Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About wmyersas
wmyersas
Builder
Member since:
06-29-2017
05-09-2023
Community Statistics
| Posts | 170 |
| Solutions | 13 |
| Karma Given | 318 |
| Karma Received | 24 |
| Member Since | 06-29-2017 |
Activity Feed
- Got Karma for Re: How to replace the special characters with Space in text field in Dashboard. 03-17-2022 06:52 AM
- Got Karma for Re: subsearch join. 07-15-2021 10:57 PM
- Posted Re: Does Splunk distribute individual member searches of a multisearch to available Slots on any/all available Search He on Splunk Search. 12-02-2020 10:35 AM
- Posted Does Splunk distribute individual member searches of a multisearch to available Slots on any/all available Search Heads? on Splunk Search. 12-01-2020 07:05 AM
- Tagged Does Splunk distribute individual member searches of a multisearch to available Slots on any/all available Search Heads? on Splunk Search. 12-01-2020 07:05 AM
- Tagged Does Splunk distribute individual member searches of a multisearch to available Slots on any/all available Search Heads? on Splunk Search. 12-01-2020 07:05 AM
- Tagged Does Splunk distribute individual member searches of a multisearch to available Slots on any/all available Search Heads? on Splunk Search. 12-01-2020 07:05 AM
- Tagged Does Splunk distribute individual member searches of a multisearch to available Slots on any/all available Search Heads? on Splunk Search. 12-01-2020 07:05 AM
- Tagged Does Splunk distribute individual member searches of a multisearch to available Slots on any/all available Search Heads? on Splunk Search. 12-01-2020 07:05 AM
- Got Karma for Re: multisearch vs append. 11-18-2020 04:23 AM
- Karma Re: Log Parsing is not happening for PaloAlto logs for jbrocks. 06-05-2020 12:51 AM
- Karma Why does the master node, peer nodes, and search head have to be on its own instance? for josegonzalezm. 06-05-2020 12:51 AM
- Karma Re: Why does the master node, peer nodes, and search head have to be on its own instance? for gfreitas. 06-05-2020 12:51 AM
- Karma Re: Why does the master node, peer nodes, and search head have to be on its own instance? for gcusello. 06-05-2020 12:51 AM
- Karma Re: How often should I upgrade Splunk Enterprise? for jmulcaster_splu. 06-05-2020 12:51 AM
- Karma Re: Splunk search basic queries for jpolvino. 06-05-2020 12:51 AM
- Karma Re: How to rename dynamic column name? for gcusello. 06-05-2020 12:51 AM
- Karma Re: need to add 45 days in a field for 493669. 06-05-2020 12:51 AM
- Karma Does Splunk support .GIF files in their dashboard system? for rfahrenbach. 06-05-2020 12:51 AM
- Karma Re: Month to date for previous month with current month date for prakashmca05. 06-05-2020 12:51 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
12-02-2020
10:35 AM
User halr9000 on /r/Splunk cited "Dr Z" (Steve Zhang) as saying these are all run on the initiating Search Head
... View more
12-01-2020
07:05 AM
Like the title says - how are individual searches in a multisearch handled? Are they distributed across any/all available search slots on any/all available Search Heads? Or do they only run on the Search Head that initiates the search? Say you have several Search Heads in a Search Head Cluster. And you have a multisearch like the following: | multisearch
[| search index=ndxA sourcetype=srctpA fieldA=*
| fields fieldA ]
[| search index=ndxB sourcetype=srctpB fieldA=* fieldB=*
| fields fieldA fieldB ]
[| search index=ndxC sourcetype=srctpC fieldB=*
| fields fieldB ]
[| inputlookup MyFancyLookup where myLField1=G*
| fields myLField1 fieldA fieldB ]
| fillnull value="-" fieldA fieldB myLField1
| stats count by fieldA fieldB myLField1 Will each of the | search or | inputlookup lines run, potentially, on a different Search Head? Or will they all be run from the initiating Search Head?
... View more
Labels
- Labels:
-
search job inspector
06-04-2020
09:59 AM
you're right! put the @ in the wrong spot 🙂
... View more
06-04-2020
06:22 AM
@richgalloway is right - without real sample data, we're not going to be able to help you as well as we could otherwise
We need you to supply sample data
That said, here's a possible guess as to what you're trying to do:
index=ndx sourcetype=srctp logger="blahblah-main.Start" OR logger="blahblah.Exception"
| stats values(message.MessageId) as MessageId values(message.BusinessId) as BusinessId by logger
... View more
06-03-2020
12:39 PM
Use the Universal Forwarder, and ingest the Apache/Nginx logs
... View more
06-03-2020
12:38 PM
I'd wager the answer will be "no" - unless you paid for them, they belonged to your employer
... View more
06-01-2020
08:17 AM
1 Karma
Per https://docs.splunk.com/Documentation/Splunk/8.0.4/SearchReference/SearchTimeModifiers, try something like this:
index=ndx sourcetype=srctp earliest=-1mon@mon latest=-30d@d
... View more
04-02-2020
05:59 AM
Can you give some sample data you're trying to correlate?
How do you know LogA and LogB are reporting on "the same" thing?
