Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About michaelsplunk1
michaelsplunk1
Path Finder
Member since:
06-03-2020
08-09-2022
Community Statistics
| Posts | 22 |
| Solutions | 0 |
| Karma Given | 12 |
| Karma Received | 1 |
| Member Since | 06-03-2020 |
Activity Feed
- Posted How to combine results of two alerts into one email? on Dashboards & Visualizations. 05-11-2022 03:26 PM
- Tagged How to combine results of two alerts into one email? on Dashboards & Visualizations. 05-11-2022 03:26 PM
- Tagged How to combine results of two alerts into one email? on Dashboards & Visualizations. 05-11-2022 03:26 PM
- Karma Re: How do you use multiple thresholds from a timechart for a single alert for an arbitrary number of devices? for richgalloway. 05-03-2022 03:59 PM
- Posted How do you use multiple thresholds from a timechart for a single alert for an arbitrary number of devices? on Splunk Search. 04-07-2022 03:16 PM
- Tagged How do you use multiple thresholds from a timechart for a single alert for an arbitrary number of devices? on Splunk Search. 04-07-2022 03:16 PM
- Karma Re: How to add average column to timewrap table for multiple fields? for ITWhisperer. 03-23-2022 10:19 AM
- Posted How to add average column to timewrap table for multiple fields? on Splunk Search. 03-17-2022 02:25 PM
- Tagged How to add average column to timewrap table for multiple fields? on Splunk Search. 03-17-2022 02:25 PM
- Posted How to find deltas greater than 5 skipping over rows that are different on Splunk Search. 07-29-2021 11:08 AM
- Tagged How to find deltas greater than 5 skipping over rows that are different on Splunk Search. 07-29-2021 11:08 AM
- Tagged How to find deltas greater than 5 skipping over rows that are different on Splunk Search. 07-29-2021 11:08 AM
- Posted Monitor Text Files on Getting Data In. 07-15-2021 08:46 AM
- Tagged Monitor Text Files on Getting Data In. 07-15-2021 08:46 AM
- Posted Bar Chart Alert on Splunk Enterprise. 06-08-2021 03:11 PM
- Tagged Bar Chart Alert on Splunk Enterprise. 06-08-2021 03:11 PM
- Tagged Bar Chart Alert on Splunk Enterprise. 06-08-2021 03:11 PM
- Tagged Bar Chart Alert on Splunk Enterprise. 06-08-2021 03:11 PM
- Posted What is the difference between true and not false? on Splunk Enterprise. 05-26-2021 01:38 PM
- Posted Number of Conditions in case() Statement on Splunk Search. 03-30-2021 03:46 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
05-11-2022
03:26 PM
Hello!
We currently have two separate alerts. One that prints a list of devices and another that prints a list of records related to those devices (I used the map command to iterate over the list of devices to print the list of records for each device).
So currently we get two emails, one right after the other. The first has the list of devices and the second has the records for those devices.
Is there a way to print the list of devices and the list of all their records right below in a single email?
... View more
Labels
- Labels:
-
other
04-07-2022
03:16 PM
_time device1_avg device2_avg device3_avg device4_avg 2022-04-07 00:00 34 3 11 22 2022-04-07 01:00 21 76 41 87 2022-04-07 02:00 2 18 32 32 2022-04-07 03:00 12 3 36 54 2022-04-07 04:00 7 8 21 43 2022-04-07 05:00 11 3 17 21 2022-04-07 06:00 19 12 19 16 2022-04-07 07:00 15 10 12 19 2022-04-07 08:00 4 2 19 6 I have a table of averages for an arbitrary number of arbitrary devices as shown above. How do I use these averages as thresholds for alerts about these devices? I'm trying to have a search that runs every 15 minutes to check which devices have exceeded these averages. For example, if a search is run at 06:45, and returns that device1 has a count of 10, device2 has a count of 15, device3 has a count of 21, and device 4 has a count of 2, send an alert that says device2 and device3 have exceeded their averages listed for the 06:00 hour (i.e., 12 and 19, respectively).
