Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About jeck11
jeck11
Path Finder
Member since:
06-10-2015
2 weeks ago
Community Statistics
| Posts | 41 |
| Solutions | 0 |
| Karma Given | 12 |
| Karma Received | 2 |
| Member Since | 06-10-2015 |
Activity Feed
- Posted Re: Rex match if else style on Splunk Search. 2 weeks ago
- Posted Rex match if else style on Splunk Search. 2 weeks ago
- Posted Using subsearch results to loop through another search? on Splunk Search. 11-03-2022 07:34 AM
- Posted Get notice when rotation change in Splunk On-Call on All Apps and Add-ons. 05-09-2022 06:50 AM
- Tagged Get notice when rotation change in Splunk On-Call on All Apps and Add-ons. 05-09-2022 06:50 AM
- Tagged Get notice when rotation change in Splunk On-Call on All Apps and Add-ons. 05-09-2022 06:50 AM
- Posted Re: Field Extraction on Splunk Search. 11-10-2021 11:01 AM
- Karma Re: Field Extraction for ITWhisperer. 11-10-2021 11:01 AM
- Posted Re: Field Extraction on Splunk Search. 11-10-2021 10:52 AM
- Posted Re: Field Extraction on Splunk Search. 11-10-2021 09:55 AM
- Posted Re: Field Extraction on Splunk Search. 11-10-2021 09:54 AM
- Posted Field Extraction on Splunk Search. 11-10-2021 08:40 AM
- Posted Re: convert pivot table into stats on Splunk Search. 08-03-2021 10:53 AM
- Karma Re: convert pivot table into stats for ITWhisperer. 08-03-2021 10:53 AM
- Posted convert pivot table into stats on Splunk Search. 08-03-2021 09:07 AM
- Tagged convert pivot table into stats on Splunk Search. 08-03-2021 09:07 AM
- Posted When will the new dashboard system be released? on Dashboards & Visualizations. 03-02-2021 05:56 AM
- Karma Re: Field Extraction is capturing too much for FrankVl. 06-05-2020 12:50 AM
- Karma Re: How to sort a chart based on a sum? for oscar84x. 06-05-2020 12:50 AM
- Karma Re: How to sort a chart based on a sum? for oscar84x. 06-05-2020 12:50 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
2 weeks ago
Unfortunately, there are two different rules at play. One needs everything after the URL and the other only needs the URI which is a service name. That's what I've been struggling with.
... View more
2 weeks ago
Here are three lines of the file to illustrate what I'm going for: Line from file Desired field URI : https://URL.net/token token URI : https://URL.net/rest/v1/check rest/v1/check URI : https://URL.net/service_name/3.0.0/accounts/bah service_name I have successfully extracted the 3rd example using this: rex field=_raw "URI.+\:\shttp.+\.(net|com)\/(?<URI_ABR>.+)\/\d+\." That does not match the other two though so no field is extracted. Is there a way to say if it doesn't match that regex then capture till the end of line? I've tried this but then the 3rd example also captures everything till the end of the line: rex field=_raw "URI.+\:\shttp.+\.(net|com)\/(?<URI_ABR>.+)(\/\d+\.|\n)"
... View more
Labels
- Labels:
-
rex
11-03-2022
07:34 AM
I have been reviewing the countless other postings on subsearches but I can't pull them all together to figure out our issue.
This first search builds a list of carts that we need to find the contents of:
index="name" "Authorization was not successful!" AND /placeorder
| rex field=_raw "/carts/(?<cart>.+)/placeorder" | dedup cart | table cart
This is where I run into issues. I need to take the table created in that search and find all of the items contained in them. Here is the search for a single cart from that list:
index="name" "3322830131/processCheckout" AND "\"paymentProvider\":\"PayPal\""
My thought is that I need to cycle through the table from the subsearch, replacing the number in this search, then finally building a visualization that shows the contents of each cart using the most recent event in the second search. Am I way off? This seems pretty easy but I can't figure it out. TYIA
... View more
Labels
- Labels:
-
subsearch
05-09-2022
06:50 AM
We have transitioned from ServiceNow calendaring for on-call to Splunk On-Call. Our users are used to getting an email the week before they go on-call and then again as they're entering their on-call week. Is there a way to notify people when it's their on-call week?
... View more
Labels
- Labels:
-
other
11-10-2021
11:01 AM
I'm a moron. I just copied yours over and it worked. Thanks for sticking with me. I'll mark it as the answer.
