Activity Feed
- Got Karma for Re: Need Help Designing Total Outage Alerts. 03-15-2021 06:53 AM
- Posted Re: Need Help Designing Total Outage Alerts on Splunk Search. 03-14-2021 03:29 PM
- Posted Re: Need Help Designing Total Outage Alerts on Splunk Search. 03-14-2021 02:55 PM
- Posted Re: Need Help Designing Total Outage Alerts on Splunk Search. 03-14-2021 02:48 PM
- Karma Re: Need Help Designing Total Outage Alerts for richgalloway. 03-14-2021 02:20 PM
- Posted Re: Need Help Designing Total Outage Alerts on Splunk Search. 03-13-2021 08:21 AM
- Posted Need Help Designing Total Outage Alerts on Splunk Search. 03-12-2021 05:05 PM
- Posted Re: How do I make a string into a field / variable? on Splunk Enterprise. 02-05-2021 11:27 AM
- Posted How do I make a string into a field / variable? on Splunk Enterprise. 02-04-2021 01:14 PM
- Posted Restricting date range in data from inputlookup on Splunk Enterprise. 12-29-2020 04:27 PM
- Posted Customized Sum Condition on Splunk Search. 11-16-2020 04:46 PM
- Posted Re: How to transform text type token values on dashboard? on Dashboards & Visualizations. 10-15-2020 10:54 AM
- Karma Re: How to transform text type token values on dashboard? for niketn. 10-15-2020 10:53 AM
- Got Karma for How to transform text type token values on dashboard?. 10-11-2020 08:18 AM
- Posted How to transform text type token values on dashboard? on Dashboards & Visualizations. 10-09-2020 03:10 PM
- Tagged How to transform text type token values on dashboard? on Dashboards & Visualizations. 10-09-2020 03:10 PM
- Karma Re: What happened to the transposed dates? for richgalloway. 06-05-2020 12:51 AM
- Karma Re: How to return a single value from a subsearch into eval Part 2 for richgalloway. 06-05-2020 12:51 AM
- Posted How to return a single value from a subsearch into eval Part 2 on Splunk Search. 05-20-2020 12:07 PM
04-27-2023
08:09 PM
Hi @PickleRick again, many thanks for your responses. To make it simple, our requirement is to display the top 10 most-used apps, month over month. As per my test, the records would be around 700k-800k per month. Appreciated, mate!
03-14-2021
03:29 PM
1 Karma
Figured it out...
| inputlookup append=true Provider_Alert.csv where Tier=Tier1 Active="TRUE"
| join type=outer
    [ search index=wsi sourcetype=fdpwsiperf intuit_offeringid IN ("Intuit.tax.ice.ice", "Intuit.platform.turbotaxwindows", "Intuit.tax.ctg.ice.109ximportwidget", "Intuit.platform.turbotaxipad.turbotaxmac") api_version=* tier=Tier1
      | eval offering=if(in(intuit_offeringid,"Intuit.tax.ice.ice","Intuit.tax.ctg.ice.109ximportwidget"),"TTO","TTD")
      | eval Provider_ID=coalesce(partnerId, legacy_id)
      | search Provider_ID!=*test*
      | chart dc(intuit_tid) as import_activity OVER Provider_ID BY offering
      | fields Provider_ID * ]
| fillnull
02-05-2021
11:27 AM
Thank you @scelikok !!
12-29-2020
05:02 PM
| makeresults
| eval time="01/01/2019"
| eval token_time=relative_time(strptime(time,"%m/%d/%Y"),"+1y")
| convert ctime(token_time)
token_time has no problem.
| where capability="W2" and token_time>=$time.earliest$ and token_time<$time.latest$
has a problem. It is not coming through in epoch time.
11-16-2020
06:47 PM
Try adding the below to your search:
| eventstats sum(last_hour) as last_hour_sum by partnerId
Also, can't you change
| eval combo=partnerId."::".provider_id."::".Form_Type."::".host_base_url."::".error_type
| chart dc(intuit_tid) as total_requests by combo time_bucket
| eval partnerId=mvindex(split(combo,"::"),0)
| eval provider_id=mvindex(split(combo,"::"),1)
| eval Form_Type=mvindex(split(combo,"::"),2)
| eval host_base_url=mvindex(split(combo,"::"),3)
| eval error_type=mvindex(split(combo,"::"),4)
to
| stats dc(intuit_tid) as total_requests by partnerId,provider_id,Form_Type,host_base_url,error_type
10-15-2020
10:54 AM
This is perfect @niketn ! Thank you! QQ -- What does this do in the <search>? | fields - _time I removed it and my dashboard kept scrolling all the way to the bottom... I added it back and then it behaved correctly. I'm not sure if my dashboard was misbehaving due to the absence of this or for some other reason...
05-20-2020
01:24 PM
1 Karma
By default, the return command returns a field name, not a value. To get the value, use | return $total_events
05-20-2020
11:33 AM
@to4kawa -- sorry, that was just a test case against that partner. The result of that subsearch can be any partner where the where condition applies
05-01-2020
03:03 PM
| inputlookup TY18_Splunk_total_data.csv
| where capability="109X"
| stats sum(attempts) by _time
| sort 0 _time
Try it and check the result.
When you use streamstats, you should sort first.
Splunk sorts fields in ASCII order (1, 10, 2, 20 ...), and the result order is sometimes the same.
04-03-2020
02:33 PM
I figured it out. It's the fieldformat that's the constraint. I removed it and I achieved what I wanted.
03-20-2020
06:47 AM
You can avoid the separate rename command by using the as option in streamstats .
| streamstats sum(*) as *
03-13-2020
05:54 AM
You can fix this in your base search. You currently have:
((index=wsi_tax_summary sourcetype=stash capability=109* tax_year=2019 ein=* earliest=1578096000 latest=now()) OR (index=summary_dac_tax partnerId!=*Test* tax_year=2018 capability=*109* tax_year=2018 earliest=1546560000 test=1556668800)) (intuit_offeringid=Intuit.platform.turbotaxipad.turbotaxmac OR intuit_offeringid=Intuit.platform.turbotaxwindows OR intuit_offeringid=Intuit.tax.ctg.ice.109ximportwidget)
error_msg_host=SUCCESS partnerId!=*test* partnerId=*
| (evals and stuff...)
All those latest=xxxx and earliest=xxxx clauses can use relative time modifiers. So you can, much as anmolpatel hinted at, do things like this (trimming out lots of extraneous stuff):
((index=wsi_tax_summary sourcetype=stash capability=109* tax_year=2019 ein=* earliest=-1y@y latest=@y)
I recommend taking a simple search and playing around with those to see their effect, and make sure you understand the difference between @y, -1y@y, and even mixed-up things like -1y@w, which goes back 1 year, to the closest week to now. (Right now on March 14th 2020, it goes back to March 10th 2019 for me.)
I think with a little use of relative time modifiers, you can achieve what you want.
If you get stuck with anything particular - try it in a simple search, like in your case maybe just one piece at a time, like
index=wsi_tax_summary sourcetype=stash capability=109* tax_year=2019 ein=* earliest=-1y@y latest=@y
Happy Splunking!
-Rich
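The relative-time modifiers Rich describes above, and the earlier question on this page about comparing token_time against $time.earliest$ and $time.latest$, can be worked through offline. The following Python is an added example written for this page, not code from Splunk or from any of the posters. It implements the subset of Splunk's relative-time syntax used in the thread (signed offsets, an @ snap unit including @w0..@w6, and offsets after the snap), passes epoch strings through unchanged, and treats naive datetimes as UTC. The reference instant NOW (Saturday 14 March 2020, the date Rich mentions) and the sample modifiers are constructed for the example.

```python
import calendar
import re
from datetime import datetime, timedelta

# Constructed reference instant: Saturday 14 March 2020, the date Rich mentions.
# Naive datetimes are treated as UTC throughout this example.
NOW = datetime(2020, 3, 14, 9, 30, 0)
EPOCH = datetime(1970, 1, 1)

# Offset: sign, optional integer (default 1), unit. "mon" precedes "m" in the
# alternation so that "-1mon" is not read as "-1m" plus junk.
_OFFSET = re.compile(r"([+-])(\d*)(mon|s|m|h|d|w|q|y)")
# Snap unit; @w0..@w6 snap to that weekday (w0 = Sunday) and bare @w means @w0.
_SNAP = re.compile(r"(mon|s|m|h|d|w[0-6]?|q|y)")
_DELTA = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}
_MIDNIGHT = {"hour": 0, "minute": 0, "second": 0, "microsecond": 0}

def _add_months(dt, n):
    """Move dt by n calendar months, clamping the day (29 Feb + 1y -> 28 Feb)."""
    year, month0 = divmod(dt.year * 12 + (dt.month - 1) + n, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return dt.replace(year=year, month=month0 + 1, day=min(dt.day, last_day))

def _shift(dt, sign, n, unit):
    n = -n if sign == "-" else n
    if unit in ("mon", "q", "y"):
        return _add_months(dt, n * {"mon": 1, "q": 3, "y": 12}[unit])
    return dt + timedelta(**{_DELTA[unit]: n})

def _snap(dt, unit):
    if unit == "s":
        return dt.replace(microsecond=0)
    if unit == "m":
        return dt.replace(second=0, microsecond=0)
    if unit == "h":
        return dt.replace(minute=0, second=0, microsecond=0)
    if unit == "d":
        return dt.replace(**_MIDNIGHT)
    if unit[0] == "w":
        target = int(unit[1:] or 0)
        # Python counts Monday=0..Sunday=6; Splunk counts Sunday=0..Saturday=6.
        back = ((dt.weekday() + 1) % 7 - target) % 7
        return (dt - timedelta(days=back)).replace(**_MIDNIGHT)
    if unit == "mon":
        return dt.replace(day=1, **_MIDNIGHT)
    if unit == "q":
        return dt.replace(month=3 * ((dt.month - 1) // 3) + 1, day=1, **_MIDNIGHT)
    return dt.replace(month=1, day=1, **_MIDNIGHT)  # unit == "y"

def _apply_offsets(dt, text):
    """Apply a run of offsets such as "-1y" or "+3d-2h"; reject anything else."""
    pos = 0
    while pos < len(text):
        m = _OFFSET.match(text, pos)
        if not m:
            raise ValueError(f"bad offset {text[pos:]!r}")
        sign, num, unit = m.groups()
        dt = _shift(dt, sign, int(num) if num else 1, unit)
        pos = m.end()
    return dt

def resolve(modifier, now=NOW):
    """Resolve "now", an epoch string, or [+|-]<n><unit>...[@<snap>[offsets]].

    Offsets before "@" apply first, then the snap, then offsets after it, so
    "-1y@w" means "go back a year, then to the start of that week" and
    "@d-2h" means "start of today, then two hours earlier".
    """
    text = modifier.strip()
    if text in ("", "now"):
        return now
    if re.fullmatch(r"\d+(?:\.\d+)?", text):  # epoch value from a time picker
        return EPOCH + timedelta(seconds=float(text))
    head, at, tail = text.partition("@")
    dt = _apply_offsets(now, head)
    if at:
        m = _SNAP.match(tail)
        if not m:
            raise ValueError(f"bad snap unit {tail!r}")
        dt = _apply_offsets(_snap(dt, m.group(1)), tail[m.end():])
    return dt

def to_epoch(dt):
    return int((dt - EPOCH).total_seconds())

def in_window(ts, earliest_tok, latest_tok, now=NOW):
    """The `where token_time>=$time.earliest$ AND token_time<$time.latest$`
    check done safely: both tokens are resolved to epoch seconds before the
    numeric compare, whatever form the time picker handed over."""
    return to_epoch(resolve(earliest_tok, now)) <= ts < to_epoch(resolve(latest_tok, now))

if __name__ == "__main__":
    for mod in ("@y", "-1y@y", "-1y@w", "@d-2h", "-1mon@mon", "1578096000"):
        print(f"{mod:>11} -> {resolve(mod)}")
```

Run it as a script to see each modifier resolved against NOW; resolve("-1y@w") lands on 10 March 2019, matching the date in the post. The in_window helper is the point for the earlier question on this page: a time picker may hand a dashboard token over as a relative string such as "-1y@y" rather than an epoch number, and a raw comparison against such a string is not a numeric one, so resolve the token first and then compare.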
03-05-2020
07:24 PM
Hi @hollybross1219,
Try this. Here your panel 1 depends on the token partner1, and this token is only set when the value of the input text is not "*".
<form>
  <label>Label</label>
  <fieldset submitButton="true">
    <input type="text" token="partner">
      <label>Input text</label>
      <change>
        <condition match="$value$!=&quot;*&quot;">
          <set token="partner1">$value$</set>
        </condition>
        <condition>
          <unset token="partner1"></unset>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel depends="$partner1$">
      <title>Panel 1</title>
      <table>
        <title>Count by sourcetype</title>
        <search>
          <query>index=_internal earliest=-5m | stats count by sourcetype</query>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Panel 2</title>
      <table>
        <title>Count by source</title>
        <search>
          <query>index=_internal earliest=-5m | stats count by source</query>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
01-24-2020
04:22 PM
Doesn't work. It leads me to the screen in my second attachment in my original question where it says sharing is private but provides no option to switch or change it.
01-24-2020
11:38 AM
The answer to your question can be found from this Accepted Answer in Splunk Answers.
https://answers.splunk.com/answers/243063/when-you-feed-multiple-field-names-to-the-top-comm.html
01-17-2020
04:35 PM
Error output is "Error in 'eval' command: The expression is malformed."
This result is not where I described it.
Doesn't "coalesce" evaluate the value of a field?
Yes, coalesce can alias another field name.
| eval EIN = coalesce(ein, EIN)
As a result, both ein and EIN are the same field, EIN.
The arguments are evaluated in order.
If the event has ein, the value of ein is used; otherwise the value of the next argument, EIN, is used.