Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About therealdpk
therealdpk
Path Finder
Member since:
09-26-2012
06-05-2020
Community Statistics
| Posts | 25 |
| Solutions | 0 |
| Karma Given | 62 |
| Karma Received | 9 |
| Member Since | 09-26-2012 |
Activity Feed
- Got Karma for Re: Improve speed of "append". 11-18-2020 04:49 AM
- Got Karma for Improve speed of "append". 11-18-2020 04:48 AM
- Karma PARSER: Applying intentions failed Unable to drilldown because of post-reporting 'eval' command (can't drill down in redirected flashtimeline) for the_wolverine. 06-05-2020 12:46 AM
- Karma Can I disable clicking on items in table view when sharing search results? for caffein. 06-05-2020 12:46 AM
- Karma ConvertToIntention - Pass addterm to two locations in search for seancblake. 06-05-2020 12:46 AM
- Karma Correlate field from earlier event with error for mfrost8. 06-05-2020 12:46 AM
- Karma PARSER: Applying intentions failed Unable to drilldown because of post-reporting 'rangemap' command for alenseb. 06-05-2020 12:46 AM
- Karma How does Deployment Monitor Dashboard suppress time range messages? for sf_user_199. 06-05-2020 12:46 AM
- Karma append and max results (50000) for johnnymc. 06-05-2020 12:46 AM
- Karma Accelerated Search - Not enough data to summarize for slierninja. 06-05-2020 12:46 AM
- Karma Place indexing volume used today in a single value panel. for appmandan. 06-05-2020 12:46 AM
- Karma how to use eval and stats first() (for dummies) for wsw70. 06-05-2020 12:46 AM
- Karma adding random html to splunk view for DTERM. 06-05-2020 12:46 AM
- Karma Geeting errror : PARSER: Applying intentions failed 'unicode' object has no attribute 'get' for kml_uvce. 06-05-2020 12:46 AM
- Karma ConvertToDrillDownSearch for Nerz. 06-05-2020 12:46 AM
- Karma Re: Improve speed of "append" for chris. 06-05-2020 12:46 AM
- Karma Does a HiddenPostProcess limit the dynamic dashboard modules? for inglisn. 06-05-2020 12:46 AM
- Karma Re: How can I backfill summary index data from the web? for Lucas_K. 06-05-2020 12:46 AM
- Karma Re: regular expression ( Alert) for jonuwz. 06-05-2020 12:46 AM
- Karma Issue with Postprocessing for theouhuios. 06-05-2020 12:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 2 |
01-14-2013
12:52 PM
This may have worked on Splunk 4 but does not work on Splunk 5.0.1.
... View more
01-10-2013
05:11 PM
This did work in Splunk 4, but does not work in Splunk 5.0.1.
... View more
10-22-2012
08:31 AM
Is it possible to have JSChart render its bars horizontally? I've looked over the properties here:
http://docs.splunk.com/Documentation/Splunk/4.3/Developer/CustomChartingConfig-chartlegend
and it looks like "bar" is what I want ("The bar chart is a cartesian chart that renders data as horizontal bars"). However, when I try to use the charting.chart properties I get an error: "Misconfigured view 'overview' - Unknown parameter 'charting.chart' is defined for module JSChart. Make sure the parameter is specified in JSChart.conf."
Based on the example in the above document, I was using:
<param name="charting.chart">bar</param>
Is that indeed the correct parameter?
... View more
- Tags:
- charting
10-21-2012
09:12 PM
How do you add this code from the web?
... View more
10-21-2012
09:08 PM
This error still appears even if you specify earliest and latest, at least in 4.3.2, FWIW.
... View more
10-19-2012
05:12 PM
2 Karma
This one caught me too. This solution makes the click work:
http://splunk-base.splunk.com/answers/60224/parser-applying-intentions-failed-unable-to-drilldown-because-of-post-reporting-rangemap-command
Specifically, add "table" to the end of the HiddenPostProcess search, with a list of fields you want to display. This may not be all you need (my use requires some additional work because one of the fields is obtained from max(_time), and the result of that changes between display and click), but it solves the specific problem.
... View more
10-18-2012
04:40 PM
No, I haven't created any summary indexes yet. This'll be my first ever. No idea if the account has access to the index, but the index appears in the drop-down, so I assume so (does Splunk handle that right?). It's all enabled, FWIW.
... View more
10-18-2012
01:59 PM
Interesting. I guess I do have SideviewUtils installed. Thanks, I'll try using that too.
