Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About gcescatto
gcescatto
New Member
Member since:
08-15-2017
06-05-2020
Community Statistics
| Posts | 24 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 08-15-2017 |
Activity Feed
- Posted Re: How do you build a chart from two date fields? on Getting Data In. 10-22-2018 09:53 AM
- Posted How do you build a chart from two date fields? on Getting Data In. 10-22-2018 04:37 AM
- Posted Can you help me use the rex command to parse API's JSON? on Splunk Search. 10-02-2018 06:41 PM
- Tagged Can you help me use the rex command to parse API's JSON? on Splunk Search. 10-02-2018 06:41 PM
- Tagged Can you help me use the rex command to parse API's JSON? on Splunk Search. 10-02-2018 06:41 PM
- Posted Edit legend from Choropleth map chart on Dashboards & Visualizations. 06-21-2018 12:43 PM
- Posted Re: How to make the chart legend static? on Splunk Search. 04-23-2018 06:24 AM
- Posted How to make the chart legend static? on Splunk Search. 04-20-2018 07:12 AM
- Posted How to create a cascade dropdown? on Dashboards & Visualizations. 04-02-2018 06:02 AM
- Tagged How to create a cascade dropdown? on Dashboards & Visualizations. 04-02-2018 06:02 AM
- Tagged How to create a cascade dropdown? on Dashboards & Visualizations. 04-02-2018 06:02 AM
- Posted How can I remove numbers from Y-axis? on Splunk Search. 11-21-2017 09:10 AM
- Tagged How can I remove numbers from Y-axis? on Splunk Search. 11-21-2017 09:10 AM
- Posted Re: How can I define a total amount of a Pie Chart? on Splunk Search. 11-07-2017 04:29 AM
- Posted How can I define a total amount of a Pie Chart? on Splunk Search. 11-06-2017 09:24 AM
- Tagged How can I define a total amount of a Pie Chart? on Splunk Search. 11-06-2017 09:24 AM
- Tagged How can I define a total amount of a Pie Chart? on Splunk Search. 11-06-2017 09:24 AM
- Tagged How can I define a total amount of a Pie Chart? on Splunk Search. 11-06-2017 09:24 AM
- Posted Re: How can I subtract three values from Json? on Splunk Search. 11-04-2017 05:16 AM
- Posted How can I subtract three values from Json? on Splunk Search. 11-03-2017 06:21 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
10-22-2018
09:53 AM
Hi richgalloway (:
I did try using the updated query you provided me, but I’m still not getting any results for InspectionTime... any other inputs? 🙂
... View more
10-22-2018
04:37 AM
On my current data I have two date fields: CommencementDate and CompletitionDate.
I would like to build a chart where the timestamp would be CompletitionDate - CommencementDate. For that, I created the query below:
| eval InspectionDate=strptime(CompletionDate, “%Y-%m-%dT%H:%M:%S”)-strptime(CommencementDate, “%Y-%m-%dT%H:%M:%S”) |
The date format is: 2015-01-27T06:00:00
Could someone please advise?
... View more
- Tags:
- datetime
- operations
10-02-2018
06:41 PM
I have the following JSON, but I'm not really familiar with Splunk's rex function.
I tried this command without success: | rex "(?{[^}]+})" | mvexpand json_field | spath input=json_field
[
{
"Eqpt Class Description": null,
"Eqpt Criticality": "D",
"Eqpt Criticality Desc": "Non Essential",
"Eqpt Description": null,
"Eqpt Type Description": "Instrumentation",
"Maint Plant Caption": null,
"Maint Plant Filter Code": null,
"Maint Plant ID": null
},
{
"Eqpt Class Description": null,
"Eqpt Criticality": "D",
"Eqpt Criticality Desc": "Non Essential",
"Eqpt Description": null,
"Eqpt Type Description": "Instrumentation",
"Maint Plant Caption": null,
"Maint Plant Filter Code": null,
"Maint Plant ID": null
},
{
"Eqpt Class Description": null,
"Eqpt Criticality": "D",
"Eqpt Criticality Desc": "Non Essential",
"Eqpt Description": null,
"Eqpt Type Description": "Instrumentation",
"Maint Plant Caption": null,
"Maint Plant Filter Code": null,
"Maint Plant ID": null
}
]
For me to be able to build a dashboard with it, I need that to be displayed similar as in:
Could someone please help me to parse this on "}, {"?
... View more
06-21-2018
12:43 PM
Hey guys,
I'm building a Choropleth map chart and I would like to edit the legend values range.
The data that is being inputted on this chart is as this:
{"A" : "1",
"B" : "3",
"C" : "5"}
As you can see in the image below, the legend values doesn't make any sense:
What I would like to have, is a legend where the values vary as:
Red: 1 to 2
Yellow: 2 to 4
Green: 4 to 5
Close to what I got here below, but with different values:
Can someone please help?
