Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About lpolo
lpolo
Motivator
Member since:
05-10-2011
08-03-2021
Community Statistics
| Posts | 376 |
| Solutions | 17 |
| Karma Given | 73 |
| Karma Received | 137 |
| Member Since | 05-10-2011 |
Activity Feed
- Got Karma for Re: How to limit my search to return only the top 10 results based on the following search queries ?. 11-03-2024 04:54 AM
- Got Karma for How to merge two fields into one field?. 10-23-2024 09:31 AM
- Got Karma for Re: How to remove data from a bucket for a specified period of time?. 09-05-2024 08:26 AM
- Got Karma for Part 1: How to extract a json portion of an event then use spath to extract key=value pairs. 07-25-2023 01:43 AM
- Got Karma for How to merge two fields into one field?. 03-14-2023 09:50 AM
- Got Karma for Re: How to limit my search to return only the top 10 results based on the following search queries ?. 01-16-2023 05:13 PM
- Got Karma for Re: Filter values after timechart. 06-10-2022 08:59 AM
- Got Karma for How to merge two fields into one field?. 01-10-2022 05:59 AM
- Got Karma for Re: How to limit my search to return only the top 10 results based on the following search queries ?. 09-23-2021 06:18 AM
- Posted How to implement this Prometheus Query using Splunk Query Language on Splunk Enterprise. 08-03-2021 11:37 AM
- Posted Re: Source log events not forwarded after log rotation on Splunk Enterprise. 08-02-2021 08:59 AM
- Posted Re: Source log events not forwarded after log rotation on Splunk Enterprise. 07-26-2021 05:15 AM
- Posted Source log events not forwarded after log rotation on Splunk Enterprise. 07-23-2021 01:25 PM
- Got Karma for Re: How to limit my search to return only the top 10 results based on the following search queries ?. 02-08-2021 08:28 AM
- Posted Re: top 1000 by appiD on Splunk Enterprise. 07-15-2020 03:24 PM
- Posted top 1000 by appiD on Splunk Enterprise. 07-15-2020 12:41 PM
- Posted Re: Top n plus others on Splunk Enterprise. 07-06-2020 01:04 PM
- Posted Top n plus others on Splunk Enterprise. 07-06-2020 11:54 AM
- Karma Re: Regex that covers both cases for richgalloway. 06-05-2020 12:48 AM
- Karma Re: Regex that covers both cases for javiergn. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
09-20-2012
04:37 AM
It did not work. I will edit the question.
... View more
09-19-2012
12:08 PM
Erik,
Thanks for the trick. I will test it later on.
Regards,
lp
... View more
09-18-2012
10:45 AM
2 Karma
I have a data set that could have more than one multi-value field "MV-Field". Each value of each MV-field corresponds to each other. Therefore, I need to expand so every value is an event. Example:
_time MV-field_1 MV-field_2
timestamp1 1 2
2 3
5 2
by expanding I would have:
_time field_1 field_2
timestamp1 1 2
timestamp1 2 3
timestamp1 5 2
I tried mvexpand but it only works with one mv_field.
The query in question is the following:
sourcetype="test" | spath output=id "schedule{}.id" | spath output=recurrence "schedule{}.recurrence" |mvexpand id|fields _time id recurrence
Any ideas.
Thanks,
Lp
... View more
- Tags:
- mvexpand
09-13-2012
04:30 AM
1 Karma
The solution to this problem was to set the permission to "Global" in the Database Spec. This can be done at:
MySQL App -> Manager -> Database Specs. Then, click on the "Permissions" link for the database spec you need to set up with global permission.
... View more
09-11-2012
10:50 AM
1 Karma
Issue:
I need to run a mysql query not from MySQL connector App. If i do so, it fails with this message:
Required argument name=username cannot be an empty or all white space string.
If I run the query from MySQL connector app it works fine. The query in question is the following:
| mysqlquery spec=rsrch query="select TIMESTAMPDIFF(HOUR, endTime, now()) As Idx_Hours_Old,entityType, host as idx_host, startTime, endTime, state from EntityIndexState" schema=idx
I set the sharing permissions of the app to be global but it did not help. Any idea how to make it work?
Thanks,
Lp
... View more
- Tags:
- mysql
08-30-2012
06:14 AM
1 Karma
Did you try the cluster search command?
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Cluster
See also:
anomalies, anomalousvalue, kmeans, outlier
It might help you.
... View more
08-29-2012
09:39 AM
Yes you can.
I just noticed that in your log event section, you presented Time with "T" capital letter. Make sure your query has Time>your_value_threshold and not time>your_value_threshold.
