Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About tjago11
tjago11
Communicator
Member since:
06-01-2017
07-21-2021
Community Statistics
| Posts | 54 |
| Solutions | 6 |
| Karma Given | 0 |
| Karma Received | 11 |
| Member Since | 06-01-2017 |
Activity Feed
- Got Karma for Re: How to get the top 10 max values for each field value?. 03-02-2022 03:00 AM
- Got Karma for Constant re-authentication after SSO migration. 06-05-2020 12:50 AM
- Got Karma for Constant re-authentication after SSO migration. 06-05-2020 12:50 AM
- Got Karma for Constant re-authentication after SSO migration. 06-05-2020 12:50 AM
- Got Karma for Re: Constant re-authentication after SSO migration. 06-05-2020 12:50 AM
- Got Karma for Re: Constant re-authentication after SSO migration. 06-05-2020 12:50 AM
- Got Karma for Balancing Summary data across indexers. 06-05-2020 12:49 AM
- Got Karma for Balancing Summary data across indexers. 06-05-2020 12:49 AM
- Got Karma for Balancing Summary data across indexers. 06-05-2020 12:49 AM
- Got Karma for Balancing Summary data across indexers. 06-05-2020 12:49 AM
- Got Karma for Balancing Summary data across indexers. 06-05-2020 12:49 AM
- Posted Re: Splunk Stream Case Insensitive Extraction on Splunk Search. 01-23-2020 06:31 AM
- Posted Re: Finding the Duration between two timestamps on Splunk Search. 10-10-2019 09:28 AM
- Posted Re: Constant re-authentication after SSO migration on Security. 10-10-2019 09:18 AM
- Posted Re: Keep track of max count. on Splunk Search. 10-01-2019 07:59 AM
- Posted Re: Constant re-authentication after SSO migration on Security. 09-27-2019 06:16 AM
- Posted Re: Splunk Stream Case Insensitive Extraction on Splunk Search. 09-12-2019 10:10 AM
- Posted Splunk Stream Case Insensitive Extraction on Splunk Search. 09-12-2019 07:33 AM
- Tagged Splunk Stream Case Insensitive Extraction on Splunk Search. 09-12-2019 07:33 AM
- Posted Re: How to view raw events in Stream?? on Getting Data In. 09-12-2019 07:23 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 3 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
09-11-2019
12:59 PM
So, if you are trying to find the sum of values for the given years you'll need to get pretty creative. The way I read your question means you want results for each of the years selected, so if they pick 2018 and 2019 then you'll have two results.
Here is something that runs against the main index, the top section you would have to fix for using your Multi-Select. Should work:
| makeresults
| eval firstDay= "09/09/2019"
| eval secondDay= "09/10/2019"
| eval thirdDay="09/11/2019"
| eval daysCombined = firstDay.",".secondDay.",".thirdDay
| makemv daysCombined delim=","
| fields daysCombined
| eval groupBy="foo"
| append
[| tstats count where index=main earliest=-3d@d by _time span=1d
| eval formattedTime = strftime(_time, "%m/%d/%Y")
| eval groupBy="foo"
| eval {formattedTime}Count = count
| stats first(*Count) as *Count by groupBy
]
| stats list(*) as * by groupBy
| mvexpand daysCombined
| foreach *Count [eval <<MATCHSTR>>Included = if(strptime("<<MATCHSTR>>", "%m/%d/%Y") >= strptime(daysCombined, "%m/%d/%Y"), '<<FIELD>>', 0)]
| stats sum(*Included) as *
Enjoy!!
... View more
09-12-2019
07:23 AM
That's the problem, I don't have sample data. 😉
My data is getting fed from a Gigamon tap at the LTM level. I don't have visibility into the raw tap data and I don't want to log it because it has authentication tokens and other scary stuff.
Working with the OTB HTTP Stream Protocol:
https://docs.splunk.com/Documentation/StreamApp/7.1.3/DeployStreamApp/FileTransfer#HTTP
The field that I want to build an extraction for is src_headers:
src_headers All HTTP headers sent from client to server http.cs-headers
I was able to extract a known header element that is added by an application team using this:
x-parentspantoken[\s:=]+(.{36})
The one I'm struggling with is the x-forwarded-for that is added by our F5 devices. I have this regex:
x-forwarded-for([:\s]+[\d.:\s,]+)
Which is just a guess because I can't see the actual raw header to know if that is right. Possibly a casing issue?? Tried adding (?i) to the front and it gave me an error:
Invalid regex Expression
Poop.
... View more
06-21-2019
06:28 AM
Just confirmed that if I limit the results by the user, the search data does not come back. Did a search with a guid and then went to the internal indexes to see all the places it showed up. When I add in the user restriction it finds nothing, which is good.
index=_* "ec840050-a53f-4b0e-af5a-5f0678bfbcb5" user!=123456
Pretty sure this will work, thanks for the help.
