Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About VI371887
VI371887
Path Finder
Member since:
05-25-2017
06-05-2020
Community Statistics
| Posts | 28 |
| Solutions | 0 |
| Karma Given | 20 |
| Karma Received | 0 |
| Member Since | 05-25-2017 |
Activity Feed
- Karma Re: Can you help me make a trellis single value chart in a single row? for niketn. 06-05-2020 12:50 AM
- Karma Re: Is there an alternative to the Appendcol command? for knielsen. 06-05-2020 12:50 AM
- Karma Re: Is there an alternative to the Appendcol command? for harishalipaka. 06-05-2020 12:50 AM
- Karma Re: lookup two csv pattern match query for anjambha. 06-05-2020 12:49 AM
- Karma Re: Server non availabiity in splunk for niketn. 06-05-2020 12:49 AM
- Karma Re: Server non availabiity in splunk for niketn. 06-05-2020 12:49 AM
- Karma Re: Server non availabiity in splunk for renjith_nair. 06-05-2020 12:49 AM
- Karma Re: How to drilldown an event to see data 15 minutes before and after the events time? for niketn. 06-05-2020 12:49 AM
- Karma Re: How to drilldown an event to see data 15 minutes before and after the events time? for niketn. 06-05-2020 12:49 AM
- Karma Re: Using trellis with simple XML extension for niketn. 06-05-2020 12:49 AM
- Karma Re: Shell script execution after a search and outputcsv for anjambha. 06-05-2020 12:49 AM
- Karma Re: How to extract fields from events where the field location isn't constant and keeps changing? for anjambha. 06-05-2020 12:49 AM
- Karma Re: how to extract only one filed from events out of possible duplicates for richgalloway. 06-05-2020 12:49 AM
- Karma Re: Column width for niketn. 06-05-2020 12:49 AM
- Karma How to add custom message in place of "Search is waiting for input" for a dashboard panel? for pradeepkumarg. 06-05-2020 12:47 AM
- Karma Re: Do this in Simple XML? for helenashton. 06-05-2020 12:47 AM
- Karma Re: Do this in Simple XML? for kmattern. 06-05-2020 12:47 AM
- Karma Re: What is tstats and why is so much faster than stats? for skawasaki_splun. 06-05-2020 12:47 AM
- Karma Re: Change the INDEX for the data received from Splunk Forwarder for Simeon. 06-05-2020 12:45 AM
- Karma Re: How to compare a list of hosts from a week to another for Kellhart. 06-05-2020 12:45 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
01-10-2019
10:54 PM
open in search fails due to long search size, is there a way to allow open in search option to carry-forward longer query ?
... View more
01-04-2019
03:56 AM
Below is my data in tabular format I want
FUNCTION | HK | SG
AGE |107.773 | 120.644
Burg |49.206 | 37.6
COM | 12 | 61.778
RIO |56.803 |
STO | | 10.115
I wan the function field to be sorted to look like below.. as they come from different applications
FUNCTION | HK | SG
AGE |107.773 | 120.644
RIO |56.803 |
COM | 12 | 61.778
STO | | 10.115
Burg |49.206 | 37.6
I want to be able to show AGE, RIO and other filed under App A first then COM from Application B and then STO & Burg with the goal to have all of these Functions in same table.
is sit possible in splunk ?
... View more
12-21-2018
05:21 AM
Does stats support function inside function like shown below ?
Where first i want to take percentile90 of PERCENT90 field value and then sum it up by function as shown below in query
search........... | eval PERCENT90=round(PERCENT90,2) | eval DAY=strftime(_time, "%d-%m-%Y:%H:%M:%S") | stats DC(DAY) as DayCount **sum(Perc90(PERCENT90))** by FUNCTION
I am trying to get the below result
search........ | rex field=source "APP_(?.*)" | eval PERCENT90=round(PERCENT90,2) | eval DAY=strftime(_time, "%d-%m-%Y:%H:%M:%S") | stats **Perc90**(PERCENT90) as **record** | stats DC(DAY) as DayCount **sum(record)** as SUMA by FUNCTION
so I want to pass the percentile90 calculation done from first stats to next stats sum()
... View more
12-20-2018
10:08 PM
Yes, it looks like below with above query
FUNCTION | HK | SG
AGE |107.773 | 120.644
CLT |49.206 | 37.6
COM | 12 | 61.778
RIO |56.803 |
CONSULT | | 10.115
but if i am using time picker for 7 days i will be getting sum of AGE function 7 times
FUNCTION | HK | SG
AGE |754.411 | 844.508
I want to get the average instead of 107.773 x 7 & 120.644 x7 for all functions.
so if i use
index=int_app source="City_APP*" FUNCTION=* ACTION=* | chart avg(PERCENT90) over FUNCTION by source
I get the desired result for function which have only one sub-value but if there's a function with more sub value it even averages the values under it for example :
function like COM has sub values which needs to be sum up..
so COM has sub values :
COM1 : 2
COM2 : 4
COM3 : 6
so i need "COM" function's value as 12 so if i am using avg(PERCENT90) i get is 12/3
So requirement is sub-values under functions should be summed up only and not average and once they are summed up under Function for a particular day. Once achieved sum of sub-values under a function for the day i want to do a average of function's value by cities.
