Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About greggz
greggz
Communicator
Member since:
11-07-2017
06-05-2020
Community Statistics
| Posts | 69 |
| Solutions | 2 |
| Karma Given | 8 |
| Karma Received | 7 |
| Member Since | 11-07-2017 |
Activity Feed
- Karma Re: How to AutoRefresh dashboards only through Javascript for niketn. 06-05-2020 12:49 AM
- Karma Re: How to AutoRefresh dashboards only through Javascript for niketn. 06-05-2020 12:49 AM
- Karma Re: How to AutoRefresh dashboards only through Javascript for niketn. 06-05-2020 12:49 AM
- Karma Re: Splunk Dashboard Examples - Table Row highlighting bug ? for niketn. 06-05-2020 12:49 AM
- Karma Re: foreach with mvexpand to iterate over server fields and perform an expansion for somesoni2. 06-05-2020 12:49 AM
- Karma Re: How to EXTRACT regex expression in props.conf? for micahkemp. 06-05-2020 12:49 AM
- Karma Re: Assigning sourcetype to a source in HeavyForwarder props.conf is not working for somesoni2. 06-05-2020 12:49 AM
- Got Karma for Html label aligning labels with checkboxes. 06-05-2020 12:49 AM
- Got Karma for Re: How to AutoRefresh dashboards only through Javascript. 06-05-2020 12:49 AM
- Got Karma for Re: How to AutoRefresh dashboards only through Javascript. 06-05-2020 12:49 AM
- Got Karma for Re: How to AutoRefresh dashboards only through Javascript. 06-05-2020 12:49 AM
- Got Karma for Re: How to AutoRefresh dashboards only through Javascript. 06-05-2020 12:49 AM
- Got Karma for Re: How to AutoRefresh dashboards only through Javascript. 06-05-2020 12:49 AM
- Got Karma for How can I include an HTML in the footer when sending an email through Splunk infrastructure?. 06-05-2020 12:49 AM
- Karma Re: Where can I find my sourcetype definitions? for kristian_kolb. 06-05-2020 12:46 AM
- Posted How to implement SideViewUtils views in your dashboards on All Apps and Add-ons. 05-25-2018 06:30 AM
- Posted Why is the Form.token getting overrode by default value in Checkbox while duplicating tabs? on Dashboards & Visualizations. 04-16-2018 10:34 AM
- Tagged Why is the Form.token getting overrode by default value in Checkbox while duplicating tabs? on Dashboards & Visualizations. 04-16-2018 10:34 AM
- Tagged Why is the Form.token getting overrode by default value in Checkbox while duplicating tabs? on Dashboards & Visualizations. 04-16-2018 10:34 AM
- Posted Re: How can I include an HTML in the footer when sending an email through Splunk infrastructure? on Reporting. 04-13-2018 01:33 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
05-25-2018
06:30 AM
Hello,
I've read the docs and searched a bit online, inclusive found out about "Advanced XML" and I'm kinda confused here since my history with Splunk is fairly recent.
I have dasboards made with SimpleXml, and I want to implement the "static Tabs" SideViewUtils provides. How can I implement it in my app, in a step by step tutorial ?
Sorry if this is obvious, but reading trough the app I was really confused. Thanks for your time
... View more
04-16-2018
10:34 AM
So using a Checkbox of this sort
<input type="checkbox" token="showservices" searchWhenChanged="true">
<label></label>
<choice value="Service">Show services</choice>
<default></default>
</input>
It's unchecked by default. And if you check it and then duplicate the tab, it still maintains the form.token value (Checked), meaning, it does not get overrode.
<input type="checkbox" token="showservices" searchWhenChanged="true">
<label></label>
<choice value="Service">Show services</choice>
<default>Service</default>
</input>
If I do it like this (Notice I changed the default value), and then uncheck it and try to duplicate it, it will appear as checked in the new tab!! ( Meaning the default value overrode the form.token value )
Why does it behave like this? Why doesn't the form.token value gets prioritized?
... View more
04-13-2018
01:33 AM
@niketnilay For some reason that parameter didn't work for me, it didn't overwrite the default.
... View more
06-11-2018
05:22 AM
Would have been great if you've added some code to work on. Maybe it's just a small typo...
... View more
03-16-2018
09:57 AM
In my experience with Splunk 6.6.x, the time fields applied via collect will default to the value of info_min_time , which is the earliest time of the search window. This is consistent with the documentation about collect.
