms to handle it so that it breaks at the @@@, and each section is a sourcetype -- sourcetype=Section1, sourcetype=Section2, etc.
My question is this: that ID_Number in the first section is important, is there any way to extract it and add it to each section/sourcetype as a field so that it's not stuck only in Section1?
... View more
04-28-2015
07:00 AM
The solution there is for creating a new field. I'm trying to reference an existing field.
... View more
04-27-2015
06:54 AM
More convoluted. I want to copy the value from the field whose name is specified in monthSearch1 (field 201507 in the example, yielding 12) to month1.
... View more
04-24-2015
12:26 PM
Sadly, no. I never got anywhere investigating this one.
... View more