... View more
08-28-2012
10:58 AM
If I run the script by itself the avg. rt is always around 50ms. If I use it as lookup script the rt is around 77ms. Splunk is adding ~27ms. I need the response time to be ~60ms. Using head:
head 1:
2012-08-28 17:23:09 Script finished in 0.047 sec
head 2:
2012-08-28 17:23:47 Script finished in 0.084 sec
head 3:
2012-08-28 17:24:07 Script finished in 0.122 sec
head 4:
2012-08-28 17:24:30 Script finished in 0.185 sec
head 5:
2012-08-28 17:33:13 Script finished in 0.392 sec
head 10:
2012-08-28 17:56:11 Script finished in 0.815 sec
head 100:
2012-08-28 17:54:12 Script finished in 7.470 sec
... View more
08-27-2012
07:24 AM
I will be skeptical too I was not explicit enough. Let me elaborate based on your recommendation:
Job Inspector reported:
This search has completed and has returned 1 result by scanning 9,352 events in 2.044 seconds.
Out 2.044 seconds dispatch.preview took 1.275 second.
The response time of server that gets REST request was QTime=1ms . The lookup time to resolve the FQDN was :
real 0m0.005s
user 0m0.000s
sys 0m0.005s
If you add QTime + the lookup still we have less than 10ms. why is dispatch.preview taking so much time?
What do you suggest?
Thanks,
Lp
... View more
08-27-2012
07:03 AM
The dispatch.preview is the offender. According to Splunk documentation: It is the time spent generating preview results.
Job inspector reported the following result set for on day sample:
This search has completed and has returned 3,240 results by scanning 9,352 events in 466.573 seconds.
Out of this 466.573 seconds dispatch.preview took 465.081 seconds.
... View more
08-24-2012
11:56 AM
Splunk response time is quite slow when I use the lookup script presented below. The response time of the web service we use in the script is quite fast most of the times under 1ms per request. what should I look to improve the performance in splunk?
This is what job inspector says "dispatch.preview" takes most of the time:
Job inspector Results:
Duration (seconds) Component Invocations Input count Output count
0.003 command.addinfo 3 9,352 9,352
0.003 command.fields 3 9,352 9,352
0.005 command.lookup 1 3,240 3,240
0.07 command.prestats 3 9,352 3,240
0.327 command.remotetl 3 9,352 9,352
0.899 command.search 3 - 9,352
0.569 command.search.kv 1 - -
0.243 command.search.typer 3 9,352 9,352
0.067 command.search.rawdata 1 - -
0.009 command.search.calcfields 1 9,352 9,352
0.006 command.search.filter 1 - -
0.006 command.search.index 3 - -
0.002 command.search.tags 3 9,352 9,352
0.001 command.search.fieldalias 1 9,352 9,352
0.001 command.search.lookups 1 9,352 9,352
0.136 command.stats 1 3,240 3,240
0.048 dispatch.createProviderQueue 1 - -
0.169 dispatch.evaluate 1 - -
0.091 dispatch.evaluate.lookup 1 - -
0.077 dispatch.evaluate.search 1 - -
0.001 dispatch.evaluate.stats 1 - -
1.293 dispatch.fetch 4 - -
**461.84 dispatch.preview 1 - -**
0.013 dispatch.process_remote_timeline 1 110,422 9,352
1.292 dispatch.stream.local 3 - -
0.022 dispatch.timeline 4 - -
Splunk Query:
earliest=-1d@d latest=@d index="si_usage" |stats sum(count) by entity| lookup entityid_lookup entity as entity OUTPUT entity_title as entity_title
Script:
import urllib2, sys,csv,time,logging
from time import clock
from lxml import etree
from time import strftime as date
def lookup(entity):
try:
url = "http://fqdn/rex/select/?q="+entity+"&version=2.2&start=0&rows=10&indent=on&fl=title&application=agent.007"
f = urllib2.urlopen(url)
doc = etree.XML(f.read())
entity_title = doc.xpath("//str[@name='title']/text()")
if not entity_title:
entity_title = "Entity Title Not Found"
return entity_title
except:
return []
def main():
logging.basicConfig(filename='lookup.log', level=logging.INFO, format='%(asctime)s %(message)s')
start_time = time.time()
logging.info('Script started')
entity = sys.argv[1]
entity_title= sys.argv[2]
r = csv.reader(sys.stdin)
w = None
first = True
for line in r:
if first:
header = line
if entity not in header or entity_title not in header:
print "entity and entity_title fields must exist in CSV data"
sys.exit(0)
csv.writer(sys.stdout).writerow(header)
w = csv.DictWriter(sys.stdout, header)
first = False
continue
result = {}
i = 0
while i < len(header):
if i < len(line):
result[header[i]] = line[i]
