cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
ianbruton
Explorer
Member since: ‎04-01-2015
‎06-05-2020
Community Statistics
Posts 4
Solutions 0
Karma Given 1
Karma Received 1
Member Since ‎04-01-2015
Activity Feed
View All

Alternatives to "No Results Found" (fillnull is no...

by in Monitoring Splunk
‎07-12-2018 08:42 AM
‎07-12-2018 08:42 AM
Hello Everyone, I think that I may have a strange use case that I would love some help with. I have a system that processes hundreds of thousands of messages. The system categorises messages into 4 different queues: Express, High, Medium, Low. The system has a performance monitor built into it, this perfmon will keep track of kpi's as the system runs and report the values in messages which we send to splunk. Example message: 07/12/2018 17:12:42.815 +0200 collection="CollectionName" object="MessageRate" counter="High" instance=123 Value=53.82524876723775 Now, the value that I am interested in is "Value", it is the percentage (0.0 - 100.0) of the total messages, taken up by the queue mentioned in the field "Counter" (Still with me?) I.E. Counter == name of the Queue, Value == the % that the Queue represents out of the sum total of messages. So to recap, perfmon is calculating what % of the total messages are in each queue, then sending a message PER QUEUE with the values. What I am trying to do is to set up 4 dashboard panels that display these percentages (one per queue). THE PROBLEM If a Queue has no messages in it, perfmon is NOT sending a message, so the dashboard panel just says: N/A as it has no events to extract 0.0 from, because again, it is never sent by perfmon. THE DESIRED OUTCOME If a Queue has no messages in it the dashboard panel should just display 0 instead of N/A. WHAT I THINK I think that I need to some how set up a conditional search, or a nested search along the lines of: if (searchForExpressMessages == null) . // if no messages in queue Value == 0 . // display 0 else // there must be messages in the queue Run query to pull Value out of the message WHAT I TRIED Many different ways of trying to get evals, rex's and fillnull working, but all to no avail, I can get the panels to display results, but they are not accurate at all, and are just ending up being counts of the number of different values of "Value" Any help would be appreciated greatly. I am heading home from work and will not look at this again for about 16 hours, just FYI. Thank you in advance ... View more

Re: Are there set guidelines for Splunk search bes...

by in Splunk Search
‎03-04-2016 11:12 AM
‎03-04-2016 11:12 AM
Wow, that's a great amount of info for me to go through! Thanks for taking the time to provide it all to me! I will certainly have a deep dive in there and see if there is anything that we can do better. Hopefully some other people will be able to chime in as you say. Thanks again! ... View more

Re: Are there set guidelines for Splunk search bes...

by in Splunk Search
‎03-04-2016 11:09 AM
‎03-04-2016 11:09 AM
Yeah I had a feeling that it was going to be a large topic, given that I couldn't think of a way to encapsulate it in a straight forward question. Thank you for your insight though, this is all great information that I can go back to my team with and we can work on creating a plan to move forward with any changes that we need. And if you can think of any other important areas to look out for , please feel free to let me know 🙂 ... View more

Are there set guidelines for Splunk search best pr...

by in Splunk Search
‎03-04-2016 10:04 AM
1 Karma
‎03-04-2016 10:04 AM
1 Karma
I am not sure exactly how to ask this question, so I will try to just dive right in. Background: I work for a company that has a lot of environments for different customers. The hosts in these environments are all feeding their logs Splunk via a forwarder installed on each host. We have started to utilize Splunk more and more over the last few months by setting up alerts and dashboards and such, which is putting more load on the Splunk infrastructure. Issue: I wanted to see if there was any set of guidelines for how you we should be using Splunk. Is there a right way and a wrong way to write a search, e.g. Are there methods that we should avoid using because they are inefficient and you can get the same results with a search that has been thought out more? Getting down to brass tacks, it looks like more and more of our monitoring is going to be handled by Splunk and I don't want it to become this big bloated monster. I want to try and see if we can streamline what we are already doing before we add more checks (and more importantly reliance) onto the system. I have been going through some of the posts that are already on here and some of the submissions on this page: http://wiki.splunk.com/Community:More_best_practices_and_processes, but I just thought it would be a good idea to do it here too. Any help or insight would be greatly appreciated, even a link to another knowledge base would be great. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM
Karma from
View All
Karma given to
View All