cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
combinatorics
Explorer
Member since: ‎01-20-2012
‎06-05-2020
Community Statistics
Posts 5
Solutions 0
Karma Given 3
Karma Received 3
Member Since ‎01-20-2012
Activity Feed
View All

Aggregate data from summary index

by in Knowledge Management
‎09-24-2012 02:25 PM
‎09-24-2012 02:25 PM
Every year I get asked questions like "What was the traffic volume like last year at this time?". And every year I had to say we didn't retain logs long enough to know. But, this year we have Splunk. So I want to setup some summary searches to start capturing this information day by day so I can report on it later. I'm going to start with a simple search like this. index=foo sourcetype=access_combined host=myhost | sistats count by root, status, method, uri_path My question is this... If I include lots of fields in the "by" clause of sistats, will I later still be able to aggregate them if I don't care to differentiate? For example, if I summarize using the query above, but later don't care about breaking down by uri_path, will I be able to? I don't want to capture months worth of summary events just to find out I can't generate the report I want later on. (I'm creating some fake summary events for the next few days so I can run some sample reports to see what I can do. I just thought you guys might have a good answer that we could have here for others to refer to later.) ... View more

Saved Searches on Dashboards

by in Dashboards & Visualizations
‎06-22-2012 01:56 PM
‎06-22-2012 01:56 PM
I'm creating some dashboards for use by our entire development team. Basically, it's a set of 7 saved searches displayed as pretty little bar charts or line graphs. None of them are real-time searches. If 20 people suddenly decide to load the dashboard at the same time, does this put a load of 140 searches on Splunk all at the same time? Is there a way to make the dashboard simply display the last result of that saved search? I could easily schedule these searches to run once an hour if that would reduce load on the search heads when lots of developers fire up Splunk each morning. ... View more

Re: Limit for chart with split-by clause ?

by in Splunk Search
‎05-30-2012 06:49 PM
‎05-30-2012 06:49 PM
I have the exact same issue. I'm doing this query, but get that exact error message. index=myindex sourcetype=access_combined host=somehost | chart limit=7 count by root Leaving out the limit=7 works fine, but gives a chart that has about 20 items, which isn't important for my dashboard, and doesn't look very good. I just need the top 6-8 context roots displayed with HTTP request counts. ... View more

Re: Month over month reports

by in Reporting
‎01-22-2012 03:21 PM
1 Karma
‎01-22-2012 03:21 PM
1 Karma
This worked perfectly. Not only did it answer my question, I now have a reusable month_over_month search macro. Thanks for the help. ... View more

Month over month reports

by in Reporting
‎01-21-2012 11:23 PM
2 Karma
‎01-21-2012 11:23 PM
2 Karma
I like to compare my logs from a given day/week to the same day, week the previous month, in order to visualize growth/decline, spot anomalies, etc. Obviously I can easily define a timespan for the last 28 days (or however I want to define my initial period), but I have no idea how to also grab events for the previous 28 days and graph them on top of each other. Basically I need something like this... search 1: (some search criteria) earliest=-28d latest=now search 2: (some search criteria) earliest=-56d latest=-28d Display some graph of data from search 1 over top of search 2 Any ideas? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM
Karma from
View All
Karma given to
View All