... View more
04-01-2020
07:10 AM
Use match :
| makeresults
| eval fname="0000blahblah.blah"
| eval filter="0000"
| eval match=if(match(fname,filter),1,0)
| table fname filter match
... View more
03-31-2020
06:19 AM
1 Karma
try | where like(abc,'filter') instead of | search abc='filter'
(I updated my answer, too)
... View more
03-31-2020
06:11 AM
That won't work because you have a colon in the time formatting
And %H gives you the hour with leading 0 in 24hr format (eg 01 vs 13)
but this does:
| eval when=tonumber(ltrim(strftime(now(),"%H%M"),"0"))
( tonumber() may not be required)
... View more
03-30-2020
05:38 AM
"Can the Returned Value From a Case Function be used in a Search"
Sure - so long as it's something in your data: that was why I used the example line of | search abc='filter'
Whatever the case() returns goes in the field name you've given (in my example, it's filter )
You then use single quotes around it when searching, so you get the value of the field, and not the literal text of whatever you've named the field (eg "filter")
... View more
03-26-2020
09:40 AM
Based on you wanting this to Just Work™, take a look at using a case() statement.
Here's a sample with the two ranges done:
| makeresults
| eval h=strftime(_time,"%H"), mr=strftime(_time,"%m")
| eval filter=case((h=16 OR (h=17 AND m<31)),"1",(h=18 OR (h=17 AND m>30)),"2",1=1,"you forgot to fill-in a range")
This breaks down as the following:
if the hour is 16 (4p), or it's 17 (5p) and less than or equal to half-past, return 1
if the hour is 18 (6p), or it's 17 (5p) and after half-past, return 2
the 1=1... segment is the default case: ie, if you missed a range, you'll get the 'error message'
Once you calculate your filter , use it in your sample search thusly:
<search>
| <filter logic using case statement>
| where like(abc,'filter')
<rest of search>
Adjust and extend as desired
edited to change from | search abc='filter' to | where like(abc,'filter')
... View more
03-26-2020
07:42 AM
_time is the timestamp of the event
So unless your sourcetype's events timestamp is in the future, this isn't going to work
What field in the event actually holds the check-in date?
I'd find it very surprising to find out that _time is really the check-in date, and not either when the reservation was made, or when the event goes into Splunk
... View more
03-25-2020
08:42 AM
with a dropdown or set of radio buttons, this would be pretty straightforward
are you wanting the search to "automagic itself", or to have user-selectable options?
... View more
03-23-2020
07:36 AM
What I've done when I want the X th -many/most recent items is the following:
<search>
| eval field_time=_time+"|"+field
| stats values(field_time) as field_time <rest of stats here>
| eval recent_1st=mvindex(field_time,-1), recent_2nd=mvindex(field_time,-2) [, etc etc]
| rex field=recent_1st "(?<when_1st>\d+)\|(?<field_1st>.+)"
| rex field=recent_2nd "(?<when_2nd>\d+)\|(?<field_2nd>.+)"
| ...more rex lines as needed
| table field_1st when_1st field_2nd when_2nd <other fields as desired>
| eval when_1st=strftime(when_1st,"%c"), when_2nd=strftime(when_2nd,"%c) [,etc etc]
Feel free to use different strftime formatting as desired
You have to combine the time into the field so that it sorts the way you want with values()
... View more
03-23-2020
06:09 AM
Please reread my last comment: I didn't "do" anything - running the dbconnect Just Worked™
... View more
03-23-2020
05:34 AM
No, latest does not exist in the subsearch
Remove it thusly: | join client_ip [...]
From the join docs.splunk page:
Field names must match, not just in name but also in case. You cannot join product_id with product_ID. You must first change the case of the field in the subsearch to match the field in the main search.
... View more
03-20-2020
11:50 AM
It's absolutely at least part of your problem
You cannot join on a field that doesn't exist - Splunk looks for matches of all fields in the | join command
If you list one, like latest , that's not in the subsearch, nothing will join
... View more
03-19-2020
01:43 PM
I don't really know what to say here: regardless of how many rows I've imported (and it's been as many a million plus), it's Just Worked™
... View more
03-19-2020
05:57 AM
There's your problem - you have no latest field in your subsearch. You have _time, client_ip, client_name
And I don't know why you're souble-stats'ing in your subsearch, either :
| stats count by _time client_ip client_name
| stats last(client_name) as client_name last(_time) as _time by client_ip
Just do the second stats, but change from last() to latest() , and you should get the same results
... View more
03-17-2020
08:43 AM
Are you hitting the row limitation in the DB COnnect preview screen?
Or when running searches against the data after you import?
I've imported DB tables with upwards of 500,000 entries, no problems (other than it takes a while to complete, of course)
And I've done "nothing special" - just run the query, and let it import
... View more
03-17-2020
08:41 AM
1 Karma
Extend your earliest time by a bit of a "grace period"
We do this with Alerts that run every 30 minutes, but our search includes earliest=-35m , because we know that searches can end up running as much as 250 seconds late vs its scheduled time
... View more
03-17-2020
08:34 AM
You can join on as many fields as you want
But doing it on latest , in your example, is probably not what you really mean - though it may be
What are you actually trying to accomplish?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
05-09-2023
10:18 AM
|
Karma from
Karma given to