else:
result[header[i]] = ''
i += 1
if len(result[entity]) and len(result[entity_title]):
w.writerow(result)
elif len(result[entity]):
resulted = lookup(result[entity])
result[entity_title]=resulted
w.writerow(result)
end_time = time.time() - start_time
logging.info('Script finished in %s seconds', end_time)
if __name__ == '__main__':
main()
... View more
06-28-2012
10:23 AM
2 Karma
I learned that fill_summary_index.py can execute more than one scheduled search per back fill command. This is an example:
[tvs@io-splunk-05 bin]# ./splunk cmd python fill_summary_index.py
Please enter the app that contains the search(es): metrics
Please enter the name of saved search #1 (empty value to stop entering): Metric_ENV1_Top_N_Agent1_Daily
Please enter the name of saved search #2 (empty value to stop entering): Metric_ENV2_Top_N_Agent1_Daily
Please enter the name of saved search #3 (empty value to stop entering):
Please enter your splunk username: userid
Please enter your splunk password: yourpwd
Please enter the earliest time (UTC or relative): -28d@d
Please enter the latest time (UTC or relative): @d
Issue solved.
Thanks,
lp
... View more
06-27-2012
04:44 AM
You will need the floor function. If you use round it will round up your number if the decimal is greater or equal to .5. And it will round down if you decimal is less than .5. Example:
your query|eval x=7/3 |eval x_round=round(x)|eval x_floor=floor(x) |table x x_round x_floor
Result set:
x x_round x_floor
2.333333 2 2
... View more
06-26-2012
12:00 PM
2 Karma
Try the round function:
As presented in the documentation:
round(X,Y): This function takes one or two numeric arguments X and Y, returning X rounded to the amount of decimal places specified by Y. The default is to round to an integer.
This example returns 4:
|eval test=round(3.5)
This example returns 2.56:
|eval test=round(2.555, 2)
... View more
06-26-2012
10:11 AM
Can Splunk run more than one instance of "fill_summary_index.py"?
If I try to run more than one instance I get this message:
An instance of fill_summary_index is already running for app=metrics_tvs
Thanks,
Lp
... View more
- Tags:
- summary-index
06-19-2012
09:43 AM
Could you ask to your colleagues in Splunk Tech Support of Dev?
Thanks,
Lp
... View more
06-19-2012
07:50 AM
It improved. I can see all scheduled searches that ran or are running.
Is there a way to get what is found in the "Manager » Searches and reports" view?
... View more
06-19-2012
06:11 AM
Search = | rest /services/saved/searches | table title search
If I execute the search from this app:
http://hostname:8000/en-US/app/search/dashboard_live
I get the same result set if I run the same search from one of our apps:
http://hostname:8000/en-US/app/metrics_abc/search_view
Both apps have different scheduled searches configured.
... View more
06-19-2012
05:12 AM
It seems that is not returning all the scheduled searches for all the apps. Is there an ending point call for each app?
Thanks,
Lp
... View more
06-19-2012
04:57 AM
Yes. I did the work. The returned fields are the ones I need.
... View more
06-18-2012
10:35 AM
Is there a Splunk search command that returns information found in "Manager » Searches and reports" view?
For example, I need to know all the search names and search scheduled time configured in a particular indexer using a search command.
Thanks,
Lp
... View more
- Tags:
- search
06-13-2012
04:53 AM
18 Karma
Try this:
your_query | sort - sum(bandwidth) | head 10
you may want to name your field "bandwidth" as follow:
sourcetype="access" | stats sum(bytes_sent) as bandwidth BY client_ip | eval bandwidth=round(bandwidth/1024,2) | sort - bandwidth | head 10
sourcetype="access" | stats sum(bytes_sent) as bandwidth BY URL | sort - bandwidth | eval bandwidth=round(bandwidth/1024,2) | head 10
Lp
... View more
06-01-2012
06:31 AM
1 Karma
I have not been able to find any document about the role of the queues listed below just partial information.
Is there a document that explains the role of each queue?
Thanks,
Lp
Queue:
aeq
aggqueue
aq
auditqueue
fschangemanager_queue
indexqueue
nullqueue
parsingqueue
splunktcpin
stashparsing
tcpin_queue
typingqueue
Thanks,
Lp
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-03-2021
02:58 PM
|
Karma given to
