Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About dlespron
dlespron
Path Finder
Member since:
01-06-2014
06-05-2020
Community Statistics
| Posts | 23 |
| Solutions | 1 |
| Karma Given | 13 |
| Karma Received | 2 |
| Member Since | 01-06-2014 |
Activity Feed
- Karma Re: How to create dashboard with button that will send results to specified email address? for somesoni2. 06-05-2020 12:47 AM
- Got Karma for How to create dashboard with button that will send results to specified email address?. 06-05-2020 12:47 AM
- Got Karma for Cant get line break \n to create new lines between results when emailed?. 06-05-2020 12:47 AM
- Karma Re: How can I pass a value I retrieve in the first part of a query to a second part in a second source? for Ayn. 06-05-2020 12:46 AM
- Karma Re: How can I do a find/replace on the results found to make them more readable? for richgalloway. 06-05-2020 12:46 AM
- Karma Re: How can I do a find/replace on the results found to make them more readable? for somesoni2. 06-05-2020 12:46 AM
- Karma Re: I need help finding a substring and setting it to display in a new field. for lukejadamec. 06-05-2020 12:46 AM
- Karma Re: I need help finding a substring and setting it to display in a new field. for sbsbb. 06-05-2020 12:46 AM
- Karma Re: I need help finding a substring and setting it to display in a new field. for lukejadamec. 06-05-2020 12:46 AM
- Karma Re: I need help finding a substring and setting it to display in a new field. for lukejadamec. 06-05-2020 12:46 AM
- Karma Re: I need help finding a substring and setting it to display in a new field. for lukejadamec. 06-05-2020 12:46 AM
- Karma Re: I need help finding a substring and setting it to display in a new field. for lukejadamec. 06-05-2020 12:46 AM
- Karma Re: I need help finding a substring and setting it to display in a new field. for lukejadamec. 06-05-2020 12:46 AM
- Karma Re: I need help finding a substring and setting it to display in a new field. for lukejadamec. 06-05-2020 12:46 AM
- Karma Re: I need help finding a substring and setting it to display in a new field. for lukejadamec. 06-05-2020 12:46 AM
- Posted Can someone please see my example and help me to combine the two panels using layoutpanel? on Splunk Search. 03-09-2016 12:36 PM
- Tagged Can someone please see my example and help me to combine the two panels using layoutpanel? on Splunk Search. 03-09-2016 12:36 PM
- Tagged Can someone please see my example and help me to combine the two panels using layoutpanel? on Splunk Search. 03-09-2016 12:36 PM
- Posted Cant get line break \n to create new lines between results when emailed? on Splunk Search. 07-02-2014 03:13 PM
- Tagged Cant get line break \n to create new lines between results when emailed? on Splunk Search. 07-02-2014 03:13 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
03-09-2016
12:36 PM
Here is my current code below -
<dashboard>
<label>Dashboard Title</label>
<description/>
<row>
<panel>
<chart>
<title>Title1</title>
<searchString>Search1</searchString>
<earliestTime>@d</earliestTime>
<latestTime>now</latestTime>
<fields>["host","source","sourcetype"]</fields>
</chart>
</panel>
<panel>
<single>
<title>Title2</title>
<searchString>Search2</searchString>
<earliestTime>@d</earliestTime>
<latestTime>now</latestTime>
<option name="drilldown">none</option>
<option name="afterLabel">MINUTES</option>
<option name="linkView">search</option>
<option name="refresh.auto.interval">64</option>
</single>
</panel>
</row>
</dashboard>
... View more
07-02-2014
03:13 PM
1 Karma
I know I must be missing something simple and have searched here trying multiple things but still can't get this to work. I get the results just fine and they come via email, but I need a blank line between each of the results in order to make easier for the end user to view. Can someone please help?
This is basically what I have right now:
$SearchText$ | rex mode=sed "s/\n/\n\n/g" | rex mode=sed "s/\x1/ /g" | sort _raw | table _raw | sendemail
Thanks!
... View more
07-01-2014
10:08 AM
Thanks, I will look at this now!
... View more
06-30-2014
02:14 PM
1 Karma
I apologize if this has already been answered but I did not find anything when searching. This seems very straightforward and I hate to even ask this, but here goes...
I am simply trying to create a dashboard where I can then press a button to email the results to a certain email address. I have an Actions menu at the top, but the only option there is to Print. Is there some way that I can get an Email button under this menu? Or is there some other way to do this? Any help or guidance would be appreciated.
Thanks!
... View more
01-15-2014
09:33 AM
Ok, I am looking into this now, can you help me to better understand? Right now I have this:sourcetype="Source1" | search ErrorMessage | rex ".[1][1]=(?P d+)D" | search "|11=|" | fields orderid
Which sets the orderid to a numerical value, what would I need to add to tell it to search "Source2" for that orderid?
