Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About lindonmorris
lindonmorris
Explorer
Member since:
05-20-2020
07-24-2023
Community Statistics
| Posts | 10 |
| Solutions | 0 |
| Karma Given | 4 |
| Karma Received | 1 |
| Member Since | 05-20-2020 |
Activity Feed
- Posted Re: Sort by alternative column on Dashboards & Visualizations. 07-24-2023 09:57 PM
- Karma Re: Sort by alternative column for cklunck. 07-24-2023 09:54 PM
- Karma Re: Sort by alternative column for yeahnah. 07-24-2023 08:02 PM
- Karma Re: Sort by alternative column for yeahnah. 07-24-2023 08:02 PM
- Posted Re: Sort by alternative column on Dashboards & Visualizations. 07-24-2023 08:01 PM
- Posted Re: Sort by alternative column on Dashboards & Visualizations. 07-24-2023 07:40 PM
- Tagged Re: Sort by alternative column on Dashboards & Visualizations. 07-24-2023 07:40 PM
- Posted Sort by alternative column on Dashboards & Visualizations. 07-24-2023 05:20 PM
- Tagged Sort by alternative column on Dashboards & Visualizations. 07-24-2023 05:20 PM
- Tagged Sort by alternative column on Dashboards & Visualizations. 07-24-2023 05:20 PM
- Tagged Sort by alternative column on Dashboards & Visualizations. 07-24-2023 05:20 PM
- Tagged Sort by alternative column on Dashboards & Visualizations. 07-24-2023 05:20 PM
- Posted Re: How to add dark theme compatibility to custom app? on Splunk Search. 05-29-2023 11:27 PM
- Got Karma for Lookup filtering performance on very large lookups. 02-09-2023 04:50 PM
- Posted Lookup filtering performance on very large lookups on Splunk Search. 02-09-2023 02:44 PM
- Tagged Lookup filtering performance on very large lookups on Splunk Search. 02-09-2023 02:44 PM
- Tagged Lookup filtering performance on very large lookups on Splunk Search. 02-09-2023 02:44 PM
- Tagged Lookup filtering performance on very large lookups on Splunk Search. 02-09-2023 02:44 PM
- Tagged Lookup filtering performance on very large lookups on Splunk Search. 02-09-2023 02:44 PM
- Tagged Lookup filtering performance on very large lookups on Splunk Search. 02-09-2023 02:44 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 0 |
07-24-2023
09:57 PM
That's perfect, thanks @cklunck . I had actually originally started using fieldformat, but for some reason switched to using eval (same/similar printf statements). I didn't understand that it doesn't affect the underlying data, just the display of - So the sort works perfectly. Many thanks 🙂
... View more
07-24-2023
08:01 PM
Thanks @yeahnah , while my example would kinda work in that case, the numbers will be significantly different (varying from Bytes to Petabytes) so the dynamic unit is a necessity for readability.
... View more
07-24-2023
07:40 PM
Thanks @yeahnah , that lets me hide the column, but rather than being able to control the drilldown, i'd like to control the sort behaviour
... View more
- Tags:
- thanks
07-24-2023
05:20 PM
I have the following query displaying as a table in a classic dashboard: | makeresults format=json data="[{\"item\":\"disk1\", \"size\":2147483648, \"size_pretty\":\"2 GB\"}, {\"item\":\"disk2\", \"size\":1099511627776, \"size_pretty\":\"1 TB\"}]"
| table item size size_pretty Now when you sort by "size" the table works as expected (2GB is smaller than 1TB). When you sort by "size_pretty" though, it of course will think that "1 TB" is first in order, followed by "2 GB" (lexicographic sort order). What I would like however (purely about user experience) is to 1) Hide the "size" column as it will be pretty horrible to read 2) When the user clicks the "size_pretty" column to sort the table, I want it to actually sort by "size" (up or down) - Even though that column is not visible to the user, meaning the output (sorted smallest to largest) would look like: item size_pretty disk 1 2 GB disk 2 1 TB Is there any way to achieve this? Note that I am on Splunk Cloud, so I do not have access to the file system. (if it can be done on a dynamic dashboard instead, i'd consider that) Bonus points if I can also apply column formatting with a colour scale as you would on a normal table
... View more
Labels
- Labels:
-
dashboard
05-29-2023
11:27 PM
I have the same question and I can see all of the replies are referring to Splunk WEB not Splunk CLOUD. From what I can tell, the only option is to do this by deploying your private app (requires Victoria Experience) https://dev.splunk.com/enterprise/docs/releaseapps/manageprivatecloud/ To clarify for all of the other responders; - This is Splunk Cloud - We have no access to the app.conf of any app - We have no access to the file structure on the Search Head - We can only use the UI and REST apis (ACS)
... View more
02-09-2023
02:44 PM
1 Karma
This is not a question, rather I am sharing something that I discovered with a Splunk OnDemand support call.
