×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
steinroardahl
Observer
Member since: ‎10-13-2017
‎04-24-2024
Community Statistics
Posts 5
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎10-13-2017
Activity Feed
View All

How to build a dataset far back in time with incre...

by in Deployment Architecture
‎02-18-2019 02:19 AM
‎02-18-2019 02:19 AM
Hi, I admit, it sounds like a standard search procedure, but I save aggregated data in a csv file. At the same time, I do not want to build the dataset in a long search due to large resource consumption. I would like to carry out the procedure as follows: 1. Define a start date 2. Define an end date 3. Define a step by step search, let's say 5 minute steps The process will start with an empty csv file. First run searches up the information from start date and 5 minutes back in time. The information is written to the csv file with the append and the outputlookup command. Next run starts from the start date - 5 minutes. Finding information appends this to the csv file. Next run starts from start -10 minutes. Finding information .. As you can see, I want to build a dataset with a step-by-step process from a given start date to an end date back in time. How do I do this? ... View more

Re: How to split multiply case number in same fiel...

by in Splunk Search
‎01-15-2018 07:18 AM
‎01-15-2018 07:18 AM
It`s work perfectly mayurr98 🙂 ... View more

How to split multiply case number in same field?

by in Splunk Search
‎01-15-2018 12:48 AM
‎01-15-2018 12:48 AM
Hi fellow splunkers! I have a transaction that return case number in several scenarios. That is working perfectly where event has one case number. My chalenge is a application delete bulk function. My query with regex is matcing case number, but is returning all bulk case number in same field. Query: ... | transaction pid maxspan=1s startswith=eval(match(_raw,"Processing TicketMultiactionController")) endswith=eval(match(_raw,"Completed")) Output: jan 15 08:55:02 10.246.31.18 xx[11138]: Processing TicketMultiactionController#update (for 172.18.209.36 at 2018-01-15 08:55:02) [POST] Jan 15 08:55:02 10.246.31.18 xx[11138]: Parameters: {"multiaction_idbox"=>" **344411 344409 344407**", "scope"=>"", "multiaction_markasdeleted"=>"1", "multiaction_owner"=>"", "multiaction_parentticket"=>"", "multiaction_monitor"=>""} Example: casenr = 344411 344409 344407 How can I change this to "split" this deleted number into one event each ? Regards SRD ... View more

Re: If statment is not returning value with evalua...

by in Splunk Search
‎01-09-2018 11:42 PM
‎01-09-2018 11:42 PM
Hi, is this true all sow with eventtypes? ... View more

If statment is not returning value with evaluate a...

by in Splunk Search
‎01-03-2018 10:07 AM
‎01-03-2018 10:07 AM
Hi, i'am trying to evaluate a tag value like this: eval X=if(tag="NY",_time,"1") I have trying everything and stuck in the mud. Anybody? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎04-24-2024 08:33 AM