cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
waleeper
Explorer
Member since: ‎01-30-2020
‎11-29-2021
Community Statistics
Posts 4
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎01-30-2020
Activity Feed
View All

Re: Can streamstats reset_before (or reset_after) ...

by in Splunk Search
‎11-29-2021 10:16 AM
‎11-29-2021 10:16 AM
This was the right answer.  This will work for most data sets.  You just need to sort by your aggregates first, then _time.  Be sure to put the 0 in the sort so you don't hit the sort limit. Did this with a massive query and it solved my reset issue. ... View more

Re: How do I transpose a trellis label into a code...

by in Dashboards & Visualizations
‎02-14-2020 07:30 AM
‎02-14-2020 07:30 AM
The problem is that if I parse it out with a Rex AFTER I pull in the 2.5M records it takes 10s, if I can use a tag it take 1.5s. I can certainly parse it, this is fundamentally a performance issue of not being able to put what I pass from the drilldown into the initial search criteria. I could put a tag friendly label on the dashboard, but management is going to complain about it saying NewYork-NY or Rochester-MN instead of 'New York, NY'. ... View more

How do I transpose a trellis label into a code for...

by in Dashboards & Visualizations
‎02-13-2020 02:46 PM
‎02-13-2020 02:46 PM
I have a trellis view where I break down my charts into Cities. The labels are something like 'Charlotte, NC'. I can make a drilldown to my details page using the form.city=$trellis.value$. The problem is now I want to improve the performance on my target page. It currently is pulling data for all 100 of my cities then filtering by the city name using a lookup table to convert 'Chartlotte, NC' to 'clt' which I can then apply to a hostname filter. index=data sourcetype=searchdata "string" | eval fields=split(host, "."), market=mvindex(fields, 1) | lookup sitemapping sitecode as market OUTPUT region, sitecity, sitecode | search sitecity="Charlotte, NC" | ... What I would like to do is use tag::host="clt" so that I can filter the records in the initial search. One option is to extract the code somehow from the Trellis, the other is to convert from the label to the code in my query before I do the search part. I tried putting an inputlookup before the search, but that ends up filtering out all the data due to the results of the inputlookup. | inputlookup market-mapping | search sitecity="Charlotte, NC" | fields sitecode | search index=data sourcetype=searchdata "string" tag::host=sitecode The inputlookup by itself returns 'clt' in the example. Running the search by itself returns my data Thanks ... View more

Re: Set multiple tokens using "condition match"

by in Dashboards & Visualizations
‎01-30-2020 09:50 AM
‎01-30-2020 09:50 AM
According to the form documentation you can only have one change block. https://docs.splunk.com/Documentation/Splunk/8.0.1/Viz/PanelreferenceforSimplifiedXML#change_.28form_input.29 ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎11-29-2021 01:59 PM
Karma given to
View All