I've had good luck using the addtime=false option with collect. You might play with that and see if it works for you. I've had conversations with other folks for whom it didn't work, but we weren't able to trace the root cause.
... View more
02-19-2018
10:17 AM
Answer updated
Please accept and upvote any comment which helped you.
Thanks
... View more
02-09-2018
08:27 AM
No.. they're above 400. This is the reason I don't use KV_MODE=AUTO because it has a 100 limit max extractions. The can be alphanumerical aswell or have only symbols
... View more
02-07-2018
10:02 AM
1 Karma
It looks okay, but just to be sure I'd write it as (?<Property>[^=]+)=(?<Value>.+)
... View more
04-12-2020
11:15 AM
@greggz if the workaround resolved your issue please accept to mark this question as answered.
... View more
01-24-2018
08:56 AM
@greggz if you are on Splunk Enterprise 6.6 or higher you can try the Trellis layout.
For Splunk Enterprise 7.0 or higher you can also add Compare Series option to compare how various stats are trending through timechart command and hover to see individual values at specific time.
Following is a run anywhere dashboard examples based on Splunk's _internal index( I have created some dummy data for various stats, they are not necessarily accurate) and used component instead of host as per your use case.
Following is the Simple XML code:
<dashboard>
<label>Compare Trend for multiple stats</label>
<row>
<panel>
<chart>
<search>
<query>index=_internal sourcetype=splunkd log_level!=INFO component!="ConfContentsCache"
| timechart count as request_count count(eval(log_level=="ERROR")) as error_count sum(date_second) as total_duration by component limit=20 useother=f</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="height">700</option>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">line</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">zero</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
<option name="charting.legend.mode">seriesCompare</option>
<option name="charting.legend.placement">right</option>
<option name="charting.lineWidth">2</option>
<option name="trellis.enabled">1</option>
<option name="trellis.scales.shared">0</option>
<option name="trellis.size">large</option>
<option name="trellis.splitBy">_aggregation</option>
</chart>
</panel>
</row>
</dashboard>
... View more
01-24-2018
02:59 AM
No it's not helping, I sort by host and _time because I need one host at the specific time for all distinct hosts. This code pulling in values from other times to the same host giving false values
... View more
01-19-2018
06:51 AM
1 Karma
All of the solutions I've seen online don't work in a splunk dashboard. I've tried plenty of options but still no avail. Do you guys have any working solution ?
... View more
01-18-2018
08:35 AM
So apparently, matched inside the foreach is still 0. Something like Lazy Evaluation, but I don't really know. Anyway.. this works
foreach UF* [eval matched = if(like('<<FIELD>>',valMask),matched+1,matched)] | eval Property = if(matched>=1,Property,null)
... View more
01-04-2018
09:17 AM
Btw man, what can I do if I want to override a sourcetype that I have already assigned ? Example:
For a ".cnf" file I assign a generic sourceType. But sometimes in those files, it comes XML written and I wanted to assign a new sourcetype with "KV_MODE = xml". Any ideas, like a Regex searching inside the file and alert me for a XML match and then assign that very XmlSourceType ? Thanks
... View more
12-29-2017
09:36 AM
@kamlesh_vaghela Thanks for your answer, but I know I can do it with Js. Maybe I should have specified that I was looking for a solution in the SimpleXML realm 🙂
... View more
12-29-2017
04:32 AM
What is the time frame of the base search?
If I understand what you’re trying to do, try something like this:
index=mock_index host=* source="server.cnf" |table watt* host | append [search index=mock_index host=* source="server.cnf" earliest=-6mon|table watt* host ] | stats values(*) as * by host| transpose column_name=Property header_field=host 50
The append will add all the results to the bottom of the dataset is the base search and then use stats to join them together on host. You could use latest or other commands instead of values. This is just to give you another idea to accomplish what I think you’re going after. It should give you all results not in the base search as well as in the base search.
... View more
12-19-2017
12:54 PM
I just added the working query to main answer.
... View more
12-07-2017
07:53 AM
@niketnilay ♦ My pleasure! Btw you migth not need to get the PostProcessManagers, cause I think when you start the Parent Search , the children searches will automattically start aswell. All the best 😉
... View more
12-04-2017
07:50 AM
And here I was just complicating everything. Thanks sir
... View more
