Activity Feed
- Karma Re: Where is the Location of knowledge objects in the Backend? for richgalloway. 04-07-2021 10:45 AM
- Posted Where is the Location of knowledge objects in the Backend? on Knowledge Management. 04-07-2021 08:43 AM
- Posted Subsearch append question !! on Splunk Enterprise. 11-18-2020 04:11 AM
- Posted How do I save my search query output as a lookup ? on Splunk Enterprise. 10-08-2020 04:11 AM
- Posted Re: How do I get search start time and end time value ? on Splunk Search. 09-24-2020 09:32 AM
- Posted Re: How do I get search start time and end time value ? on Splunk Search. 09-24-2020 08:58 AM
- Posted How do I get search start time and end time value ? on Splunk Search. 09-24-2020 01:10 AM
- Posted Re: How to transpose a table? (without using Transpose command) on Splunk Search. 09-09-2020 07:50 AM
- Posted How to transpose a table? (without using Transpose command) on Splunk Search. 09-09-2020 06:31 AM
- Posted Re: What is the permissible field value length ? on Splunk Search. 09-01-2020 07:03 AM
- Posted What is the permissible field value length ? on Splunk Search. 09-01-2020 06:36 AM
- Posted Re: How to match for a condition for main menu ? on Dashboards & Visualizations. 08-28-2020 04:11 AM
- Karma Re: How to match for a condition for main menu ? for richgalloway. 08-27-2020 07:19 PM
- Posted How to match for a condition for main menu ? on Dashboards & Visualizations. 08-27-2020 08:52 AM
- Posted Re: How to create an overview/menu dashboard? on Dashboards & Visualizations. 08-27-2020 04:59 AM
- Posted Re: How to create an overview/menu dashboard? on Dashboards & Visualizations. 08-27-2020 04:56 AM
- Posted Re: How to refer to a column value ? on Dashboards & Visualizations. 08-14-2020 06:31 AM
- Posted Re: How to refer to a column value ? on Dashboards & Visualizations. 08-14-2020 06:28 AM
- Karma How do you highlight a table cell based on a field of the search result? for florianduhme. 08-14-2020 05:50 AM
- Posted How to refer to a column value ? on Dashboards & Visualizations. 08-14-2020 05:23 AM
02-04-2024 09:59 PM
Any idea how to hide it in a Studio dashboard?
04-19-2023 08:20 AM
You can also use the IN component of search. When you select multiple items in a multi-select dropdown, they are appended in a comma-separated list. Try the following:
index IN ($continent_token$) host IN ($country_token$)
Note also, you shouldn't have pipes in between search terms.
09-08-2022 11:10 AM
The eventstats command is what you're looking for. Please try:
search index = index_name source = source_name
| fields + bio, _time
| eventstats earliest_time(_time) as eTime latest_time(_time) as lTime
| eval Proj_Name = "my big project"
| `my_Macro(Proj_name, eTime, lTime)`
| table proj_value , proj_date
eventstats Splunk doc
03-28-2022 05:49 AM
"Tick mark is not changing when I select the other option"
I'm going to infer that you are using timechart to visualize the data, and the timechart still has weekends on the x axis. I believe you will need to switch from timechart to using chart over _time, which should give you a chart without any weekends.
04-07-2021 10:41 AM
1 Karma
See https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/#How-configuration-settings-are-stored-and-used for a primer. Dashboards, a.k.a. "views", are not stored in .conf files. They're in .xml files in $SPLUNK_HOME/etc/apps/<app>/local/data/ui/views or $SPLUNK_HOME/etc/users/<user>/<app>/local/data/ui/views.
12-14-2020 08:56 AM
2020-11-30T23:59:46.101621+00:00 fdb2.fdb-us-south-002 2020-11-30T23:59:45Z { "Severity": "10", "Time": "1606780785.516014", "Type": "SomewhatSlowRunLoopTop", "ID": "0000000000000000", "Elapsed": "0.0734675", "Machine": "10.185.175.43:4501", "LogGroup": "default" }
I want to know how I can extract "Severity": "10" in the search from the logs.
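One way to pull the fields out of a line like the one quoted above, as an added example that is not from the original thread or from Splunk's documentation: rex isolates the JSON object that follows the syslog header, spath auto-extracts its keys, and Severity is cast to a number so it can be compared. The sample event is the one from the question, fed in through makeresults so the search runs without any index; the index and sourcetype names in the usage note are placeholders.

```spl
| makeresults
| eval _raw="2020-11-30T23:59:46.101621+00:00 fdb2.fdb-us-south-002 2020-11-30T23:59:45Z { \"Severity\": \"10\", \"Time\": \"1606780785.516014\", \"Type\": \"SomewhatSlowRunLoopTop\", \"ID\": \"0000000000000000\", \"Elapsed\": \"0.0734675\", \"Machine\": \"10.185.175.43:4501\", \"LogGroup\": \"default\" }"
| rex field=_raw "(?<json_payload>\{.*\})"
| spath input=json_payload
| eval Severity=tonumber(Severity), Elapsed=tonumber(Elapsed)
| where Severity >= 10
| table _time Severity Type Machine Elapsed LogGroup
```

On real data, replace the first two lines with `index=<your_index> sourcetype=<your_sourcetype>`. The rex step matters because spath on the whole _raw finds no JSON while the syslog header is in front of the object; once the object is isolated, spath with only `input=` extracts every top-level key. Severity is a quoted string in the event, so without tonumber the `>=` comparison would be lexical rather than numeric.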
11-18-2020 06:26 AM
How Splunk processes a query internally does not necessarily imply you should or can write that query any differently. If you ran this query you would get far different results (if any at all) than with the original.
index = aries sourcetype = onezone
| fields aaa baa
| stats values(aaa) as aaa
| table aaa
[ search index = leo sourcetype =twofone
| fields ccc
| stats ccc ]
| stats value(aaa) as sd , values(ccc) as cc
10-08-2020 06:31 AM
Actually, both "outputlookup lookupname" and "outputlookup lookupname.csv" work fine. I tested it just now as well. The documentation says the filename must end with .csv or .csv.gz (https://docs.splunk.com/Documentation/Splunk/8.0.6/SearchReference/Outputlookup#Examples), but without .csv it works fine. I had this confusion the whole of last week. In the first example, the documentation also gives the filename without the ".csv" extension, but it was referring to a filename from transforms.conf. EDIT: <submitted feedback for this documentation page>
09-24-2020 07:27 AM
You can always break JSON if it contains more similar records.
09-09-2020 10:29 PM
I assumed vehicle, grocery and tax are not the field names but the values of a field. Let's say the name of the field is "object". The values 120, 23, 5, 45 are values of a field named "cost". The search should be something like this:
| stats count as cost by object
| untable object cost waarde
| xyseries cost object waarde
08-28-2020 10:14 AM
If this is from a field in your SPL search, then Splunk's built-in Navigation XML will not work for you, as that is only based on the dashboard title. So you will have to consider the second option of building your own Pre-built Panel and creating your own Navigation.
08-27-2020 04:59 AM
Hello @jethrop, may I request an example of this (pseudo code perhaps)? Say if I have the value of a field "X" = "Prod", then only show me the menu dashboard, else ignore.
08-14-2020 06:50 AM
The complete Simple XML approach in the second answer link (https://community.splunk.com/t5/Dashboards-Visualizations/How-to-change-font-color-based-on-a-condition-for-a-particular/td-p/487257) is to:
- Use an eval and suffix the label value, along with a delimiter, to all other fields in the same row.
- Then use the split() eval function to split the values into a multivalue field.
- Then use Simple XML CSS to hide the split value from the label field.
- Finally, apply the expression based on the label field value that is present in the second field but hidden through CSS.
You can try to run the example code and open the search in a new window to see how the SPL for the above steps is working. If not, you will have to use JS, but the approach for the data will remain the same in SPL. PS: the row in the example is colored based on the label field log_level.
05-20-2020 12:13 AM
@zacksoft
All you would need to do is go into the source data and, in the XML where it shows the below:
<option name="drilldown">cell</option>
change to
<option name="drilldown">row</option>
That will make the whole row clickable instead of just a cell.
04-09-2020 04:55 AM
Hi @zacksoft,
yes you can: TeamA's UFs must be configured to send a part of their data to both the Indexers following the instructions at https://docs.splunk.com/Documentation/Splunk/8.0.2/Forwarding/Routeandfilterdatad#Perform_selective_indexing_and_forwarding
In other words, they have to configure in outputs.conf a default targetGroup (containing the Indexers of TeamA) to send all the logs and a second targetGroup (containing the Indexers of TeamB) to send the specified data.
Then they have to put _INDEX_AND_FORWARD_ROUTING= in the inputs.conf stanzas to send to both the indexers.
Ciao.
Giuseppe
04-07-2020 02:55 AM
....
| timechart span=1d eval(round(avg(req_time_seconds),2)) as avgresponse_time by host
| eval result1="Serv1's avg_resp_time is ".case(serv1>serv2,(round(serv1/serv2*100))."% higher than Serv2", serv1<serv2,(round(serv2/serv1*100))."% lower than Serv2", true(), "same with Serv2")
| eval result2="Serv1's avg_resp_time is ".case(serv1>serv3,(round(serv1/serv3*100))."% higher than Serv3", serv1<serv3,(round(serv3/serv1*100))."% lower than Serv3", true(), "same with Serv3")
04-03-2020 09:16 AM
@zacksoft in your query human_time and sub_time are both formatting sub_time -- so they'll be the same.
If you change your last line to display:
|table human_epoch_time sub_time human_time
you should see the diff between human_epoch_time and sub_time.
03-09-2020 04:18 AM
Use the result token $result.fieldname$. The first value for the specified field name from the first search result row is used.
In the To field, set the value like this. Here PERSON1 and PERSON2 are field names.
$result.PERSON1$@mayhem.com,$result.PERSON2$@mayhem.com
If each row has different values for fields PERSON1 and PERSON2, then set Trigger settings to "for each result" in the Edit alert page.
02-19-2020 09:26 AM
Give this a try:
| makeresults
| eval _raw="memTotalMB memFreeMB memUsedMB memFreePct memUsedPct pgPageOut swapUsedPct pgSwapOut cSwitches interrupts forks processes threads loadAvg1mi waitThreads interrupts_PS pgPageIn_PS pgPageOut_PS
92101 66926 7175 77.6 21.4 3497702952 3.6 909526 998772788 4232481396 16909785 302 1012 4.07 0.00 7876.48 341.04 41.79"
| rex "[\s](?P<memTotalMB>\d+\.?\d+)\s+(?P<memFreeMB>\d+\.?\d+)\s+(?P<memUsedMB>\d+\.?\d+)\s+(?P<memFreePct>\d+\.?\d+)\s+(?P<memUsedPct>\d+\.?\d+)\s+(?P<pgPageOut>\d+\.?\d+)\s+(?P<swapUsedPct>\d+\.?\d+)\s+(?P<pgSwapOut>\d+\.?\d+)\s+(?P<cSwitches>\d+\.?\d+)\s+(?P<interrupts>\d+\.?\d+)\s+(?P<forks>\d+\.?\d+)\s+(?P<processes>\d+\.?\d+)\s+(?P<threads>\d+\.?\d+)\s+(?P<loadAvg1mi>\d+\.?\d+)\s+(?P<waitThreads>\d+\.?\d+)\s+(?P<interrupts_PS>\d+\.?\d+)\s+(?P<pgPageIn_PS>\d+\.?\d+)\s+(?P<pgPageOut_PS>\d+\.?\d+)"
| table *
You only need the "| rex" portion of the search above: just put your generating commands before it and your visualization commands after it.
02-13-2020 03:08 AM
Hi @zacksoft,
it's possible to have a drilldown in another panel of the same dashboard or in a different dashboard, not in the same panel.
It's also possible to open a row of a search to display the events of this row (it's a very limited function!).
Anyway, all the above features are described in the Splunk Dashboard Examples app ( https://splunkbase.splunk.com/app/1603/ ).
Ciao.
Giuseppe
01-09-2020 08:09 AM
If you want to write some custom JavaScript, you can do this.
Otherwise, the mode of the dashboard is set by its owner/creator - if the owner/creator sets it to Dark Mode, it'll be in Dark Mode.
12-17-2019 03:20 AM
Hi @zacksoft,
check what the execution time and the number of results are: if the search isn't heavy and you have fewer than 50,000 results, you can use it in your searches.
Anyway, you can schedule the search to populate the lookup.
Ciao.
Giuseppe
05-21-2019 10:53 PM
Hi,
give this a try:
| inputlookup sample.csv
| stats list(exam1) as exam1,list(exam2) as exam2,list(exam3) as exam3
| eval exam1 = if(isnotnull(mvfind(exam1,"best")),"OK","NO"), exam2 = if(isnotnull(mvfind(exam2,"best")),"OK","NO"), exam3 = if(isnotnull(mvfind(exam3,"best")),"OK","NO")
| transpose
| rename column as Exams,"row 1" as Results
OR
| inputlookup sample.csv
| transpose column_name=Exams
| search Exams != name
| eval final = 'row 1'.",".'row 2' .",". 'row 3'
| makemv delim="," final
| eval final = if(isnotnull(mvfind(final,"best")),"OK","NO")
| table Exams, final
05-20-2019 09:06 AM
Here you go:
| inputlookup marks.csv
| table NAME *
| untable NAME subject grade
| chart count over subject by grade