Function HK SG
... View more
12-20-2018
09:45 PM
Yes I could use avg(PERCENT90) but
each Function field holds 2 to 3
values of ACTION their own which needs
to be grouped under each function.
The problem is that i want to sum action values that are their in some of the functions for example below is the output requested..
FUNCTION | HK | SG
AGE |107.773 | 120.644
CLT |49.206 | 37.6
COM | 12 | 61.778
RIO |56.803 |
CONSULT | | 10.115
Now some of the function like COM has sub values which needs to be sum up..
so COM has sub values :
COM1 : 2
COM2 : 4
COM3 : 6
so i need "COM" function's value as 12 so if i am using avg(PERCENT90) i get is 12/3
if I am using the belowquery
index=int_app source="City_APP*" FUNCTION=* ACTION=* | chart avg(PERCENT90) over FUNCTION by source
... View more
12-18-2018
10:52 PM
Hi All.
I need help regarding one my query, shown below
index=int_app source="City_APP*" FUNCTION=* ACTION=* | chart sum(PERCENT90) over FUNCTION by source
Now if i run this query over the 7 days period, ideally i should get day 1 SUM to day 7th SUM averaged by 7
for example
DAY 1 Day 2 Day 3 Day 5 Day 5 Day 6 Day 7
1 2 3 4 5 6 7
is should 28/7 which is 4 similarly if we add day 8 data as 8
result should be 36/8 which is 4.5
but what I am getting is for 7 days 28 and fro 8 day as 36 😞
Can anyone help me understand what i am missing..
Yes I could use avg(PERCENT90) but each Function field holds 2 to 3 values of ACTION their own which needs to be grouped under each function.
The problem is that i want to sum action values that are their in some of the functions for example below is the output requested..
FUNCTION | HK | SG
AGE |107.773 | 120.644
CLT |49.206 | 37.6
COM | 12 | 61.778
RIO |56.803 |
CONSULT | | 10.115
Now some of the function like COM has sub values which needs to be sum up..
so COM has sub values :
COM1 : 2
COM2 : 4
COM3 : 6
so i need "COM" function's value as 12 so if i am using avg(PERCENT90) i get is 12/3
if I am using the belowquery
index=int_app source="City_APP*" FUNCTION=* ACTION=* | chart avg(PERCENT90) over FUNCTION by source
... View more
11-28-2018
10:40 PM
Thanks!! this makes it more minimal and easy to migrate.
... View more
11-26-2018
12:56 AM
Thanks!! It worked but can you help me understand what it is doing ?
... View more
11-25-2018
11:56 PM
Need help!!!
I am intending to make a table with the country wise sum(percent90). If i do the below, it will just sum percent90 per FUNCTION
index=int source="*" FUNCTION=* | stats sum(PERCENT90) by FUNCTION
So I tried using append which...
index=int source="HK" FUNCTION=* | stats sum(PERCENT90) as HK by FUNCTION |
append [search index=int source="SG" FUNCTION=* | stats sum(PERCENT90) as SG by FUNCTION]
...would give the below output
FUNCTION | HK | SG
AGE |107.773 |
CLT |49.206 |
COM | 7.497 |
RIO |56.803 |
AGE | | 120.644
CLT | | 37.6
COM | | 61.778
CONSULT | | 10.115
What I am looking for is as shown below, no repetition of Function name below.
FUNCTION | HK | SG
AGE |107.773 | 120.644
CLT |49.206 | 37.6
COM | 7.497 | 61.778
RIO |56.803 | 0
CONSULT | 0 | 10.115
So i tried the appendcol command, but it messes up the data, like in the above example, if Function Consult and RIO don't have a value for any country, it would show "0 " instead Appendcol with below query does..
index=int source="HK" FUNCTION=* | stats sum(PERCENT90) as HK by FUNCTION |
appendcols [search index=int source="SG" FUNCTION=* | stats sum(PERCENT90) as SG by FUNCTION]
FUNCTION | HK | SG
AGE |107.773 | 120.644
CLT |49.206 | 37.6
COM | 7.497 | 61.778
RIO |56.803 | 10.115
CONSULT | |
It fills the details from Consult in RIO for SG which is wrong.
