About bowesmana

bowesmana

Yes, you can parse/extract in Splunk rex is your friend https://docs.splunk.com/Documentation/Splunk/9.0.3/SearchReference/Rex So, it looks like you are trying to look for any rows in your lookup where AccountId has the value "Title" and then pass the Business field from the lookup as a constraint to the index=guardduty. You don't need the first | (pipe) symbol before the subsearch BTW. index=guardduty | [ |inputlookup CostCentersandAWSAccounts.csv | search AccountId=Title | fields Business ] so, if the guardduty data does not have a field called Business, but has something, e.g. BusinessName, then you will have to index=guardduty [ | inputlookup CostCentersandAWSAccounts.csv where AccountId=Title | fields Business | rename Business as BusinessName ] Note the use of 'where AccountId=Title' which pre-filters rather than post-search. If you mean that there is no Business field yet extracted that you want to match against the Business field in the lookup, then you have to do either a or b a. Create a new field extraction or a calculated field that creates a Business field for all indexes you want to match and then you can search like above. b. Do a rex extraction and then do a lookup against the lookup file, e.g. index=guardduty | rex "(?<Business>....regex_to_extract_business...)" | eval AccountId="Title" | lookup CostCentersandAWSAccounts.csv AccountId Business

bowesmana

https://splunkbase.splunk.com/app/2968

bowesmana

It says that SA_CIM_validator cannot be found on the indexers. Is the app installed on them? Some apps need to be deployed on the indexers too, but not sure what else may be relevant or if that's necessary here. Errno 111 = Connection Refused? Can't offer much more I'm afraid.

bowesmana

If you have done spath and have a field following the spath called Record, then the rex should work, but if you don't have a field called Record because that field is not extracted, then it won't. Your rex is looking at the entire _raw field.

bowesmana

Sorry, my bad - you're absolutely right, instead of duration_days, use duration, so you carry duration through and then calculate days after the stats. | stats max(Estimated_End_Time) as Estimated_End_Time max(duration) as duration by host SN Start_Date Start_Time | eval Estimated_Installed_Days = round(duration/86400,2) | eval Estimated_Installed_Time =tostring(Estimated_Installed_Days,"duration")

bowesmana

Not sure about dashboard studio, but a checkbox value is a multivalue field, so if you want to set more than one value to the token it, at least in XML, would need to have a multivalue result. e.g. in XML if your two values are 1 and 2, then this <eval token="form.check">split("1,2",",")</eval> will set the input form token "check" to an MV field containing 1 and 2 in the XML case, will turn on both checkboxes.

bowesmana

@PickleRick Yes, fieldformat has its uses, but I'm not a fan given its somewhat confusing behaviour, e.g. | makeresults | fields - _time | eval n=now() | fieldformat a=strftime(n, "%F %T") | fieldformat n=strftime(n, "%F %T") | eval a_max=max(a,1) | eval n_max=max(n,1) | eval a_type=if(isnum(a),1,0) | eval n_type=if(isnum(n),1,0) so the a assignment works but is not really a field and is not a number and if you transpose that, field a does not get included in the transposed results. It also does not work in foreach [] statements oddly.

bowesmana

Sorry - correct rex here | rex field=Record "[^\]]*\]:\s+Compliance Failure='(?<DESCRIPTION>[^']*).*\[(?<DISANUM>\w+)" It assumes the description is surrounded by single quote characters

bowesmana

@power12 Thanks for posting the search - the reason you are getting 99+ as your max is this | eval Estimated_Installed_Time =tostring(duration,"duration") ... | stats ... max(Estimated_Installed_Time) as Estimated_Installed_Time You are converting the duration to a string then doing max() on the string value, not the number, so 99 is greater then 100 (9 is higher alphabetically than 1. Your search should | stats max(Estimated_End_Time) as Estimated_End_Time max(duration_days) as Estimated_Installed_Days by host SN Start_Date Start_Time | eval Estimated_Installed_Days = round(Estimated_Installed_Days/86400,2) | eval Estimated_Installed_Time =tostring(Estimated_Installed_Days,"duration") i.e. Move the round to after the stats, you only need to round the final figure Move the tostring to the end - you already have max(duration_days) in your stats, which is the number you want Remove the table command - it serves no purpose as it's immediately followed by stats

bowesmana

Every event ingested into Splunk is given a _time value calculated from a method you have control over. This is how you search for events - always based on _time If your SUBMITDATE field value is what SHOULD be the value used for _time, then you will need to configure your ingestion so that it picks up that field instead of where it is currently getting _time from. Otherwise you need to search for a wide enough time range in the time picker to be 100% sure of catching all the SUBMITDATE values you want.

