×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
momoXD
Explorer
Member since: ‎07-04-2017
‎06-05-2020
Community Statistics
Posts 4
Solutions 0
Karma Given 3
Karma Received 0
Member Since ‎07-04-2017
Activity Feed
View All

Re: Time Token Parsing to unix epoch

by in Dashboards & Visualizations
‎11-30-2017 12:46 AM
‎11-30-2017 12:46 AM
That is totally clear. So let me rephrase my question why did somesoni2 rename one token to "preset_earliest" which is a synonym for "predefined" and didn't stick with the more meaningful name "present_earliest" where "present" means a point in time. Did he just forget an "n" or is there more to it? ... View more

Re: Time Token Parsing to unix epoch

by in Dashboards & Visualizations
‎11-29-2017 10:55 PM
‎11-29-2017 10:55 PM
there's a typo in line 20 it say "preset_earliest" but I assume you mean "present_earliest". If this is not a typo please give reasons for changing my naming convention. ... View more

Time Token Parsing to unix epoch

by in Dashboards & Visualizations
‎11-29-2017 04:35 AM
‎11-29-2017 04:35 AM
I am building a dashboard where I want to overlay data from user choosen time period with another user choosen time period. For example yesterday's average transaction duration compared to today's average transaction duration. As an orientation I use the Splunk Book( https://www.splunk.com/goto/book) chapter "Charting Week Over Week Results" (pages 85ff.). So I created a dashboard with two time picker named past and present so the four tokens are accessible using statements like "$past.earliest$". However my code only works if the time tokens are set to a relative value like "1d@d" or "now" and don't work if a user uses a concrete point time (which means a unix-epoch time). Here is my current search: index=some_index some_field="someValue" earliest=$past.earliest$ latest=$present.latest$ | eval dur_sec=duration/1000000 | eval marker = if ( (_time > relative_time(now(), "$past.earliest$") and _time < relative_time(now(),"$past.latest$")), "past", "today") | eval _time = if (marker=="past", _time + relative_time(now(),"$present.earliest$")-relative_time(now(),"$past.earliest$"), _time) | timechart span=30min max(dur_sec) by marker | trendline sma5("past") as trend_last_week | eval upperBound=if( isnotnull(trend_last_week), 'trend_last_week'*1.5,'past'*1.5),lowerBound=0 | eval isOutlier=if('today'>upperBound or 'today'<lowerBound,1,0)| where _time >= relative_time(now(),"$present.earliest$")| fields _time,"today",lowerBound,upperBound,isOutlier,* As explained above this only works for relative time spans like "-1d@d" and "now". In simpler words this solution is not flexible enough. I also suspect that there might be an error in the line were I am recalculating the "_time" values, but I'm not sure yet. Because of these problems, I thought about converting all values from my tokens to Unix Epoch Times with the following code: | eval past_earliest=if(isnum(tonumber("$past.earliest$",10)),"$past.earliest$",relative_time(now(),"$past.earliest$")) | eval past_latest=if(isnum(tonumber("$past.latest$",10)),"$past.latest$",relative_time(now(),"$past.latest$")) | eval present_earliest=if(isnum(tonumber("$present.earliest$",10)),"$present.earliest$",relative_time(now(),"$present.earliest$")) | eval present_latest=if(isnum(tonumber("$present.latest$",10)),"$present.latest$",relative_time(now(),"$present.latest$")) This does not work if one of the tokens contains a non-numeric value. In this case the whole search can't be run. But I guess this code can be fixed but I don't know how. Maybe somehow can help me complete this workaround or even has an idea fro improvement of the original search. Any help is appreciated. ... View more

Lookups not working; Fields with confusing Data

by in All Apps and Add-ons
‎07-04-2017 12:04 AM
‎07-04-2017 12:04 AM
Hey everyone, I've got a problem concerning the "Generate Pages" and "Generate Sessions" Lookups. They both don't create any results. When searching for '* tag=web eventtype="pageview" ' in the context of the app, there are several thousand log entries per Minute available. So no Data is obviously not the reason of the problem. However, if one has a closer look, one can see that several fields contain wrong fields (see the incomplete list below): user_agent field contains cookie data cookie field sometimes contains ip-adresses This leads to the impression that the "Splunk Web App for Analytics" can't deal with the log type we are using. To confirm that impression we imported a small extract of the logs to a standalone instance and all of a sudden it works. So my impression is that some configuration on the "big productive" Splunk instance is interfering with the app. Is that possible? I am guessing that the App's extractions and our custom build instruction somehow disrupt each other. Might that be or is there a different setting that is likely to cause the problem? As a reference I added one log entry below. 192.168.0.1 - - [04/Jul/2017:08:18:04 +0200] "GET /fakeTest/javax.faces.resource/richfaces.js.xhtml?_=1499178984898 HTTP/1.1" 200 24580 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" "JSESSIONID=LIATgPTq8jvzhbUZQqxhusWL.Xrs51_1; prodXrs=rd1o00000000000000000000ffff8b195a56o5100; [.. a lot more of Cookie Data];" "192.168.0.1" "-" "my.domain.com" "-" "https://my.domain.com/my/referrerpage/index.xhtml ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM
Karma given to
View All