Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About kjcorbin
kjcorbin
Explorer
Member since:
05-25-2011
06-05-2020
Community Statistics
| Posts | 12 |
| Solutions | 1 |
| Karma Given | 0 |
| Karma Received | 8 |
| Member Since | 05-25-2011 |
Activity Feed
- Got Karma for SimpleResultsTable ignoring count. 06-05-2020 12:46 AM
- Got Karma for SimpleResultsTable ignoring count. 06-05-2020 12:46 AM
- Got Karma for Re: SimpleResultsTable ignoring count. 06-05-2020 12:46 AM
- Got Karma for Splunk scheduled jobs do not run. 06-05-2020 12:46 AM
- Got Karma for Splunk scheduled jobs do not run. 06-05-2020 12:46 AM
- Got Karma for Pulldown works great for admin, not for other users. 06-05-2020 12:46 AM
- Got Karma for Pulldown works great for admin, not for other users. 06-05-2020 12:46 AM
- Posted Re: Pulldown works great for admin, not for other users on All Apps and Add-ons. 08-12-2011 12:14 PM
- Posted Re: Pulldown works great for admin, not for other users on All Apps and Add-ons. 08-12-2011 11:54 AM
- Posted Re: Pulldown works great for admin, not for other users on All Apps and Add-ons. 08-12-2011 11:15 AM
- Posted Re: Pulldown works great for admin, not for other users on All Apps and Add-ons. 08-12-2011 07:17 AM
- Posted Pulldown works great for admin, not for other users on All Apps and Add-ons. 08-11-2011 02:40 PM
- Tagged Pulldown works great for admin, not for other users on All Apps and Add-ons. 08-11-2011 02:40 PM
- Posted Re: Saved Searches fail to generate PDF attachment for email on Splunk Search. 08-09-2011 08:59 AM
- Posted Re: SimpleResultsTable ignoring count on Splunk Search. 08-01-2011 03:43 PM
- Posted Splunk scheduled jobs do not run on Reporting. 08-01-2011 01:47 PM
- Tagged Splunk scheduled jobs do not run on Reporting. 08-01-2011 01:47 PM
- Tagged Splunk scheduled jobs do not run on Reporting. 08-01-2011 01:47 PM
- Posted Re: SimpleResultsTable ignoring count on Splunk Search. 07-29-2011 01:19 PM
- Posted SimpleResultsTable ignoring count on Splunk Search. 07-29-2011 12:01 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 2 | |||
| 2 | |||
| 2 | |||
| 0 |
08-12-2011
12:14 PM
After digging deeper the problem was actually with an automatic lookup that had the incorrect permissions. Sorry to have troubled you, but thanks for all the detailed info.
... View more
08-12-2011
11:54 AM
I performed another test where I removed the post-process from the pulldown and it works. however, the inability to use the prost process in the pulldown means I would need to searches to generate 2 pulldowns.
... View more
08-12-2011
11:15 AM
Unfortunately, even with only one autoRun="True" I am still seeing the error.
It FEELS like it is permission related since it only happens to the non-admin user. admin can run it fine. But the permissions look right. And if I ad admin permissions to the other user they still see the error.
Is there anything permission related that would affect how the pulldown is populated?
I will read up on the link you sent to see if I can get a better understanding of the autoRun feature.
... View more
08-12-2011
07:17 AM
I have updated the original post to include the entire XML. The reason I was thinking it may be drop down related is that when I get the error the pulldown is not populated. This is odd, because if I run the search that I use to populate the pulldown by hand it returns results.
... View more
08-11-2011
02:40 PM
2 Karma
I have a form that uses Sideview utils to populate 2 pulldowns. When I run this as admin it works perfectly. My initial thought was it must be permissions related. However, when I gave this other user admin permissions they still saw the same error.
The error message is [SimpleResultsTable module] Server reported HTTP status=400 while getting mode=results <?xml version='1.0' encoding='UTF-8'?> Error in 'stats' command: The rename value is invalid. .
When the pulldown finishes loading there are no results. I assume that is what is causing this error to appear. WIth out results in the pulldown the substitution should fail. What has me perplexed is why no results are being returned when the same query run by hand works. I have a similar set up on another page and it works correctly. The only difference between the two is this one returns 2 values with the initial search and then does post-processing in the pulldown.
