Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About christoffertoft
christoffertoft
Communicator
Member since:
08-11-2017
03-17-2022
Community Statistics
| Posts | 72 |
| Solutions | 1 |
| Karma Given | 23 |
| Karma Received | 2 |
| Member Since | 08-11-2017 |
Activity Feed
- Posted Re: Setup.xml: Is there a way to get the current session key in custom endpoint? on Splunk Dev. 03-17-2022 08:03 AM
- Karma What is a suggested method for accessing Splunk API via Custom REST Endpoint? for nohc. 03-17-2022 08:00 AM
- Posted How to read session key from stdin on Windows deployments? on Splunk Dev. 03-15-2022 08:35 AM
- Karma Is Async.sleep() available to Javascript for bowesmana. 06-05-2020 12:50 AM
- Karma Re: Inputlookup subsearch to match on field A and output field B in CSV file for gcusello. 06-05-2020 12:49 AM
- Karma Why is it recommended to harden the KV Store? for sjalexander. 06-05-2020 12:49 AM
- Karma Re: stats count zeroes for DalJeanis. 06-05-2020 12:49 AM
- Karma Re: Use timepicker earliest and latest as epoch time for rjthibod. 06-05-2020 12:49 AM
- Karma Re: How can I reference a search job in JavaScript? for 493669. 06-05-2020 12:49 AM
- Karma Re: How can I reference a search job in JavaScript? for kamlesh_vaghela. 06-05-2020 12:49 AM
- Karma Re: Dashboard button to run SPL on click for niketn. 06-05-2020 12:49 AM
- Karma Re: lookup several fields in one lookup command for MonkeyK. 06-05-2020 12:49 AM
- Karma Re: lookup several fields in one lookup command for somesoni2. 06-05-2020 12:49 AM
- Karma multiselect table rows for 493669. 06-05-2020 12:49 AM
- Karma Re: Inputlookup subsearch to match on field A and output field B in CSV file for elliotproebstel. 06-05-2020 12:49 AM
- Got Karma for Re: stats count zeroes. 06-05-2020 12:49 AM
- Got Karma for Re: stats count zeroes. 06-05-2020 12:49 AM
- Karma Best practice for dealing with Unicode codepoints in Splunk ? for smichalski. 06-05-2020 12:48 AM
- Karma Re: How can I detect a successful login after multiple failed logins? for woodcock. 06-05-2020 12:47 AM
- Karma Re: Why are my dashboard panels using a base search showing no results, but shows results if opened in search? for chuckers. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
03-17-2022
08:03 AM
@phoenixdigital what is the "self" object you are referring to here? I'm having issues getting session key in a scripted input running on windows, but it works in linux environments. Best regarss
... View more
03-15-2022
08:35 AM
Hi
Im developing an app that supplies a scripted input to Splunk. When its run (on linux machines), it reads the session key from stdin :
session_key = sys.stdin.readlines()[0]
This does not seem to work for Windows based deployments
Does anyone have an idea of how to do this on windows?
... View more
Labels
- Labels:
-
python
-
scripted input
-
SDK
04-03-2020
02:17 AM
Any success with this? I'm stuck at the same issue
... View more
03-30-2020
06:02 AM
Found any solution to this?
... View more
06-27-2019
05:34 AM
If i do the logic | where NOT 'exclude_me' in (mymvfield) the logic works. as soon as i put the exact same string as the argument to the boolean logic in mvfilter it breaks.
... View more
06-27-2019
05:32 AM
Hi rich, thanks for reply. I only get Error in 'eval' command: The arguments to the 'mvfilter' function are invalid. when i do | eval excludes = mvfilter( NOT in(mymvfield, 'exclude_me') )
... View more
06-27-2019
04:47 AM
I'm trying to exclude a value from a multivalue list, but it only works when I input the string as a value, not as a field.
I understand that it takes a regex as part of its expression, so is there any way i can accommodate that?
Example:
`
|makeresults
| eval mymvfield ="a b c"
| makemv mymvfield
| eval exclude_me = "b"
| eval excludes = mvfilter(NOT in(mymvfield, exclude_me))
`
Doesnt work.
| eval mymvfield ="a b c"
| makemv mymvfield
| eval excludes = mvfilter(NOT in(mymvfield, "b"))
works however. Ive tried $exclude_me$, "$exclude_me$" etc without luck..
I need to be able to exclude a value per row, based on the current value of exclude_me .. There has to be a way for this?
... View more
04-24-2019
06:51 AM
This might work, but to play the devil's advocate here:
Ponder that the list has an IP and host of example.com with ip 192.168.0.1
At some point, that key-value expires (i.e is old), perhaps because the IP has changed. At a later point in time, the ip 192.168.0.2 resolves to example.com , which then should be put in the KV store. At this point, without using timestamps and additional logic, you cant be certain the dedupped hostname (for example) removes the correct entry in the KV-store.
I've had huge problems with the KV-store functionalities, where inputlookup is great in terms of providing data on a row by row basis, making it easy to discern duplicates etc, but has the requirement of being the first command in the pipe. lookup on the other hand can be anywhere in a search, but does not provide a way to separate colliding entries (i.e. the output will be similar to that of doing a | stats values(*) by x
... View more
04-24-2019
04:21 AM
Inputlookup has to be the first command of a search
... View more
04-09-2019
06:25 AM
A follow-up issue of is that I can't really remove IP collisions within the kvstore since there is no way of telling which of the values belong to which key or row or what have you.