I thought I was a bit of a Splunk pro, but just goes to show there's always something to learn and this one was so simple it's a little embarrassing 😳
Imagine you have a very large lookup with 5 million+ rows (in my case a KV store, containing an extract from Maxmind DB with some other internal references added).
If you want to do a CIDR match on this, you set up a lookup definition with Match Type "CIDR(network)". Now run your query (IP address obfuscated in example)
| makeresults
| eval ip4 = "127.0.0.1"
| lookup maxmind network AS ip4
For me on Splunk Cloud, this takes around 50 seconds, and I contacted Splunk Support for some assistance in making this viable (50 seconds just way too high).
I already understood that the issue is that the cidrmatch has to run on every single row - I added a pre filter to my lookup definition and proved that with the pre filter it ran much much faster, but obviously that limited it's use to just the filtered rows.
I tried messing around with inputlookup, but couldn't get it any better
| inputlookup maxmind
| where country_name="Japan" city_name="Osaka"
This still took the same ~50 seconds to run
Of course if I had of read the documentation properly, I would have seen that "where" is actually an argument of the inputlookup clause. Changing this to:
| inputlookup maxmind where country_name="Japan" city_name="Osaka"
Made all the difference - this now runs in 5-7 seconds as the WHERE clause is now running the same as if you had added the pre-filter to the lookup definition.
To use this in a search to enrich other data, you can use:
| makeresults
| eval ip4 = "127.0.0.1"
| appendcols
[| inputlookup maxmind where country_name="Japan" city_name="Osaka"]
| where cidrmatch(network, ip4)
Obviously, the tighter you can get your WHERE clause the faster this runs - you can also use accelerated fields in your lookup (if using KV store) to further enhance, this will depend entirely on your data and how you can filter it down to the smallest possible data set before continuing.
For me, using the same 5 million row KV store and maxmind data as my example
| makeresults
| eval ip4 = "127.0.0.1"
| appendcols
[| inputlookup maxmind where country_name="Japan" city_name="Osaka" postal_code="541-0051" network_cidr="127.0.*"]
| where cidrmatch(network, ip4)
runs in ~0.179 seconds [using actual IP address, not the fake one above]. Your mileage may vary, but I hope this helps someone else trying to figure this out.
I haven't tried the same with a CSV lookup, but I imagine it would be very similar.
... View more
Labels
- Labels:
-
lookup
01-29-2023
04:34 PM
I don't know if this works for artifacts, but you can reference a list index in the data path. Using the function "string_split" string_split:custom_function_result.data.*.item < All items string_split:custom_function_result.data.0.item < Item 0
... View more
06-08-2022
10:42 PM
I found this post looking for how to get HTML into an alert email, I realise it's an old question but in case it helps anyone: The SPL: | makeresults | eval rexfield="Member: something else: abcde12345 \myaccountname" | rex field=rexfield "Member:\s+\w+\s\w+:.*\\\(?<TargetAccount>.*)" Translates to XML: <query> | makeresults | eval rexfield="Member: something else: abcde12345 \myaccountname" | rex field=rexfield "Member:\s+\w+\s\w+:.*\\\(?<TargetAccount>.*)" </query>
... View more
10-27-2020
07:42 PM
Just wondering if you ever worked out the best solution for this? I have the exact same requirement
... View more
05-20-2020
04:38 PM
With multiple admins in our Splunk Cloud, we'd like to see any changes made that have a global or app wide impact.
Example: I just deleted a field alias (was: cs_User_Agent_ == http_user_agent).
Searching _audit and _internal for either of those terms, the only results I can find is searches - I can't actually find the event where it was deleted.
... View more
Labels
- Labels:
-
search head
