About jonzatlmi

jonzatlmi · ‎06-16-2021

| metasearch index="l-hhvm" OR index="l-nginx" | timechart count as event span=1month by index | eventstats max(event) as event_count by _time index I want to get a time based understanding of when these indices have event data, over all time. But, there is way too many events to count all the way up to the total per month. I would be happy to just count to 10000 and move on to the next month. Ideally, count for each month, for each index, up to 10000 (to represent significant data present) all time (could be up to two years). Sampling won't work becuase there are too many events, it would still take too much time. what i'm currently getting, would be good to keep this formatting

jonzatlmi · ‎10-03-2020

Thank you for that, complex enough to dig into, and straightforward enough to figure out. Is it right to gleam that MV is mostly a world where you're working with single events, not one where you're combining fields from separate events? In your example we are being playful with the `dates` field that we created, putting it through MV and splitting it and reassembling it in various ways. But this is a per event result, that's what makes me thing it's not something to go across multiple events. Thanks again, very much!

jonzatlmi · ‎09-29-2020

To me, it feels like a non-direct way of getting the desired result because I couldn't specifically say that I want the results of these fields to be combined into a multivalue styleconcatenation. I was hoping to learn something (which I did from your reply, thank you very much) that I could use to understand multivalue fields better. But in the end, these are the exact results I think I'm looking for so I will pick my battles, particular the ones where I succeed I guess. Thanks again!

jonzatlmi · ‎09-29-2020

In events that we extract CID and JID from, I would like to have an output of all JID that interacted with multiple CID JID is a job ID CID is a customer ID I want to know where the same job interacted with more than one customer, and would like to output it in a MV field. I achieve roughly what I want with this: index="index-34" host="jobserver12-*" "Concurrent:" cmd="invite" | eval _raw=log | rex (cid:\s(?<cid>\d+)\s) | rex (jid:\s(?<jid>\d+)\s) | stats count values(cid) by jid But I want to know how to do this directly, I tried with mvcombine but it looks like the fields have to have the exact same values. Both JID and CID vary. Thanks!

jonzatlmi · ‎04-08-2020

thank you!

jonzatlmi · ‎04-08-2020

/answers/204549 - so this is something completely different then, rewriting host field in this example question?

jonzatlmi · ‎04-08-2020

so then the next best is a a tight search that pipes into delete command it would seem. Do you think there are alternatives? I was curious if props or transforms would show up as a suggestion.

jonzatlmi · ‎04-08-2020

If there were a field that one wanted to overwrite, say it was an API token for example, and it had already been logged in Splunk. Deleting may not be an option, how about overwriting that field with something like 'xxx'? Thanks in advance!

Posts	8
Solutions	0
Karma Given	6
Karma Received	0
Member Since	‎04-08-2020

Online Status	Offline
Date Last Visited	‎06-17-2021 12:39 AM

Time chart events per index per month but only fir...

make multivalue field from job ID matching multipl...

How can you rewrite log data to overwrite sensitiv...

Time chart events per index per month but only fir...

Re: make multivalue field from job ID matching mul...

Re: make multivalue field from job ID matching mul...

make multivalue field from job ID matching multipl...

Re: How can you rewrite log data to overwrite sens...

Re: How can you rewrite log data to overwrite sens...

Re: How can you rewrite log data to overwrite sens...

How can you rewrite log data to overwrite sensitiv...