... View more
11-08-2019
09:11 AM
Dude, I've been ignoring this issue for years. You chased it down. Here- take my karma!!
... View more
11-21-2018
11:51 AM
Okay, so ended up having to change how the grouping worked and used a bit of trickery to preserve the granularity I wanted. In essence I pulled stuff out of the "by" clause and put them into "values" columns. The part that gave me grief was being able to get back to the granular counts.
So I took this query:
index=logging sourcetype=mylogs
| sistats count by application, eventcode, eventtext, host
Then moved a couple of the "by" grouping to be a "values" like this:
index=logging sourcetype=mylogs
| sistats count, values(host) as host, values(eventcode) as eventcode by application, eventtext
This caused a problem though because now I can't get the count by host easily. I did notice that the SI contained a private field called prsvd_vm_host that has field values like this:
server1 ; 2 ; server2 ; 4 ; server3 ; 6 ;
I'm pretty sure I could use that field to get back to the original counts by host, but what I need is a combination of the host AND the eventcode. The SI fields work individually but not in tandem. Ended up modifying the query to look like this:
index=logging sourcetype=mylogs
| eval errorLocation_{host}_{eventcode} = 1
| sistats sum(errorLocation_*) as *, values(host) as host, values(eventcode) as eventcode by application, eventtext
By doing this I'm able to get back to the host+eventcode counts, so far working well. The number of events has decreased dramatically and on querying back the data the performance seems good. Looks like having fewer events that are wider performs better than more events that are narrow. Thanks.
... View more
11-09-2018
09:10 AM
I think your suggestion to split up the data by application and run separate jobs and separate sources is a good option. Thanks.
... View more
08-10-2018
11:01 AM
Base Search:
index=ftgv2 sourcetype=FTGTVon* OR sourcetype=FTGTVoff*
| transaction terminalAddress startswith=(eventName=FTGTVOff) endswith=(eventName=FTGTVOn)
I am getting 2 events, one for TVOn and one for TVOff. They record the specific event and time by an identification number (terminalAddress). x axis would be time and y would be 1 for ON and 0 for OFF.
Does that make sense?
... View more
12-13-2018
04:14 PM
How to add _time to the final output?
... View more
07-16-2018
10:34 AM
One thing that I found out the hard way. In my sample I was using the makeresults command to simulate data and test the changes to limits.conf. Rolled the change to production and it is failing...because the rex command is running against the event data on the Indexer, not on the Search Head. :angry:
I'd recommend adding the limits.conf change to both sides to keep them in synch because depending on the query the rex might run on the SH or the Indexer. Thanks.
... View more
05-02-2018
06:47 PM
Can find the full list here.
http://docs.splunk.com/Documentation/SplunkCloud/7.0.0/SearchReference/Commandsbytype#Streaming_commands
... View more
03-13-2018
05:42 AM
What I find interesting about this is, that Splunk docs say: <change> and <condition> are "Not available for multiselect inputs" 😉
... View more
02-22-2018
11:51 AM
Found the top tools container, it toggles a class called "affix-top" when scrolling vertically:
Normal: <div class="statistics-controls-inner">
Scrolled: <div class="statistics-controls-inner affix-top">
Also found the column header, looks like a copy of the header is toggled when scrolling because the visibility goes from hidden to block:
Normal: <div class="header-table-docked" style="right: 0px; left: 0px; display: none; top: -1000px;">
Scrolled: <div class="header-table-docked" style="right: 0px; left: 0px; display: block; top: 36px;">
But no idea how to get these added to my dashboard. 😞
... View more
03-01-2018
10:01 AM
Been working with our Customer Success Manager and opened a case in Splunk. As of right now there is not a good solution for ensuring the Summary Index data is well balanced. @sjohnson has a good solution if the size of the data files are very large and/or the index cluster is small. Unfortunately with data files that are under 1MB and an index cluster with 18 indexers this won't work for us.
Couple things I'm doing to mitigate the poor balancing:
Run Summary Jobs that rollup to a daily value ever 4hrs (by running more often it is more likely that data isn't all on one indexer)
Run backfill scripts multiple times to get the data in chunks (same as above)
Run Indexer Rebalancing as part of quarterly maintenance
Ultimately there is not a clean way to ensure Summary Index data is ingested to an index cluster in a balanced fashion. But by running things more often and doing maintenance the impact can be mitigated. Thanks.
... View more
06-20-2017
05:16 PM
What do you mean "for the whole server"; you do not have a field called server or anything remotely like it (e.g. host ).
... View more
06-01-2017
09:05 AM
I think your admin should work but you might like to check to see if your admin is added to the admin role
... View more