Thanks a lot (:
... View more
- Tags:
- choropleth
- legend
04-23-2018
06:24 AM
Hey @woodcock!
It's in SPL:
index=msahc sourcetype=msahc_raw | rex "(?<json_field>{[^}]+})" | mvexpand json_field | spath input=json_field | search "ERnE Dashboard" OR "HowUFeeling Survey" OR "TBO Dashboard" group="*" country="*" | eval ServerName=upper(ServerName) | rename mood as "Mood", comment as "Comment", country as "Country" | stats avg(Mood) by Country | geom geo_countries featureIdField="Country" | rename avg(Mood) as "Mood Average"
The XML for the dashboard is:
<dashboard>
<label>Team Happiness</label>
<fieldset submitButton="false" autoRun="true">
<input type="time" searchWhenChanged="true" token="myTime">
<label>SELECT THE TIME RANGE:</label>
<default>
<earliest>-30d@d</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" searchWhenChanged="true" token="myLocation">
<label>SELECT YOUR LOCATION:</label>
<choice value="*">All</choice>
<default>*</default>
<fieldForLabel>country</fieldForLabel>
<fieldForValue>country</fieldForValue>
<search>
<query>index=msahc sourcetype=msahc_raw | rex "(?<json_field>{[^}]+})" | mvexpand json_field | spath input=json_field | dedup country | fields country | sort country</query>
</search>
</input>
<input type="dropdown" searchWhenChanged="true" token="myTeam">
<label>SELECT YOUR TEAM:</label>
<choice value="*">All</choice>
<default>*</default>
<fieldForLabel>group</fieldForLabel>
<fieldForValue>group</fieldForValue>
<search>
<query>index=msahc sourcetype=msahc_raw | rex "(?<json_field>{[^}]+})" | mvexpand json_field | spath input=json_field | search country=$myLocation|s$ | dedup group | fields group | sort group</query>
</search>
</input>
</fieldset>
<row>
<panel>
<map>
<search>
<query>index=msahc sourcetype=msahc_raw | rex "(?<json_field>{[^}]+})" | mvexpand json_field | spath input=json_field | search "ERnE Dashboard" OR "HowUFeeling Survey" OR "TBO Dashboard" group="*" country="*" | eval ServerName=upper(ServerName) | rename mood as "Mood", comment as "Comment", country as "Country" | stats avg(Mood) by Country | geom geo_countries featureIdField="Country" | rename avg(Mood) as "Mood Average"</query>
<earliest>$myTime.earliest$</earliest>
<latest>$myTime.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="mapping.type">choropleth</option>
</map>
</panel>
</row>
</dashboard>
... View more
04-20-2018
07:12 AM
Hey Splunk experts,
Please see if you can help me on this:
I created a choroplet map chart and it is receiving the following 3 values: 1, 3 and 5 (1 means a sad face | 3 means an OK face | 5 means a happy face).
Chart is working fine, but the legend keeps changing it's interval every new data received. Is it possible to keep the legend static?
As:
1 - 2.5: (sad face)
2.6 - 3.5: (OK face)
3.6 - 5: (happy face)
Is it possible?
... View more
04-02-2018
06:02 AM
Hey all,
I'm kind of new in Splunk and I would like some help on building a dashboard with a cascade dropdown. I have a script running fro different application and the idea is: once you select one of the applications (on a dropdown), it populates another dropdown with the corresponding servers (see image below).
On my Json I have a field that contains Application Name, another contains Script name and the other Server Name.
Even though I created a token ($myApp$) on my query ( | search ScriptName AppName="$myApp$"), when configuring the dropdown it didn't recognized it.
Could some one please help?
Thanks in advance.
... View more
11-21-2017
09:10 AM
Hi!
I'm having trouble removing the values 0.5, 1 and 1.5 from the Y-axis in the following dashboard:
But I need it to be displayed this way:
Could anyone please help me figure this out?
... View more
11-07-2017
04:29 AM
WOOOOOOOW!
Thank you so much!
I can definitely work with this!
Learned a lot (:
... View more
11-06-2017
09:24 AM
Hi!
I need to create a pie chart where the full pie is 1000000 and the "usage" is a count number.
It should look like this:
I have Json data like this:
{
Name: ApplicationX
NumberOfUsers: 70
Version: 2013
}
And I'm using the following Splunk query:
MY QUERY | eval Total=1000000 | chart count(NumberOfUsers) by Total
Could someone please help me?
... View more
11-04-2017
05:16 AM
I've already tried it. I'm using the following query:
eval License=(Registered - Disconnected - Dropped) | chart max(LicenseNum) by DateTime, License
But I keep getting as result just "Registered - Disconnected"
... View more
11-03-2017
06:21 PM
Hi!
