About zacksoft

AnilPujar · ‎02-04-2024

Any idea? how to hide in studio dashboard?

jamin358 · ‎04-19-2023

You can also use the IN component of search. When you have select multiple items in a multi-select dropdown, they are appended in a comma separated list. Try the following. index IN ($continent_token$) host IN ($country_token$) Note also, you shouldn't have pipes in between search terms.

pwilson · ‎09-08-2022

The eventstats command is what you're looking for. Please try: search index = index_name source = source_name | fields + bio, _time | eventstats earliest_time(_time) as eTime latest_time(_time) as lTime | eval Proj_Name = "my big project" | `my_Macro(Proj_name, eTime, lTime)` | table proj_value , proj_date eventstats splunk doc

solarboyz1 · ‎03-28-2022

Tick mark is not changing when I select the other option I'm going to infer that you are using the timechart to visualize the data, and the timechart still has weekends on the x axis. I believe You will need to switch from timechart to using chart over _time Which should give you a chart without any weekends.

richgalloway · ‎04-07-2021

See https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/#How-configuration-settings-are-stored-and-used for a primer. Dashboards, a.k.a "views", are not stored in .conf files. They're in .xml files in $SPLUNK_HOME/etc/apps/<app>/local/data/ui/views or $SPLUNK_HOME/etc/users/<user>/<app>/local/data/ui/views.

rajneeshdba · ‎12-14-2020

2020-11-30T23:59:46.101621+00:00 fdb2.fdb-us-south-002 2020-11-30T23:59:45Z { "Severity": "10", "Time": "1606780785.516014", "Type": "SomewhatSlowRunLoopTop", "ID": "0000000000000000", "Elapsed": "0.0734675", "Machine": "10.185.175.43:4501", "LogGroup": "default" } I want to how Can i extract "severity": "10" in the search from the logs ?

richgalloway · ‎11-18-2020

How Splunk processes a query internally does not necessarily imply you should or can write that query and differently. If you ran this query you would get far different results (if any at all) than with the original. index = aries sourcetype = onezone | fields aaa baa | stats values(aaa) as aaa | table aaa [ search index = leo sourcetype =twofone | fields ccc | stats ccc ] | stats value(aaa) as sd , values(ccc) as cc

inventsekar · ‎10-08-2020

actually, both "outputlook lookupname" and "outputlook lookupname.csv" works fine. just now i tested it as well. the documentation says filename must end with .csv or .csv.gz https://docs.splunk.com/Documentation/Splunk/8.0.6/SearchReference/Outputlookup#Examples but, without csv, it works fine. Last whole week i have this confusion. on the first example, the documentation also gives the filename without ".csv" extension, but it was referring filename from transform.conf. EDIT <submitted feedback for this documentation page>

thambisetty · ‎09-24-2020

You can always break json if it contains more similar records.

rrovers · ‎09-09-2020

I assumed vehicle, grocery and tax are not the field names but the values of a field. Let's say the name of the field is "object". The values 120, 23, 5, 45 are values of a field named "cost". The search should be something like this | stats count as cost by object | untable object cost waarde | xyseries cost object waarde

niketn · ‎08-28-2020

If this is from a field in your SPL search, then Splunk's built in Navigation xml will not work for you, as that is only based on Dashboard title. So you will have to consider second option of building your own Pre-built Panel and create your own Navigation.

zacksoft · ‎08-27-2020

Hello @jethrop May I request you an example of this. (a pseudo code perhaps) Say if I have the value of a field "X" = "Prod" then only show me the menu dashboard , else ignore.

niketn · ‎08-14-2020

The complete Simple XML approach in the second answer link (https://community.splunk.com/t5/Dashboards-Visualizations/How-to-change-font-color-based-on-a-condition-for-a-particular/td-p/487257) is to : Use an eval and suffix label value along with a delimiter to all other fields in the same row. Then use split() eval function to split the values into multivalue field. Then use Simple XML CSS to hide the split value from the label field. Finally apply expression based on label field value that is present in the second field but hidden through CSS. You can try to run the example code and open the search in a new window to see how SPL for above steps are working. If not you will have to use JS but approach for data will remain the same in SPL. PS the row in the example is colored based on label field log_level.

Sfry1981 · ‎05-20-2020

@zacksoft All you would need to do is go into the source data and in the xml where it shows the below: <option name="drilldown">cell</option> change to <option name="drilldown">row</option> that will make the whole row clickable instead of just a cell

gcusello · ‎04-09-2020

Hi @zacksoft, yesyou can: TeamA's UFs must be configured to send a part of their data to both the Indexers following the instructions at https://docs.splunk.com/Documentation/Splunk/8.0.2/Forwarding/Routeandfilterdatad#Perform_selective_indexing_and_forwarding in other words, they have to configure in outputs.conf a default targetGroup (containing Indexers of TeamA) to send all the logs and a second targetGroup (containing the Indexers of TeamB) to send the specified data. Then they have to put in inputs.conf _INDEX_AND_FORWARD_ROUTING= in the stanzas to send to both the indexers. Ciao. Giuseppe

to4kawa · ‎04-07-2020

.... | timechart span=1d eval(round(avg(req_time_seconds),2)) as avgresponse_time by host | eval result1="Serv1's avg_resp_time is ".case(serv1>serv2,(round(serv1/serv2*100))."% higher than Serv2", serv1<serv2,(round(serv2/serv1*100))."% lower than Serv2", true(), "same with Serv2") | eval result2="Serv1's avg_resp_time is ".case(serv1>serv3,(round(serv1/serv3*100))."% higher than Serv3", serv1<serv3,(round(serv3/serv1*100))."% lower than Serv3", true(), "same with Serv3")

memarshall63 · ‎04-03-2020

@zacksoft in your uuery human_time and sub_time are both formatting sub_time -- so they'll be the same. If you change your last line to display: |table human_epoch_time sub_time human_time You should see the diff between human_epoch_time and sub_time

manjunathmeti · ‎03-09-2020

Use result token $result.fieldname$. First value for the specified field name from the first search result row is used. In the To field, set value like this. Here PERSON1 and PERSON2 are field names. $result.PERSON1$@mayhem.com,$result.PERSON2$@mayhem.com If each row has different values for fields PERSON1 and PERSON2 then set Trigger settings to for each result in Edit alert page.