Here is the XML snippet:
<view autoCancelInterval="90" isVisible="true" onunloadCancelJobs="true" template="dashboard.html" isSticky="False">
<label>Statistic Detail Search Form</label>
<module name="AccountBar" layoutPanel="appHeader" />
<module name="AppBar" layoutPanel="appHeader" />
<module name="SideviewUtils" layoutPanel="appHeader" />
<module name="Message" layoutPanel="messaging">
<param name="filter">*</param>
<param name="maxSize">2</param>
<param name="clearOnJobDispatch">False</param>
</module>
<module name="HTML" layoutPanel="viewHeader">
<param name="html"><![CDATA[
<h1>Statistic Detail Search Form</h1>
]]></param>
</module>
<module name="Search" layoutPanel="panel_row2_col1" autoRun="True">
<param name="search">index="main" | stats count by ServiceName FullCounterName</param>
<param name="earliest">-4h</param>
<param name="latest">-5m</param>
<module name="Pulldown" autoRun="False">
<param name="name">ServiceName</param>
<param name="size">4</param>
<param name="label">Service Name:</param>
<param name="template">ServiceName="$value$"</param>
<param name="separator">+OR+</param>
<param name="postProcess">dedup $name$ | sort $name$</param>
<param name="outerTemplate">( $value$ )</param>
<param name="searchFieldsToDisplay">
<list>
<param name="label">ServiceName</param>
<param name="value">ServiceName</param>
</list>
</param>
<module name="Pulldown" layoutPanel="panel_row2_col1">
<param name="name">FullCounterName</param>
<param name="staticFieldsToDisplay"></param>
<param name="size">1</param>
<param name="label">Counter Name:</param>
<param name="template">$value$</param>
<param name="postProcess"> dedup $name$ | sort $name$</param>
<param name="searchFieldsToDisplay">
<list>
<param name="label">FullCounterName</param>
<param name="value">FullCounterName</param>
</list>
</param>
<module name="Pulldown" layoutPanel="panel_row2_col1" >
<param name="name">time_bucket</param>
<param name="label">Time Bucket Size </param>
<param name="staticFieldsToDisplay">
<list>
<param name="label">30 Minutes</param>
<param name="value">30m</param>
</list>
<list>
<param name="label">60 Minutes</param>
<param name="value">60m</param>
</list>
<list>
<param name="label">90 Minutes</param>
<param name="value">90m</param>
</list>
<list>
<param name="label">3 hours</param>
<param name="value">3h</param>
</list>
<list>
<param name="label">6 Hours</param>
<param name="value">6h</param>
</list>
<list>
<param name="label">12 Hours</param>
<param name="value">12h</param>
</list>
<list>
<param name="label">24 Hours</param>
<param name="value">24h</param>
</list>
</param>
<module name="TimeRangePicker" layoutPanel="panel_row2_col1">
<param name="searchWhenChanged">True</param>
<param name="selected">Last 4 hours</param>
<param name="label">Time Frame:</param>
<module name="Search" autoRun="False">
<param name="search">source="msmetrics socket" $ServiceName$ FullCounterName="$FullCounterName$"|bin _time span=$time_bucket$ | stats sum(CounterValue) as "$FullCounterName$" by _time ServiceName
</param>
<module name="JobProgressIndicator"></module>
<module name="PostProcess">
<param name="search">timechart sum($FullCounterName$) as "$FullCounterName$" by ServiceName</param>
<module name="HiddenChartFormatter">
<param name="chart">line</param>
<param name="charting.chart.nullValueMode">connect</param>
<param name="primaryAxisTitle.text">time</param>
<param name="secondaryAxisTitle.text">Value</param>
<param name="legend.placement">top</param>
<module name="FlashChart">
<param name="width">100%</param>
<param name="height">400px</param>
</module>
</module>
</module>
<module name="Pager">
<param name="entityName">results</param>
<module name="SimpleResultsTable">
<param name="displayRowNumbers">True</param>
<param name="entityName">results</param>
<param name="count">30</param>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</view>
... View more
08-09-2011
08:59 AM
Was this ever resolved. I am having a similar issue where libfontconfig.so.1 is not found by firefox-bin under firefox-i386. However firefox-bin under firefox-x86_64 is able to find the library correctly. So it lok slike for some reason pdf server is always trying to use the 32 bit version even when the os is 64 bit.
However, at this point I am pretty stuck since there appears to be no way to configure pdf server to use the 64 bit version of firefox.