... View more
11-10-2021
10:52 AM
I just updated the original post with screenshot. Do they help clarify the issue?
... View more
11-10-2021
09:55 AM
The search syntax that I included is working fine. I'm trying to define it as a field extraction and that's where it's pulling in too much. Thanks though.
... View more
11-10-2021
09:54 AM
The rex command is already working in the search time extraction. I'm trying to define it as a field extraction and that is where it's pulling back too much. Thanks though.
... View more
11-10-2021
08:40 AM
This has been asked a million times. I've been digging through the various postings but haven't figured out what I'm doing wrong. I'm able to do a search time extraction using the rex command to get a field exactly the way I want it. But then when I try to add it to the field extractors, it's including too much information. I need to extract the LINK_TARGET value from the event below but the USER details are also being included in the field extractor setup. Hopefully my redactions don't make this impossible for gurus to assist. Search command: index="index" search_term | rex field=_raw "LINK_TARGET\s:\s(?<link_target>.*)\n" Data: 2021-11-10 16:03:14.631 INFO [blah] [Country=US] [User=user] [ip] [DefaultLynxMetricsLogger] [blah] [blah] Metrics logging start: key blah_SEARCH_ORIGIN
LINK_TARGET : https://www.blah.com/en_US/blah?utm_source=copy&utm_medium=blah&utm_campaign=blah
USER : 9999999
Metrics logging end
... View more
Labels
- Labels:
-
field extraction
08-03-2021
09:07 AM
Hi everyone, I have a very basic search outputting two types of entries into a field called "event". I need to get a count of each type per hour. I've been able to get the view I want using the pivot but don't really want to burden the system maintaining the data model if I don't need to. So here's my question: How can I create a table (assuming using stats) to show two rows (one for each type) and columns for each hour's total (descending)? Desired format: Desired format using pivot Current output when I try to use stats: Current stats output
... View more
- Tags:
- stats
Labels
- Labels:
-
stats
03-02-2021
05:56 AM
Hi everyone, I know no one knows for sure but just looking for any possible details anyone may have heard. I have been playing with the new dashboard beta but don't want to roll it out to all of our users until it's GA so they don't have to redo any work. Has anyone heard when it will be coming out of beta?
... View more
Labels
- Labels:
-
other
01-29-2020
08:54 AM
index=_audit user!="splunk-system-user" user!="N/A" user=* host=* NOT (action=log* info=fail*)
| eval date_wday=strftime(_time,"%F")
| chart dc(user) as "Splunkers" by date_wday
Thank you! The strftime is the key for getting the data I needed.
... View more
01-23-2020
10:30 AM
That broke it down more granularly than I was looking for. I updated the question with an example chart.
... View more
01-23-2020
08:55 AM
I feel like an idiot because this should be simple. I'm trying to get a basic graph showing unique user logins per day for our Splunk Cloud environment. This search came from the "Utilization Monitor for Splunk" app and I thought it would be as easy as adding "by day" to the stats segment but that didn't work.
index=_audit user!="splunk-system-user" user!="N/A" user=* host=* NOT (action=log* info=fail*) | stats dc(user) as "Splunkers"
If I were the only user to log in and I only work mon-fri then I would expect the chart to be something like 0,1,1,1,1,1,0.
Can someone please point out what I'm missing before I lose the little hair I have left?
... View more
- Tags:
- splunk-cloud
- user
01-06-2020
01:15 PM
Hello everyone,
I have a self-service dashboard running in our Splunk Cloud V6.2 environment which displays indexed amount over time from a summary index that's populated by a saved search. Users have noticed that the chart seems to be sorting by month & day but ignoring year. Is this related to the latest date processing bug that was identified at the end of last year? I went through the remediation steps but maybe something was missed.
I am using this search:
index=corp_splunk_license_details $index_tok$ | eval Volume_gb = round(volume_gb,3) | chart sum(Volume_gb) as "Amount Indexed (GB)" by day, orig_index
... View more
12-13-2019
06:45 AM
1 Karma
Hi @oscar84x - I've been trying to change it. How can I unselect the other one and switch it to yours?
... View more
12-12-2019
08:43 AM
Perfect! TY.
The color-coding is nice for quickly identifying which index is which but using your code sorted it. The only tweak I made was to reverse it.
index=corp_splunk_license_details day="12-11-2019"
| eval Volume_gb = round(volume_gb,3)
| chart sum(Volume_gb) as "Amount Indexed (GB)" by orig_index
| sort - "Amount Indexed (GB)"
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
2 weeks ago
|
Karma given to