... View more
04-09-2019
06:21 AM
Hi @jeffland, thanks for your reply!
first question first - how do you tabulate your code lika that on answers?
Second part - I have a list similar to the one you described, with ip, macs and hostnames, along with timestamps when each of these were added or updated. This is intended to be the representation of a machine.
At any point in time, i need to, for example, look up a hostname, or a mac, or a timestamp for one of these values. If a hostname for example is apparent in several rows, there is no way for me to determine the exact values belonging to that row since all of them are bundled together. mvexpand on the other hand explodes the multi-values into every possible combination. A result which has 5 values in 5 fields will return 5^5 events.
If the events that contained my value i wnated to search for, say host=jeffland would be represented on rows, i wouldnt have this problem.
The only solution right now is to use a combination of the hostname and, say, the updated time for that value, by using two |lookup commands to first single out the host, and subsequently expand every value i need to search for and again use a | lookup filtering for that host and finding the time field i'm looking for.
... View more
04-09-2019
02:07 AM
Thanks, will check back with a current search
... View more
04-08-2019
12:41 PM
@niketnilay it's not necessarily a big KV-store, say around 3-10k entries. It has the use-case requirements of being read/written to constantly however and as such I don't see a csv file as being the right option for me.
Additionally, since the data is time bound in a sense, indexes wouldn't suffice - I'm having a need for CRUD-like interfacing with the data which kv-stores give me. Each row (possibly) has an IP, and an IP may be apparent in several rows.
... View more
04-08-2019
08:02 AM
I have a kv store that has several fields (ip addresses, time stamps etc) tied to a unique key (the default mode) - when I do an inline |lookup kvstore myip as ip , if the ip is apparent in several rows, all the other values become multi-valued. I have no way of telling which of the values in each of the multi-valued fields belong to which key. I'd like the output to be tabulated instead, just as with the inputlookup command, which outputs every row per key.
Is this possible? This seems like a huge flaw. One would expect to be able to get the data tabulated or at least separated in some way, from the database?
... View more
04-04-2019
05:09 AM
I'm working on a kvstore that has multiple interesting columns with which i might determine to enrich an event.
For example, | lookup kvstore a as a
which of course works fine if a exists in the kvstore. However, if this doesn't match to a record,
i'd like to | lookup kvstore b as b if the first one fails, and on and on onto c and d and so on until i find a matching lookup and output that row.
I've tried this by simply putting several lookups after each other as such:
| lookup a as a
| lookup b as b
| lookup c as c
but this breaks, because if a matches I'm happy, i dont need the other lookups, however if a doesn't match, i still need to progress with further lookups..
Does anyone have a solution for this issue?
... View more
02-22-2019
04:58 AM
Hi,
This is basically a question of when automatic lookups are applied to data.
I have a field url i need to sed and then use an automatic lookup to assert whether the sed-ed url is in the list. What are the steps I need to take?
Is it easier to use the | lookup command after the sed pipe?
Ideally i have a search that runs the rex on url and then look for a lookup value that exists in the row for the value of that url in the lookup. If this is found, I know that the automatic lookup matched my rexed field.
... View more
01-14-2019
05:58 AM
sorry, yes it meant to say default/app.conf... My bad
... View more
01-14-2019
04:10 AM
I solved it by setting the id field of the local/app.conf config to the same name as the folder name, as the link constructed by the app setup seems to look at the ID of the app. If that is not the same as the actual folder name, it seems to break.
... View more
01-14-2019
02:16 AM
@lakshman239 thanks for your quick reply!
I've made the app setup myself, e.g. not using a setup.xml or addon builder. I used the Dev-for-all app available on splunkbase for most of the interactions.
Will check splunkd_ui_access.log for it. Restarting/reinstalling does not help unfortunately.
... View more
01-13-2019
11:34 PM
I can't. What about it should i look for?
its very basic;
<dashboard script="javascript/setup_titan.js hideEdit="true">
<label>label</label>
<description>This app helps ...</description>
<row>
<panel>
<title>Description</title>
<html>
</html>
</panel>
</..>
</..>
... View more
01-11-2019
07:52 AM
Can I bump this question? There seems to be no way of telling splunk how to redirect properly.
... View more
11-13-2018
01:58 AM
Define "global" ? Do you want the value to be saved between reboots/visits to other dashboards/apps etc? or just for the duration of the current view?
... View more
11-12-2018
12:13 AM
Note; i made the app so I should have access to whatever is needed
... View more
11-12-2018
12:11 AM
Like the title says.
I have an application that uses a setup view to configure some defaults for the app.
When I install the app, it detects that setup is needed, and prompts to configure the app.
If I press Set up now I get redirected to the following page
However if i go into the Apps page and select Set up from the list of options next to the apps name, I get int othe setup view as expected.
Where do I specify the path for the first one to redirect correctly, i.e, how do I fix this?
Thanks for any help.
... View more
10-24-2018
06:18 AM
Thanks, ended upp doing that and a few other modifications, and it worked. Not sure if the restart was the trick or some other hack, but it works now.
... View more