... View more
Labels
- Labels:
-
timechart
03-17-2022
02:25 PM
Hi there!
I want to add columns to this table that I copied from the docs about timewrap. I want to add columns that have the averages for each field (accessories, sports, strategy, etc.) across the timewrapped columns. Basically, a column for the average of ACCESSORIES_S1, ACCESSORIES_S0, etc., and then a column for the average of SPORTS_S1, SPORTS_S0, etc., and a column for the average of STRATEGY_S1, STRATEGY_S0, etc.
Additionally, I eventually want to use these averages as a trigger for an alert when the counts on these (i.e., accessories, sports, strategy, etc.) surpass the average. Long story short, I have an arbitrary number of fields, with a count on those fields, and I want to alert when the count on those fields exceeds the average, without having to set up multiple alerts for each field because I don't know what the fields are going to be ahead of time and the field names can change.
@mattymo your multipart article on timewrap and Cyclical Statistical Forecasts and Anomalies has helped me so much, can you please help me on this application of timewrap?
Thank you!
... View more
07-29-2021
11:08 AM
Hello! Sample data: Vehicle Hour of Day count delta(count) car1 11 5 -- car1 12 0 -5 car1 13 3 3 car2 11 9 6 car2 12 5 -4 car3 11 5 0 car3 12 5 0 car3 13 0 -5 car3 14 2 2 Please notice how delta(count) is calculated even going from a row that says car1 to car2 or car2 to car3. I want to alert when delta(count) is greater than 5, but only if this delta is calculated going from a row that car2 to a similar next row that is also for car2. That is, if the row switches from car1 to car2 and delta is greater than 5, or like in the table, delta is 6, I want to ignore this change and only show rows with deltas greater than 5 that were calculated for the same car, and not between different cars. Is there a way to do this? I tried to using streamstats/eventstats with the last() function but I'm not sure that I am using it correctly. For the end product, I need an alert that will fire off when a car has an increase in its count of more than 5. Thank you so much for any help!!!
... View more
07-15-2021
08:46 AM
If we have logs being pushed to a text file stored on our drive, can Splunk monitor the content of these files and can we search the content of these files?
... View more
Labels
06-08-2021
03:11 PM
Hi all! I would like to set an alert on a bar chart. The bar chart shows the number of service desk tickets per each device. How can I alert when one of these bars increases by five tickets within five minutes? This is the query that produces the bar chart: index=sample_index
| stats dc(ticket_number) by device_name
| head 15 Thank you!
... View more
Labels
05-26-2021
01:38 PM
Is querying by myField=true or myField != false the same thing? Is saying myField=true better or more efficient? Thank you!
... View more
Labels
03-30-2021
03:46 PM
Is there a limit to the number of conditions we can use in a case() statement? I've reached a point where my ORs and ANDs are no longer being highlighted syntactically and neither are my parenthesis being highlighted with their corresponding opening/closing counterpart when I move the cursor one space beyond one. Thank you!
... View more
Labels
- Labels:
-
other
03-18-2021
03:18 PM
11-05-2020
01:50 PM
Hello everyone!
I'm trying to get Splunk to create an incident in ServiceNow when an alert is triggered. I'm using the "snowincidentstream" command, but receive an error that says "command="snowincidentstream", Failed to create ticket. Return code is 400. Reason is Bad Request".
I'm following the example in the docs running a query similar to that below:
sourcetype="CPURates" earliest=-5m latest=now
| stats avg(CPU) as CPU last(_time) as time by host
| where CPU>=95
| eval category="Software"
| eval contact_type="Phone"
| eval ci_identifier="8214eb87c0a8018b7bd0919758dcc3c2"
| eval priority="1"
| eval subcategory="Database"
| eval short_description="CPU on ". host ." is at ". CPU ""
| eval account="user"
| eval custom_fields="u_affected_user=nobody||u_caller_id=12345"
| eval correlation_id="de305d51-15b4-411b-adb2-fb6b9e546013"
| snowincidentstream
What could be wrong? Can someone please help?
