Activity Feed
- Got Karma for ITSI not supporting earliest and latest in KPI searches?. 07-29-2024 01:47 AM
- Got Karma for Re: change event handler not working for token from within the same input. 05-04-2021 10:08 PM
- Posted Re: change event handler not working for token from within the same input on Dashboards & Visualizations. 05-04-2021 10:03 PM
- Karma Re: change event handler not working for token from within the same input for ragedsparrow. 05-04-2021 10:02 PM
- Posted Re: change event handler not working for token from within the same input on Dashboards & Visualizations. 05-04-2021 09:36 PM
- Posted change event handler not working for token from within the same input on Dashboards & Visualizations. 05-04-2021 08:22 PM
- Karma Re: How to access "_indextime" to calculate "latency" in "metrics index"? for woodcock. 04-21-2021 04:18 PM
- Karma Re: How to remove the "| Splunk" addition and the green arrow icon from the title in our browser tab in Splunk 6.2? for arkadyz1. 02-11-2021 05:48 PM
- Karma Re: How to block access to the search bar for users in an app? for jlhamlet. 02-03-2021 02:24 PM
- Karma Re: How to edit my scheduled outputlookup search to NOT overwrite the existing lookup table if the new results are blank? for mbenwell. 08-08-2020 08:11 AM
- Karma Re: Cisco ACI Add-on for Splunk Enterprise: What CIM Module data sets does are in compliance for each sourcetype? for guarisma. 06-28-2020 04:44 PM
- Karma Re: Difference between 'show default-hostname' and 'show servername' for Paolo_Prigione. 06-17-2020 05:59 PM
- Karma Re: Splunk 8.0 upgrade has no web server running for woodcock. 06-05-2020 12:50 AM
- Karma Re: How to redirect to two URLs from a Cluster Map? for niketn. 06-05-2020 12:49 AM
- Karma Re: How to migrate a clustered indexer peer to a new hardware in a single-site cluster for richgalloway. 06-05-2020 12:49 AM
- Karma Re: Why are the field names different when using |from datamodel instead of |datamodel in a search? for smoir_splunk. 06-05-2020 12:49 AM
- Karma Splunk ITSI Services showing N/A for MichaelMcAleer. 06-05-2020 12:49 AM
- Karma Re: Splunk ITSI Services showing N/A for MichaelMcAleer. 06-05-2020 12:49 AM
- Karma How to make panel depend on token value? for matstap. 06-05-2020 12:49 AM
- Karma Re: How to make panel depend on token value? for niketn. 06-05-2020 12:49 AM
Topics I've Started
05-04-2021
10:03 PM
1 Karma
Thanks @ragedsparrow, it worked like a charm 🙂
05-04-2021
09:36 PM
Below is one of the panel searches:
| pivot `uA_DM_Process_ProcessDetail` Process_ProcessDetail
    sum(ProcCPUPercent) as ProcCPUPercent
    splitrow AppName as "App name"
    splitrow time as _time period $PivotPeriodAutoSolo$
    splitrow host as host
    filter AppName isNot "Microsoft Windows OS"
    $SearchFilter$
| timechart $span$ perc90(ProcCPUPercent) as "avg(ProcCPUPercent)" by "App name"
| join type=outer _time
    [| pivot `uA_DM_System_SystemPerformanceSummary` System_SystemPerformanceSummary
        max(CPURelativeFrequencyPercent) as "Max.CPURelativeFrequencyPercent"
        splitrow _time period $PivotPeriodAutoSolo$
        $SearchFilter$ ]
As you can see here, since I have used different formats for span in the pivot and timechart commands, I have to do the conversion. And the reason I'm keeping the default value "" (blank) is to avoid causing syntax errors in case I use "span" as a timechart option.
05-04-2021
08:22 PM
I'm having certain panels in my dashboard using the | pivot command and others using the | datamodel command (because there are certain things you can't do with pivot). I want to allow the user to select the granularity of the time charts in the dashboard when they select a longer time range. So, in the change event handler, I'm trying to convert the span value to be compatible with the period argument in pivot.
<input type="dropdown" token="span" searchWhenChanged="true">
  <label>Granularity</label>
  <choice value="">Default</choice>
  <choice value="span=1m">1 min</choice>
  <choice value="span=15m">15 min</choice>
  <choice value="span=30m">30 min</choice>
  <choice value="span=1h">1 hour</choice>
  <choice value="span=1d">1 day</choice>
  <default></default>
  <change>
    <eval token="PivotPeriodAutoSolo">case("$span$"="span=1m", "1m", "$span$"="span=15m", "15m", "$span$"="span=30m", 30m, "$span$"="span=1h", 1h, "$span$"="span=1d", 1d, 1=1, "auto")</eval>
  </change>
</input>
But for some reason this change does not get applied.
Labels: simple XML, token
08-14-2019
02:26 PM
Hi @trenin, I know this might be too late for a reply, but letting you know anyway.
I was having the same issue and came across your question while searching for an answer.
Are you using any REGEXes for field extractions or timestamp prefixes in your sourcetype?
My problem was that one of the (lengthy) REGEXes I was using in one of the sourcetype definitions was split in the middle and carried over to the line below, and Splunk was only considering the first line (malformed REGEX). I spotted it when I was restarting Splunk and it warned me of it during the validation of .conf files.
