I'm trying to use transactions to generate a timeline of events where the events are grouped by an eventId I'm recieving up to 2 events as a START and a STOP event, and have to calculate the duration between them based on actualTime. { "action" : "START", "source" : "AS_PLANNED", "timestamp" : "2017-07-12T10:07:14.682+02:00", "eventId" : "1366963140327", "title" : "sadfasdfasdf", "flowPublicationId" : "1366963137812", "timeAllocationType" : "Segment of program", "actualTime" : "2017-07-12T10:07:14.760+02:00", "startTimeAnnounced" : "2017-07-12T10:05:00.000+02:00", "startTimePlanned" : "2017-07-12T10:07:14.760+02:00", "stopTimePlanned" : "2017-07-12T10:12:50.360+02:00", "broadcastDate" : [ 2017, 7, 12 ], "live" : false, "quickReprise" : false, "streamingLive" : false, "streamingOD" : false, "numberOfBlocks" : "1", "blockPartNumber" : "1", "blockId" : "1366963138813" } { "action" : "STOP", "source" : "AS_PLANNED", "timestamp" : "2017-07-12T10:12:50.310+02:00", "eventId" : "1366963140327", "title" : "yyyyyy", "flowPublicationId" : "1366963137812", "timeAllocationType" : "Segment of program", "actualTime" : "2017-07-12T10:12:50.360+02:00", "startTimeAnnounced" : "2017-07-12T10:05:00.000+02:00", "startTimePlanned" : "2017-07-12T10:07:14.760+02:00", "stopTimePlanned" : "2017-07-12T10:12:50.360+02:00", "broadcastDate" : [ 2017, 7, 12 ], "live" : false, "quickReprise" : false, "streamingLive" : false, "streamingOD" : false, "numberOfBlocks" : "1", "blockPartNumber" : "1", "blockId" : "1366963138813" } The query I'm using -> index="morpheus" | transaction eventId | eval start=if(action=="START",actualTime,startTimePlanned) | eval stop=if(action=="STOP",actualTime,stopTimePlanned) | eval duration=(strptime(stop,"%Y-%m-%dT%H:%M:%S,%3N") - strptime(start,"%Y-%m-%dT%H:%M:%S,%3N")) | table actualTime, action, title, start, stop, duration But it seems that I'm not getting the duration correctly calculated. ... View more

Hi I'm trying to break json events comming from tcp input into seperate events. { "action" : "STOP", "source" : "AS_PLANNED", "timestamp" : "2017-03-24T08:29:59.977+01:00", "productionNumber" : "14801720125", "productionType" : "Radio", "eventId" : "1179469773327", "title" : "Some title", "flowPublicationId" : "1179469742812", "channelPresentationCode" : "xx", "channelPresentationName" : "xxyy", "timeAllocationType" : "Segment of program", "actualTime" : "2017-03-24T08:30:00.000+01:00", "startTimeAnnounced" : "2017-03-24T08:06:00.000+01:00", "startTimePlanned" : "2017-03-24T08:06:00.000+01:00", "stopTimePlanned" : "2017-03-24T08:30:00.000+01:00", "broadcastDate" : "2017-03-24", "live" : false, "quickReprise" : false, "streamingLive" : false, "streamingOD" : true, "streamingDestination" : " (WEBCMS)", "numberOfBlocks" : "8", "blockPartNumber" : "5", "blockId" : "1179469768813" } Note that the json is pretty printed with spaces and linebreaks. It works fine if I ommit the spaces and linebreaks with the default json sourcetype, but with the pretty printet version the event get's split into several events. I have figured out I have to create a custom sourcetype and use a custom LINE_BREAKER as stated here https://answers.splunk.com/answers/171197/how-to-get-two-lines-of-json-to-break-as-two-event.html. But I was not able to find the magic rex to ommit spaces and linebreaks. ... View more

I have the following search index="surveillance-status" source="rest://drip status" OR source="rest://drip-status2" | stats count by source, status It gives me 4 rows with the fields source, status and a count for each, since the status can be either OK or ERROR How can i turn this into a pie chart that shows a slice fore each source by status ... View more

I'm testing the new Splunk version using the java client sdk, and are seeing problems connecting to a tcp receiver port 9997. When connecting i'm using a serviceargs map with the values {host=localhost, port=9997, scheme=https, username=admin, password=password} When doing Service.connect(args) i'm getting an error could not connect to Splunk Server @ localhost:9997 - java.lang.RuntimeException: Remote host closed connection during handshake From the splunkd.log there are log entries -> 10-28-2014 19:03:49.815 +0100 ERROR TcpInputProc - Message rejected. Received unexpected 369295360 byte message! from src=127.0.0.1:55247. Maximum message allowed: 67108864. (::) There is no problem when using earlier versions of Splunk eg. 5.3 Best, Preben ... View more

How can I make use of the rangemap when my search returns statis values like [OK or ERROR or WARN] and display a single value with a icon for each ERROR = server, OK = low and WARN = guarded. Somehow I have to translate the ERROR ect. to a number to make use of rangemap i guess ? The search = index=something | sort - _time The search returns a status and a timestamp where only the resent value should count. Normally the single value works like this : <single> <searchString>| stats count as value | eval value = 550 | rangemap field=value none=0-99 low=100-199 guarded=200-299 elevated=300-399 high=400-499 severe=500-599 default=none</searchString> <earliestTime>-15m</earliestTime> <latestTime>now</latestTime> <option name="classField">range</option> <option name="field">value</option> </single> ... View more