mydog8it · ‎02-19-2020

Give this a try: | makeresults | eval _raw="memTotalMB memFreeMB memUsedMB memFreePct memUsedPct pgPageOut swapUsedPct pgSwapOut cSwitches interrupts forks processes threads loadAvg1mi waitThreads interrupts_PS pgPageIn_PS pgPageOut_PS 92101 66926 7175 77.6 21.4 3497702952 3.6 909526 998772788 4232481396 16909785 302 1012 4.07 0.00 7876.48 341.04 41.79" | rex "[\s](?P<memTotalMB>\d+\.?\d+)\s+(?P<memFreeMB>\d+\.?\d+)\s+(?P<memUsedMB>\d+\.?\d+)\s+(?P<memFreePct>\d+\.?\d+)\s+(?P<memUsedPct>\d+\.?\d+)\s+(?P<pgPageOut>\d+\.?\d+)\s+(?P<swapUsedPct>\d+\.?\d+)\s+(?P<pgSwapOut>\d+\.?\d+)\s+(?P<cSwitches>\d+\.?\d+)\s+(?P<interrupts>\d+\.?\d+)\s+(?P<forks>\d+\.?\d+)\s+(?P<processes>\d+\.?\d+)\s+(?P<threads>\d+\.?\d+)\s+(?P<loadAvg1mi>\d+\.?\d+)\s+(?P<waitThreads>\d+\.?\d+)\s+(?P<interrupts_PS>\d+\.?\d+)\s+(?P<pgPageIn_PS>\d+\.?\d+)\s+(?P<pgPageOut_PS>\d+\.?\d+)" | table * You only need the "| rex" portion of the search above just put your generating commands before it and visualization commands after it.

gcusello · ‎02-13-2020

Hi @zacksoft, it's possible to have drilldown in another panel of the same dashboard or in a different dashboard, not in the same panel. It's also possible to open a row of a search to display events of this row (it's avery limitated function!). Anyway all the above features are described in the Splunk Dashboard Examples app ( https://splunkbase.splunk.com/app/1603/ ). Ciao. Giuseppe

wmyersas · ‎01-09-2020

If you want to write some custom JavaScript, you can do this Otherwise, the mode of the dashboard is set by its owner/creator - if the owner/creator sets it to Dark Mode, it'll be in Dark Mode

gcusello · ‎12-17-2019

Hi @zacksoft, check what's the execution time and the number of results: if the search isn't heavy and you have less that 50,000 results, you can use it in your searches. Anyway, you can schedule the search to populate the lookup. Ciao. Giuseppe

vnravikumar · ‎05-21-2019

Hi Give a try | inputlookup sample.csv | stats list(exam1) as exam1,list(exam2) as exam2,list(exam3) as exam3 | eval exam1 = if(tostring((mvfind(exam1,"best")))!="Null","OK","NO"), exam2 = if(tostring((mvfind(exam2,"best")))!="Null","OK","NO"), exam3 = if(tostring((mvfind(exam3,"best")))!="Null","OK","NO") | transpose | rename column as Exams,"row 1" as Results OR | inputlookup sample.csv | transpose column_name=Exams | search Exams != name | eval final = 'row 1'.",".'row 2' .",". 'row 3' | makemv delim="," final | eval final= if(tostring((mvfind(final,"best")))!="Null","OK","NO") | table Exams, final

somesoni2 · ‎05-20-2019

Here you go | inputlookup marks.csv | table NAME * | untable NAME subject grade | chart count over subject by grade

zacksoft · ‎05-20-2019

Thank you very much.

Posts	336
Solutions	0
Karma Given	47
Karma Received	5
Member Since	‎09-13-2017

Online Status	Offline
Date Last Visited	‎06-11-2021 07:35 AM

Where is the Location of knoweldge objects in the ...

Subsearch append question !!

How to I save my search query output as a lookup ?

How do I get search start time and end time value ...

How to transpose a table? (without using Transpose...

What is the permissible field value length ?

How to match for a condition for main menu ?

How to refer to a column value ?

How to create an overview/menu dashboard?

How to open an extracted URI field through drilldo...

Re: How to hide the search of a dashboard panel or...

Re: How to use token in a multi-select form input?

Re: How do I get search start time and end time va...

Re: How to exclude weekends from last 30 days sear...

Re: Where is the Location of knoweldge objects in ...

Re: How do I write a regex that extracts a field b...

Re: Subsearch append question !!

Re: How to I save my search query output as a look...

Re: What is the permissible field value length ?

Re: How to transpose a table? (without using Trans...

Re: How to match for a condition for main menu ?

Re: How to create an overview/menu dashboard?

Re: How to refer to a column value ?

Re: How to open an extracted URI field through dri...

Re: Questions about Universal Forwarder.

Re: How to get a percentage calculation ?

Re: How to subtract miliseconds from _time ?

Re: Sending Alert email to the extracted user fiel...

Re: Need help in parsing the CPU info with REX

Re: How to drill-down and see the events in the da...

Re: a button to toggle dark/light mode

Re: LookUp Files Issues

Re: String Comparison with Foreach

Re: Statistical Count from a lookup Table

Re: csv couldn't be opened for reading