Thank you so much!
... View more
Labels
- Labels:
-
alert action
-
other
10-27-2020
02:11 PM
Hi Everyone! Does the "snowincident" command always create an incident upon being called? I want to use this in an alert, so that we use the "custom_fields" setting, however, we only want the incident to be created if the alert was triggered. Thanks!
... View more
Labels
- Labels:
-
other
10-27-2020
01:05 PM
Thank you @richgalloway ! This helps so much! I can include the oldest incident in the query, but if it's included as a result, it will affect the alert triggering because I'm triggering based on a number of results. What should I do?
... View more
10-26-2020
12:57 PM
I had been wondering what the "dv_" in front of all those fields names has meant for so long and this just answered that question. Thank you.
... View more
10-26-2020
11:50 AM
Hi All! When we choose to send an email as an alert action in Splunk, is there a way for Splunk to take the oldest ServiceNow incident in the alert results and link to it or at least provide it's info (e.g., incident number) in the email it sends out with the alert?
... View more
Labels
- Labels:
-
other
10-26-2020
11:43 AM
Hi everyone! I'm trying to have Splunk modify incidents in ServiceNow. For example, when an alert is triggered in Splunk based on ServiceNow data, I would like Splunk to take the oldest ServiceNow incident event that triggered the alert, and have Splunk go into ServiceNow to escalate that incident's priority and also make other related incidents in the alert's results the children of that oldest incident in ServiceNow. Does Splunk have this power?
... View more
- Tags:
- incident
- servicenow
Labels
- Labels:
-
other
10-20-2020
08:10 AM
1 Karma
Hi everyone! My time picker token spits out values like "-60m@m" and I want to convert this time value into an epoch time so I can filter based on epoch time. How do I convert this? Can I use strptime() to do it? What format would I tell strptime() the time is in? Thank you!
... View more
Labels
- Labels:
-
other
08-28-2020
12:09 PM
Hello Everyone,
I have metrics in different metric indexes but I want to perform a timechart count on these, adding all of them into a single count each day.
I can make a timechart count of them separately, but I want to make a timechart count, where the count in each minute, hour, day, etc., is the sum of each of the counts separately.
Can you please help me perform this query?
Thank you!
... View more
07-13-2020
09:19 AM
Can the cluster command cluster based on more than one field? I know we can change which field to cluster by, but can we cluster by multiple fields?
... View more
- Tags:
- cluster
Labels
- Labels:
-
other
07-10-2020
08:58 AM
Is there a way to set the maximum cluster size for the clusters generated by the "cluster" command?
... View more
Labels
- Labels:
-
other
06-29-2020
12:47 PM
Hi! I used the "Cluster Behavior by App Usage" example in the Clustering Numeric Fields workflow within the Splunk MLTK Showcase. It produces the cluster visualization shown below. Can you help me understand the meaning of this visualization or recommend resources for understanding this visualization? How do I know which fields are clustered by looking at this? I understand the coloring has something to do with it, but there are multiple plots, and I would love some help trying to understand what this means. Thank you so much!
... View more
Labels
- Labels:
-
other
06-19-2020
02:45 PM
How do we find the average of a table column filled with time values?
... View more
Labels
- Labels:
-
stats
06-17-2020
11:45 AM
I'm using the Machine Learning Toolkit (MLTK) to detect outliers. It envelopes my line chart between the upper and lower bounds and uses these to determine whether or not there are outliers. If I reduce the number of data points by zooming in on a particular time period of my line chart, the number of outliers increases. I know that the number of data points changes the numbers in the math, and that we have to tune our model to our needs, but do you have any advice on how to tune this, or how to determine what a large enough sample is so that I don't miss any outliers? The major outliers are always obvious, but how can I make my outlier detection more "capable" at detecting outliers that are not so obvious (since they're not as drastically deviated as some other outliers are)?
... View more
Labels
- Labels:
-
other
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-09-2022
03:18 PM
|
Karma given to