What can be done here?
... View more
11-14-2018
05:06 AM
Can anyone help with how to access style properties of Splunk inputs like
1. link list
2. Radio Button
3. Dropdown
4. Multiselect
5. CheckBox
like for example if i want modify the width of a panel i give table an Id and then
<style>
master{ width: 06% !important; }
</style>
</html>
... View more
- Tags:
- splunk-enterprise
10-23-2018
01:05 AM
i found the solution provided from @niketnilay
Possible solution
https://answers.splunk.com/answers/562662/using-trellis-with-simple-xml-extension.html
... View more
10-22-2018
11:57 PM
Hi,
I am trying to split my data with the help of a trellis count per category. Right now, i have 15 sub-categories under category, which i want to be displayed in the same row. But, Splunk only allows 10 per row. is there a way to modify it?
Also the height of the trellis to be single row.
... View more
09-12-2018
05:43 AM
I have a dashboard where panels hide/show according to the linked list choices you are making,
Now, i want the choices to have a specific color change and font color. So, when i am trying to use a certain background color, all of the linked list would that background color.
<panel>
<html>
<style>
#link {
color: black !important;
font-weight: bold !important;
background: #e3e7ea !important;
}
</style> </html> </panel>
... View more
08-16-2018
03:06 AM
I ended up using..
| inputlookup hostlist.csv | eval ActiveServer=case(isnull(host),"NO") |
join type=left host [search index="YourIndex" source="YourSource" |
stats count by host ] | fillnull value=0 | search count=0 | table host Role
Where hostlist.csv is lookup with host and its role..
... View more
08-15-2018
10:42 PM
Can we drilldown an event to see data 15 minutes before that events time and 15 minutes after
For example, the event is:
[8/16/18 6:49:41:163 EST] Website crashed Error : 404
[8/16/18 6:58:41:163 EST] Website crashed Error : 404
[8/16/18 7:25:41:163 EST] Website crashed Error : 404
[8/16/18 8:15:41:163 EST] Website crashed Error : 404
So I have a drop-down to select error code and see it's events, above user has selected error 404 for a time which lists all 404 events in last 30 minutes.
If the user selects the first event with [8/16/18 6:49:41:163 EST] they should be able to see 15 minutes before and after.
... View more
07-12-2018
05:18 AM
I tried looking for them, but that would require access to the _internal index, do we have any other way possible ?
... View more
07-06-2018
03:09 AM
Hi All,
I am trying to group different errors that i have extracted to run transform commands, like stats, chart, etc.
i have extracted errors like xyzerror, abcerror, deferror, jklerror.
Now I want to be able to group them under ErrorStrings field and to be able to run something like ...
Query : index=xyz | stats count by ErrorString
So i can get count of each error string or other possible options..
I have tried them with saving whole query in eventtype =ErrorString but it doesn't help, also lookup doesn't seems to help bcuz lack of key value structure of it..
... View more
- Tags:
- splunk-enterprise
07-04-2018
11:33 PM
So what would i have to do if i want to list down the role this servers belongs to.. as tag under which i have gave them role isn't working, I tried
| tstats count as "Yesterday" where index="xyz_w" source="/System.log" earliest=-1d@d latest=-0d@d-1s by host
| appendcols [| tstats count as "Today" where index="xyz_w"" source="/System.log" earliest=-0d@d latest=now by host]
| fillnull value=0
| search Today=0 | table tag host | rename tag as role host as Hosts
also tried appending tag=*
| tstats count as "Yesterday" where index="xyz_w" source="/System.log" earliest=-1d@d latest=-0d@d-1s by host
| appendcols [| tstats count as "Today" where index="xyz_w"" source="/System.log" earliest=-0d@d latest=now by host]
| fillnull value=0
| search Today=0 | append [search tag=*]| table tag host | rename tag as role host as Hosts
... View more
07-04-2018
02:29 AM
Hi All,
I need help with host availability ?
I need a table to list the servers that are not sending data in select time range.. is it possible in splunk ?
this is what i have tried..
index=xyz_w source=/System.log earliest=-1d@d latest=now
| stats values(host) as today
| appendcols
[ search index=XYZ source=/System.log earliest=@w-24h latest=@d
| stats values(host) as yesterday]
| eval different=today-yesterday
| table host
... View more
- Tags:
- splunk-enterprise
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
Karma given to