... View more
08-01-2011
03:43 PM
I ended up solving this by adding the totals to the original query. However, because I was sharing the search node with other charts that were displaying averages and top usage I had to exclude the Totals from the data on the other post-process steps.
I did this by adding:
search NOT ServiceName="Totals" |
... View more
08-01-2011
01:47 PM
2 Karma
I have many jobs scheduled to run on a regular basis in splunk, some every 30 minutes some every 5 minutes. Today, for no obvious reason, two of the jobs stopped running. I have tried unscheduling and rescheduling the jobs and even diasabling and re-enabling them. But still the time for the jobs comes and goes and no job is fired. If I look in the jobs list I see no records for these jobs.
Has anyone seen this happen before? Is there somewhere I can look to see if the jobs are failing for some reason?
thanks,
Keith
... View more
07-29-2011
01:19 PM
1 Karma
yes I am sure, if I run the same search outside of the dashboard I can see all results and totals correctly.
... View more
07-29-2011
12:01 PM
2 Karma
I have search and post-process that is returning a data table. The post process adds column totals to the table. The problem is the totals are not showing up. It appears the issue is with the SimpleResultsTable it is only displaying 19 rows even though the count and maxLines values are set to 25. If I sort the table my count descending the totals show up at the top so it looks like the totals are generating, but you cannot see them when the dashboard loads because the SimpleResutlsTable is seemingly choosing and arbitrary number of rows to show. If I remove the count line the results returns to 10 rows as I would expect. So I am not sure it is only showing 19 rows when the count is set to 25.
<module name="HiddenSavedSearch" layoutPanel="panel_row6_col1" autoRun='True'>
<param name="savedSearch">7_day_summary</param>
<param name="useHistory">True</param>
<module name="HiddenPostProcess" layoutPanel="panel_row6_col1" group="Full Data">
<param name="search"> addcoltotals label=Totals labelfield=ServiceName|fields ServiceName PlayHours PlayErrorsTotal OtherErrors Tracks Search Browse Households | rename ServiceName as "Service Name"|rename PlayHours as "Play Hours" PlayErrorsTotal as "Play Errors" OtherErrors as "Other Errors" Households as "Unique Households"</param>
<module name="JobProgressIndicator"/>
<module name="SimpleResultsTable">
<param name="count">25</param>
<param name="maxLines">25</param>
<param name="drilldown">all</param>
</module>
<module name="ViewRedirectorLink">
<param name="viewTarget">flashtimeline</param>
<param name="label">View Results</param>
</module>
</module>
... View more
07-21-2011
10:19 AM
I have the following search which outputs summarized data in 4 hours chunks perfectly:
source="MySocket" NOT ServiceName="Private Service"| eval search = if(eventtype="search",CounterValue,0)|eval browse = if(eventtype="browse",CounterValue,0)|eval tracks = if(eventtype="tracks",CounterValue,0)|eval play_seconds_val = if(eventtype="play_seconds",CounterValue,0)| eval play_error_val = if(eventtype="play_errors",CounterValue,0) | eval play_error_adj_val = if(eventtype="play_error_adjusted",CounterValue,0)| eval play_errors_total = play_error_val - play_error_adj_val | eval browse_errors=if(eventtype="browse_error",CounterValue, 0) | eval search_errors=if(eventtype="search_error",CounterValue, 0)| eval other_errors = search_errors + browse_errors|bin _time span=4h | stats sum(search) as Search sum(browse) as Browse sum(tracks) as Tracks sum(play_seconds_val) as PlaySeconds sum(other_errors) as OtherErros sum(play_errors_total) as PlayErrorsTotal distinct_count(HouseholdId) as Households by _time ServiceName
However when I try to use HiddenPostProcess with this to generate different charts and single value fields I am getting invalid field errors.
Here are a couple examples of what I am trying to do with prost process:
stats sum(Households) - this is for a single value field it fails saying illegal
timechart span=1d sum(play_seconds_val) by ServiceName useother="f" - for a chart, produces no results
timechart span=1d PlaySecnds by ServiceName useother="f" - for a chart, errors saying it must be in the form <func>(<field>)
I cannot do the summarization step in post processing because the search will return more than 10,000 results. Does anyone have any idea how to accomplish this?
Thanks in advance,
Keith
... View more
- Tags:
- postprocess
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
