Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About mbond81
mbond81
Engager
Member since:
04-10-2015
06-05-2020
Community Statistics
| Posts | 11 |
| Solutions | 0 |
| Karma Given | 1 |
| Karma Received | 0 |
| Member Since | 04-10-2015 |
Activity Feed
- Karma Re: filter stats on two different "where" clauses for niketn. 06-05-2020 12:48 AM
- Posted Re: filter stats on two different "where" clauses on Splunk Search. 06-17-2017 08:58 AM
- Posted Re: filter stats on two different "where" clauses on Splunk Search. 06-17-2017 08:56 AM
- Posted Re: filter stats on two different "where" clauses on Splunk Search. 06-17-2017 08:51 AM
- Posted Re: filter stats on two different "where" clauses on Splunk Search. 06-17-2017 05:04 AM
- Posted filter stats on two different "where" clauses on Splunk Search. 06-16-2017 04:47 PM
- Tagged filter stats on two different "where" clauses on Splunk Search. 06-16-2017 04:47 PM
- Tagged filter stats on two different "where" clauses on Splunk Search. 06-16-2017 04:47 PM
- Tagged filter stats on two different "where" clauses on Splunk Search. 06-16-2017 04:47 PM
- Tagged filter stats on two different "where" clauses on Splunk Search. 06-16-2017 04:47 PM
- Tagged filter stats on two different "where" clauses on Splunk Search. 06-16-2017 04:47 PM
- Posted Can you remove a unit of measurement from a field value? on Splunk Search. 05-01-2016 12:09 AM
- Tagged Can you remove a unit of measurement from a field value? on Splunk Search. 05-01-2016 12:09 AM
- Tagged Can you remove a unit of measurement from a field value? on Splunk Search. 05-01-2016 12:09 AM
- Tagged Can you remove a unit of measurement from a field value? on Splunk Search. 05-01-2016 12:09 AM
- Posted Re: How to edit my search to find the difference of a field from a previous poll, find the per second value, and display it on a timechart over 1 hour? on Splunk Search. 01-10-2016 01:54 PM
- Posted How to edit my search to find the difference of a field from a previous poll, find the per second value, and display it on a timechart over 1 hour? on Splunk Search. 01-10-2016 01:42 PM
- Tagged How to edit my search to find the difference of a field from a previous poll, find the per second value, and display it on a timechart over 1 hour? on Splunk Search. 01-10-2016 01:42 PM
- Tagged How to edit my search to find the difference of a field from a previous poll, find the per second value, and display it on a timechart over 1 hour? on Splunk Search. 01-10-2016 01:42 PM
- Tagged How to edit my search to find the difference of a field from a previous poll, find the per second value, and display it on a timechart over 1 hour? on Splunk Search. 01-10-2016 01:42 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
06-17-2017
08:56 AM
I think that works! I ran it against 2 cases, 1 that should've returned my >3 gateways and one that should not have and it worked as expected 🙂 Thank you so much!!
... View more
06-17-2017
08:51 AM
The gateways are named, not numbered - so I need to dc(count) them by core node first in order to get a count I can filter on.
... View more
06-17-2017
05:04 AM
Well, I used join because I get staggered table results when I use append search. If I use neither, and simply combine my stats clauses [|stats count as retries, dc(gateway) as gateways by CN | where gateways>3 AND retries>100], the search only picks up the retries limit and not the gateway count.
index=x, host=y sourcetype=z for both searches, no different.
As for sample data, here are the results when I try to run this...
Not what I want (triggered for number of retries, but not for number of gateways)
gateway gateways corenode retries
hys 4 DEN 1878
This is what I want: more than 3 gateways crossed the 100 retries limit.
gateway gateways corenode retries
den 4 SLC 108
rks 4 SLC 303
rno 4 SLC 1335
sgu 4 SLC 6180
... View more
06-16-2017
04:47 PM
Bonus points to the folks who can help me.
I'm trying to first filter (stats count) results above a threshold of 100 -AND- of those results, I need there to be more than 3 in order to be considered a problem. So far my search is showing me 1 result, when I want it to show me "no results" if there aren't more than 3.
There are 4 or more "gateways" per "core node". I want to know which "core node" has 4 or more of it's "gateways" over the "retries" message threshold.
index= host= sourcetype=
|stats count as retries by gateway corenode
| join [search index= host= sourcetype=
| stats dc(gateway) as gateways by corenode]
| where gateways>3 AND retries>100
| table gateway gateways corenode retries
... View more
05-01-2016
12:09 AM
I'm trying to calculate man hours, but my field format is "12 Mins" not simply "12". How can I either calculate this numeric value with the unit attached, or remove the unit "Mins" and calculate the total that way?
... View more
01-10-2016
01:54 PM
I may have gotten this to work using...
|sort + _time| delta ErrCount as difference | timechart span=5m per_second(difference) by xyz useother=f usenull=f
I'll follow up later if this has answered my own question.
... View more
01-10-2016
01:42 PM
I've scoured the Docs and Answers and haven't had any luck modifying their solutions to fit mine including streamstats and range. So here goes...
I'm using Splunk ver 6.2.0.
There is a script that runs every 5 min and returns several "fields". One such field increments errors, which I want to plot the DELTA of the previous poll as "errors per second" over the span of 1hr or more.
So I need it to take the difference of the previous poll, derive the per second value, then display it plotted over 1hr. Eventually, I would like to alert on those whose Delta crosses a threshold.
I've changed the search a million times, but this search string plotted both Errors AND the Difference. The difference value is so low that the Errors overpower it. I'm only interested in plotting the Difference, not the Errors, per se.
source=mysource location=place1 car_Id=72 md_Id=61 | search "ErrCount" | timechart span=5m median(ErrCount) as Errors | delta Errors as difference
... View more
11-07-2015
05:12 AM
I'm trying to do a similar thing comparing current day values to yesterdays, as an overlay for visualization. Here's what I found (but you can modify the earliest/latest times and the "new time" to reflect whatever timeframe you wish. (found here http://blogs.splunk.com/2012/02/19/compare-two-time-ranges-in-one-report/)
index=whatever sourcetype=whatever "Packetspersecond" sceInfoId=17 OR sceInfoId=18 earliest=-0d@d latest=now | eval ShaperData="today" | append [search index=nethlth sourcetype="nethlth_SceProcessorData" Packetspersecond sceInfoId=17 OR sceInfoId=18 earliest=-1d@d latest=-0d@d | eval ShaperData="yesterday" | eval new_time=_time+86400] | eval _time=if(isnotnull(new_time),new_time,_time) | timechart median(packetsPerSecond) span=15m by ShaperData
... View more
10-16-2015
07:36 AM
I hate it when simple things get the best of me. (Happens more than I like to admit)
Thanks for the help, fellas! The fix: I was missing the pipe in front of the 'where'. It works as | stats count as logins by | where logins > 250
So easy a caveman could do it. . . lucky for me!
... View more
10-15-2015
08:08 PM
Sorry for the newb question, but I'm trying to alert based on "results" greater than a threshold of say 350 for a particular field. The field is not a numerical value field, so I can't simply use the > sign in the search string. When I tell it <search string> | chart count by <field> WHERE <field> > 350 , it doesn't work and still returns results with higher and lower counts as if my instructions weren't even there.
Here's my search, if needed: index=blah sourcetype=blah "logged in" | stats count by location
returns:
location count
abq 434
ama 376
anc 260
boi 393
I only want to see results of locations with a "logged in" count greater than 350.
... View more