I have a Json like this:
{"LicenseNum":62,
"Status":"Registered"}
and the Status can differ from three types: Registered, Disconnected and Dropped.
Based on this chart, I need to build a new one with the following mathematical equation: number of Registered - number of Disconnected - number of Dropped.
Could somebody please help me?
I've already tried to use the stats and eval function, but I probably did something really wrong.
Thank you in advance (:
... View more
- Tags:
- chart
- json
- subtraction
10-20-2017
05:17 AM
I'm using only the only application, not the downloaded one. Is it possible still?
... View more
08-22-2017
08:37 AM
That worked perfectly! Thank you so much. I got the idea. Reducing redundancy makes the search way cleaner and way quicker.
... View more
08-22-2017
08:27 AM
I did, but nothing changed...
... View more
08-22-2017
06:55 AM
I have the following query:
index=msahc sourcetype=msahc_raw | rex "(?<json_field>{[^}]+})" | mvexpand json_field | spath input=json_field | search ACT | eval DateTime=_time | convert timeformat="%x" ctime(DateTime) | bucket DateTime span=1d | rename "IDM Access" as "IDM_Access", "FACTS Database Access" as "FACTS_Database_Access" | table IDM_Access | chart var(Field="IDM_Access") as Fields count(eval(IDM_Access=="False")) as False count(eval(IDM_Access=="True")) as True | append [search index=msahc sourcetype=msahc_raw | rex "(?<json_field>{[^}]+})" | mvexpand json_field | spath input=json_field | search ACT | eval DateTime=_time | convert timeformat="%x" ctime(DateTime) | bucket DateTime span=1d | rename "IDM Access" as "IDM_Access", "FACTS Database Access" as "FACTS_Database_Access" | table FACTS_Database_Access | chart var(Field="FACTS_Database_Access") as Fields count(eval(FACTS_Database_Access=="False")) as False count(eval(FACTS_Database_Access=="True")) as True]
That generates the following bar chart:
How can I get the bar chart to display the name of the "Fields", such as IDM_Access and FACTS_Database_Access?
... View more
08-21-2017
06:41 AM
Could you please help me change places "Field" and "True"?
The table is correct, but the chart needs to be with "Field" at the X axis and "True" and "False" like colors. Sorry to bother, I'm new in Splunk.
... View more
08-21-2017
04:48 AM
The colors that should be only "True", "False" or "Missing" are displaying "True" and "Field". I'm trying to fix this. But the table displayed seems correct. Thank you (:
... View more
08-18-2017
04:20 PM
The values are "True" and "False". It comes from PowerShell scripts that store data in the database. So, my application is a dbconnect application.
... View more
08-16-2017
06:46 AM
How can I select the JSON properties and display them on a bar chart? Not their value, but their name. I need to build a bar chart similar to this one above, where the X axis is the different NAMES of JSON properties, the Y axis is the COUNT of each JSON propertie's values (there are three options: true, false and missing) and the colors must be the JSON properties values.
The json I have is:
JsonData="{
"Uniformance_Oracle_Access":"True"
"FACTS_Access":"True"
"Oracle_GG":"False"}"
So far I was just able to display the values in the colors and do a Y-axis correctly, but the X-axis has been a real problem.
... View more
08-16-2017
04:43 AM
I need each of the fields to be a column in the chart:
index=msahc | rex "(?{[^}]+})" | mvexpand json_field | spath input=json_field | search ACT | eval DateTime=_time | convert timeformat="%x" ctime(DateTime) | bucket DateTime span=1d | rename "Uniformance Oracle Access" as "Uniformance_Oracle_Access", "Uniformance Access" as "Uniformance_Access", "FACTS Access" as "FACTS_Access", "Oracle GG" as "Oracle_GG", "IDM Access" as "IDM_Access", "FACTS Database Access" as "FACTS_Database_Access", "FACTS Lan Folder Access" as "FACTS_Lan_Folder_Access" | table ServerName, Uniformance_Oracle_Access, Uniformance_Access, FACTS_Access, Oracle_GG, IDM_Access, FACTS_Database_Access, FACTS_Lan_Folder_Access
... View more
08-16-2017
04:41 AM
The stack mode is not the problem... The main problem is how to display Json fields in the X axis, the count of each of them in the Y axis (how many "FACTS Access" are true, for example) and the colors should be the values of each of them.
... View more
08-15-2017
01:42 PM
I have many Json that contains multiple fields such as:
{"FACTS Access":"True",
"FACTS Database Access":"True",
"Uniformance Oracle Access":"True",
"FACTS Lan Folder Access":"False",
"Uniformance Access":"True"}
Each of these fields support "TRUE"/"FALSE"/"MISSING" values.
What I need to do is create a dashboard as the one displayed above where the X axis is composed by Json fields and the Y axis is the count of each of the results these fields support.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