... View more
10-18-2012
01:46 PM
Indeed, I am doing a lot more than just a count on those fields -- I am running rare against message (heavily normalized, with 75k errors there are probably 10k unique strings), top against a few of the fields, count by severity, etc. I hope to improve this dashboard further by making use of summary indexes (currently entirely nonfunctional in this app for some reason).
I haven't had a chance to check out SideviewUtils but it comes highly recommended. I don't have the ability to install any files on the server, limiting what I can do to whatever the Splunk web UI. Maybe in the future.
... View more
10-18-2012
01:05 PM
1 Karma
Ah ha, found it. HiddenSearch has a default max event count of 10000. Not sure how to get Splunk to report when that count is hit, but at least a fix is possible:
<param name="eventCount">10000000000000</param>
... View more
10-18-2012
12:41 PM
No, no warnings with that search (on flashtimeline). This is for a pretty small index, FWIW -- 24 hours of results only returns about 74k events. Most of the timechart stuff I do works with much larger data sets.
Is there a way to tell how much is too much to show in a chart? A way to get Splunk to show warnings, etc, on the dashboard?
... View more
10-18-2012
12:34 PM
Thanks. I neglected to look up all the parameters that HiddenChartFormatter takes, ended up focusing on just JSChart and FlashChart.
... View more
10-18-2012
12:06 PM
1 Karma
I am trying to use HiddenSearch and HiddenPostProcess in a few places to re-use the same result set, based on the documentation here: http://docs.splunk.com/Documentation/Splunk/latest/Developer/PostProcess
I'm running in to a serious problem, however: the results appear to be truncated, and silently. I'm looking for 24 hours of results and I'm getting about 4.5 hours worth. Is there a way to a) determine if the HiddenPostProcess module really is discarding results and b) increase the limit, if so?
Here's the source I am using:
<module name="HiddenSearch" layoutPanel="panel_row2_col1" autoRun="True">
<param name="search"><![CDATA[
index=foo sourcetype=foo_bar | rex field=_raw "host=\"(?<realhost>[^\"]+)\"" | fields _time, severity, program, message, realhost
]]></param>
<param name="earliest">-24h</param>
<module name="HiddenPostProcess" layoutPanel="panel_row2_col1_grp1">
<param name="search"><![CDATA[
search severity<4 | timechart span=5m count by severity
]]></param>
<module name="HiddenChartFormatter">
<param name="chart">area</param>
<param name="primaryAxisTitle.text">time</param>
<param name="secondaryAxisTitle.text">error count</param>
<param name="legend.placement">none</param>
<module name="JSChart">
<param name="width">100%</param>
<param name="height">300px</param>
</module>
</module>
</module>
</module>
... View more
- Tags:
- hiddenpostprocess
10-18-2012
10:35 AM
Is it possible to add a title to a JSChart or FlashChart module? I have read the JSChart/FlashChart documentation and I have tried including a HTML module within the chart module or within its parent HiddenChartFormatter or HiddenPostProcess modules, which can result in the title going to the right place, but also results in Javascript errors ("ReferenceError: Can't find variable: Sideview").
... View more
10-17-2012
02:42 PM
I've re-read it a few times, still not totally sure I'm getting it. If any Splunk staff are watching this I'd ask that they make a simple step 1, 2, 3 guide to accompany the document, heh.
I figure at this point I'll use "collect" to populate the summary index (initially) and then use a scheduled search to continue topping it off. Scheduled searches don't seem to create or populate summary indexes in my installation, so I'll have to work with the support staff directly to figure out why (no errors, query is run according to the inspector, results go nowhere.)
... View more
10-16-2012
04:25 PM
I don't necessarily want to run it repeatedly, but I do want the summary index to be kept up to date with no manual intervention. I figure I'd run something like "index=something sourcetype=something_else | bucket _time span=5m | stats count by _time" with relative times or something.
If collect can append data to the end of an existing summary index, I should be able to do what I need. I'd just need to figure out how to create an index from the web, but that's an unrelated question.
... View more
10-16-2012
04:05 PM
Interesting -- do you know if I could schedule a collect command to run repeatedly, continually filling and topping off the summary index?
... View more
10-16-2012
04:01 PM
The documentation is not very clear on one point: It says you simply run "eventtype = firewall | stop src_ip" and that creates a summary index named "summary". Where did that name come from and what if I want two summary indexes to exist?
... View more
10-16-2012
03:52 PM
I would like to create a few summary indexes in order to run some searches more quickly -- starting with the search in http://splunk-base.splunk.com/answers/59927/improve-speed-of-append -- but I have not found any information on how to do this from the web. A lot of folks talk about using a command line script, but that's currently not an option (and not ideal, especially for re-summary-indexing in case of outages).
... View more
- Tags:
- summary-index
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