bowesmana

I've not seen a specific venn diagram visualisation, but depending on exactly what you are trying to show, you can probably achieve something effective enough using the @chrisyounger Circlepack visualisation https://apps.splunk.com/app/4574/ I don't believe it does overlapping circles, but it may get you close enough

bowesmana

Please post your duration field calculation

bowesmana

Can you post your full search

bowesmana

In general, if it's a new question requiring a new answer, please ask it in a new question rather than using an already answered question, so others can help out If your JSON is already auto extracted then do only the rex statement, otherwise use spath to extract the JSON from the raw event | spath | rex field=Record "[^\]]*\]: (?<DESCRIPTION>[^=]*).*\[(?<DISANUM>\w+)"

bowesmana

Then it's this setting in the input <allowCustomValues>true</allowCustomValues>

bowesmana

You can have a single daily packet report which is given a search id and then in the weekly/monthly/yearly you can just reference the daily report and post process calculate the appropriate periods with whatever aggregation you need. Let's assume your daily packets search looks like this my_packet_search | timechart span=1d count then your dashboard would look like this <dashboard> <label>Packets</label> <row> <panel> <title>Daily</title> <chart> <search ref="Packets Daily" id="daily_report"></search> <option name="charting.drilldown">none</option> </chart> </panel> </row> <row> <panel> <title>Weekly</title> <chart> <search id="weekly_report" base="daily_report"> <query> | timechart span=1w sum(*) as * </query> </search> <option name="charting.drilldown">none</option> </chart> </panel> </row> <row> <panel> <title>Monthly</title> <chart> <search id="monthly_report" base="weekly_report"> <query> | timechart span=1mon sum(*) as * </query> </search> <option name="charting.drilldown">none</option> </chart> </panel> </row> <row> <panel> <title>Yearly</title> <chart> <search base="monthly_report"> <query> | timechart span=1y sum(*) as * </query> </search> <option name="charting.drilldown">none</option> </chart> </panel> </row> </dashboard> The base search could be daily_report in all cases, but by simply calling each subsequent search its own id, you can use the slightly smaller dataset for the larger granularity calculation.

bowesmana

tstats by _time supports the span= argument, so you can do span=1s to get the a 1 second bucket of _time

bowesmana

The ones with an input box are most likely multiselect dropdowns, where you can select more than one option from the dropdown, whereas standard dropdown has no filter.

bowesmana

I don't know what you mean by a backup file in Splunk context

bowesmana

You will have to show what you are currently doing, where your data exists and the results you are getting to get further help. I can't provide direct searches without knowing your environment.

Posts	2172
Solutions	520
Karma Given	204
Karma Received	765
Member Since	‎09-05-2011

Online Status	Online
Date Last Visited	yesterday

How can I write this regex for rex to extract mult...

How to rename fields in a table without changing c...

Why doesn't drilldown eval token statement work un...

Performance fields/stats/table

Infoblox TA not extracting response code

Is there any way to create CSS that can be dynamic...

How to break up groups of <input> elements onto th...

tokenlinks.js in Splunk 8.24 broken- working dashb...

Looking for regex help in parsing data from curl o...

Overriding _time through a calculated field

Re: Comparing input lookup table to index

Re: Splunk errors and issues

Re: Splunk errors and issues

Re: How to build fields?

Re: Duration not showing value greater than 99

Re: How to set value from table to a list of check...

Re: Duration not showing value greater than 99

Re: How to build field

Re: Duration not showing value greater than 99

Re: Calculate event results based on time picker r...

Re: Is there a Venn Diagram Option

Re: Duration not showing value greater than 99

Re: Why are there empty fields after a left join?

Re: How to build field

Re: Why Do Some Dropdowns (Classic) Have a Filter ...

Re: Single Report dashboard with multiple panels b...

Re: tstats command by _time

Re: Why Do Some Dropdowns (Classic) Have a Filter ...

Re: Exceptions that never happened before

Re: Exceptions that never happened before