... View more
01-15-2014
08:16 AM
For instance, I have a search where I want to query for a value that would set that value to orderid such as:
sourcetype="Source1" | search ErrorMessage | rex ".[1][1]=(?P \d+)\D" | search "|11= |" | fields orderid
and this query is able to take the error message and find what follows "11=" and set its to a value called orderid, but I then want to take that value I've set as orderid and have it query from a second source all as part of the same query. I have tried adding this at the end in order to search the second source:
map search="search sourcetype="Source2" $orderid$"
So my entire query looks like this, I thought this would work but doesnt seem to be properly passing the value of orderid to query from the second source:
sourcetype="Source1" | search ErrorMessage | rex ".[1][1]=(?P \d+)\D" | search "|11= |" | fields orderid | map search="search sourcetype="Source2" $orderid$"
Please help answer or offer any insight you may have, I may be doing this entirely wrong!
... View more
01-09-2014
08:55 AM
THAT WORKED! Thanks so much you are awesome! Also, I greatly appreciate you taking the time to provide explanation, this is all very helpful to a Splunk noob like myslef!
... View more
01-09-2014
08:21 AM
I feel like I am just missing something simple, can you break down this part ".*[1][1]=(?P d+)D" and tell me exactly what each part is doing? I have a general understanding but maybe your explanation might clear things up for me!
Thanks again!
... View more
01-08-2014
10:48 AM
still no luck, but I am working on it, thanks for your help!
... View more
01-08-2014
09:55 AM
this is piece of the raw output where the 11= shows, and no other 11= are in here
\x150=ABCD\x1128=ABCD\x11=73563269\x155=ABCD\x154=1
... View more
01-08-2014
09:44 AM
thaks so much for your help, any other thoughts on why its not working for me? Again, this is my query: search ErrorMessage | rex ".*[1][1]=(?P d+)D" | table OrderID
but the OrderID field is just showing as blank...
... View more
01-08-2014
09:16 AM
hmm, I tried again with updated code and still doesnt seem to pull the number, still just seeing an empty OrderID field. I am fairly new to using splunk, so it's probably user error, but I just tried with: search ErrorMessage | rex ".*[1][1]=(?P \d+)\D" | table OrderID
... View more
01-08-2014
09:07 AM
doesnt seem to work, it is creating a new field called OrderID, but it is coming up empty! 😞
This is my search: search ErrorMessage | rex ".*\d\d=(?P \d+)\D" | table OrderID
... View more
01-08-2014
08:52 AM
sorry! to clarify, I would like to find the "11=123456" and then just return the 123456 in the OrderID field. The 123456 is just for example, this could be any random number following the "11="
Thanks!
... View more
01-08-2014
08:50 AM
thanks, I am ok on the understanding of creating a new field, what I am having trouble with is taking the 11=123465 and then just returning 123456 in that OrderID field.
... View more
01-08-2014
08:41 AM
sorry! ok the xxxx's are just to represent the random text that may precede or follow the 11= value. yes the value is always preceded by 11=. For the sake of simplicity and my understanding lets just say it is always a number. This text is just being pulled from the _raw field.
Thanks!
... View more
01-08-2014
08:30 AM
I am sure this is probably a noob question, but I am a noob and I have been researching this for a while this morning and am not having any luck. Maybe you can help!
Ok, I am pulling a query from a log file that returns a random string of text such as:
xxxxxxxxxxxxxxxxxxxxxxxxxx11=123456xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
What I would like to do is take that 11= value and set it to a new field called OrderID, whereas the 123456 which just show up in the order ID field. Any help or insight on this would be great!
Thanks again!
... View more
01-07-2014
08:36 AM
never mind, I figured this out using the transaction command, sorry!
this worked, where 100 is the amount of lines requested.
transaction startswith=( ) maxevents=100
... View more
01-07-2014
06:51 AM
I am using Splunk to pull logs from one of my systems and I do this by searching for a particular timestamp that will then return the event. However, sometimes the information I need is not found in that particular event, but instead in the following lines of logs. How can I tell splunk to return the event as well as the following 20-30 lines or so? Please help!
Thanks!
... View more
- Tags:
- splunk
01-06-2014
10:28 AM
that works great, thanks!
... View more
01-06-2014
10:27 AM
awesome, that worked great! thanks so much for your help!
... View more
01-06-2014
08:56 AM
For instance, I have a log that returns many results and in between different fields I have a \x1 that I would like to replace with a space in order to make it more readable to the user. How can I tell splunk to find all the instances of \x1 and replace them with a space? Any input would be greatly appreciated!
Thanks!
... View more
- Tags:
- splunk
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