After I fixed that, I had no duplication. So, for me the duplication was only for the inputs that were using that particular sourcetype.
08-12-2019
02:41 PM
@melonman, there is an app on Splunkbase which does this.
https://splunkbase.splunk.com/app/4030/
But unfortunately it is not supported in Splunk Cloud (as of writing this comment).
06-05-2019
03:01 PM
Thanks @vanallp, this is exactly what I was facing and it worked.
05-30-2019
08:42 PM
1 Karma
Yes you can. But you need to make sure the other instance that you are trying to run it against is a Search Peer of the instance you are executing from. That means you can't run it for a remote Forwarder.
You can run it against any hostname you get from the search below:
| rest /services/data/indexes count=0 splunk_server=*
| stats count by splunk_server
Example:
| rest /services/data/indexes count=0 splunk_server=* | stats count by splunk_server
| rest splunk_server=splunk05 /servicesNS/-/-/configs/conf-props search="eai:acl.app=search"
| search title=*
| rename eai:acl.app as app, eai:acl.perms.read as read, eai:acl.sharing as sharing
| fields - updated published id eai*
| fields title author splunk_server app read sharing *
| eval title="[".title."]"
| foreach * [eval title=if("<>"="author" OR "<>"="splunk_server" OR "<>"="app" OR "<>"="read" OR "<>"="sharing" OR "<>"="title" OR '<>'="",title,mvappend(title,"<>"."="."\"".'<>'."\""))]
| fields title author splunk_server app read sharing
05-08-2018
10:48 PM
2 Karma
I experienced this while working on a Splunk ITSI cloud project. The client wanted to see if there had been a drop in a certain type of event in the last 1 hour compared to the average of the same hour 1 week and 2 weeks back.
Apparently ITSI does not support base searches with earliest and latest statements (time modifiers).
If you create a KPI like that you would not get any error, but the KPI summary would not be populated with the expected values; the alert value in the itsi_summary index would be just N/A.
So if you have a search like this...
index=logs sourcetype="searchlogs" Code="*" earliest="-1h" latest=now
| top name countfield=recent limit=0 showperc=0
| join name type=outer
[ search index=logs sourcetype="searchlogs" Code="*" earliest="-169h" latest="-168h"
| top name countfield=distant1 limit=0 showperc=0 ]
| join name type=outer
[ search index=logs sourcetype="searchlogs" Code="*" earliest="-337h" latest="-336h"
| top name countfield=distant2 limit=0 showperc=0 ]
| fillnull distant1 distant2 recent
| eval avg_searches=(distant1+distant2)/2
| eval search_dif=recent-avg_searches
| eval search_dif=abs(if(search_dif>0,0,search_dif))
| where search_dif>0
It would not create any values for the KPI. On the Service Analyzer the service would show up as "N/A" in grey. And when you click it and go into the service detail, the KPI will not show any values and would be showing "NaN". If you search the itsi_summary index there would be no values for the alert_value for that KPI.
Instead, if you only remove the earliest and latest modifiers from the base search and pick the search window from the selection list when creating the KPI search (or KPI base search), as follows:
index=logs sourcetype="searchlogs" Code="*"
| top name countfield=recent limit=0 showperc=0
| join name type=outer
[ search index=logs sourcetype="searchlogs" Code="*" earliest="-169h" latest="-168h"
| top name countfield=distant1 limit=0 showperc=0 ]
| join name type=outer
[ search index=logs sourcetype="searchlogs" Code="*" earliest="-337h" latest="-336h"
| top name countfield=distant2 limit=0 showperc=0 ]
| fillnull distant1 distant2 recent
| eval avg_searches=(distant1+distant2)/2
| eval search_dif=recent-avg_searches
| eval search_dif=abs(if(search_dif>0,0,search_dif))
| where search_dif>0
It works!
So what if you want to search for a different time range than the options on the 'Calculation Window' drop down (which are last 1min, 5min, 15min and 24 hours)? Like last 1 hour?
- First save the KPI with a 'Calculation Window' from the drop down. Choose a short 'KPI Search Schedule' like every 1min or 5min.
- If it's a KPI base search you need to assign it to a service.
- Remember the KPI name assigned to the service, let's say 'Search Drop'.
- Search index="itsi_summary" kpi="Search Drops"
- Look for the value in the 'search_name' field, something like "Indicator - Shared - 5ae27a58892b3fcfba2ec5ed - ITSI Search".
- Open Settings > Searches, Reports, and Alerts.
- Look for that search and click on Edit Search.
- There you would see the fields 'Earliest Time' and 'Latest Time'. You can change the values there to match the base search time range in relative time abbreviations. If you initially added a time lag for the KPI search (to compensate for indexing lag), remember to add that into the values.
  Example: last 1 hour with 120s lag: Earliest time=-3720s, Latest time=-120s
I would like to hear if anyone else has experienced this. If so I'd like to make a feature request to make the calculation window customizable and document the limitation of the base search for KPI.
05-10-2017
04:44 PM
1 Karma
Hi nhdpotter,
This was the case with me as well. As soon as I changed the management port back to 8089 it worked 🙂
Thanks for the reply.
Note: I'm the same guy who posted the question. But for some internal unknown account/identity screw-up I lost access to my account and had to create this new one; lost all history from answers.splunk.com.