cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
mthomas_splunk
Splunk Employee
Member since: ‎01-14-2018
‎05-31-2024
Community Statistics
Posts 11
Solutions 3
Karma Given 2
Karma Received 12
Member Since ‎01-14-2018
Activity Feed
View All

Re: Any way to get the name of the scheduled searc...

by Splunk Employee in Reporting
‎05-31-2024 07:54 AM
‎05-31-2024 07:54 AM
All you need is: | eval Name_Of_Search="$name$"   This is documented at https://docs.splunk.com/Documentation/Splunk/9.2.1/Alert/EmailNotificationTokens  ... View more

Re: How to search inverter column?

by Splunk Employee in Dashboards & Visualizations
‎06-08-2022 09:18 AM
‎06-08-2022 09:18 AM
This will implement the manipulation, as per your example. Generate sample data: | makeresults 1 | eval _raw="column_a=aaa,column_b=bbb,column_c=ccc,column_d=ddd,column_e=eee,column_f=fff,column_g=ggg" | extract | fields - _raw _time _kv Manipulate data: | eval column_e=column_e."_-_".column_d."_-_".column_c."_-_".column_b."_-_".column_a | fields - column_a, column_b, column_c, column_d | transpose column_name=name | rename "row 1" AS value | rex field=value "(?<value>.*)_-_(?<column_d>.*)_-_(?<column_c>.*)_-_(?<column_b>.*)_-_(?<column_a>.*)" | filldown | table column_a, column_b, column_c, column_d, name, value ... View more

Re: How to get a comma separated List

by Splunk Employee in Splunk Search
‎06-30-2020 09:28 AM
2 Karma
‎06-30-2020 09:28 AM
2 Karma
To generate the source data, I used:   | makeresults count=1500 | streamstats count | eval email="email"+count+"@email.com" | fields - _time, count   then to combine it, it used:   | mvcombine email delim="," | nomv email   Which results in:   email1@email.com,email2@email.com,email3@email.com,email4@email.com,email5@email.com,email6@email.com,emai....   Alternatively, you can use the following to leave the email addresses in separate  events:   | reverse | streamstats count | eval email=if(count>1,email+",",email) | fields - count | reverse   which results in:   email1@email.com, email2@email.com, email3@email.com, email4@email.com, ... email1499@email.com, email1500@email.com   Hopefully one of those does what you're after? ... View more

Re: How to use ingest-eval when filename always ch...

by Splunk Employee in Splunk Enterprise
‎06-29-2020 04:20 AM
‎06-29-2020 04:20 AM
INGEST_EVAL can be used for many different purposes. I believe in this case, you are wanting to take a timestamp from the file name, and use it for each event ingested. You also want the logic to ignore "prod-x-" (where 'x' is a positive integer). The following entry in your transforms.conf should do the trick:    INGEST_EVAL = _time=strptime(replace(source,"(^.*(?=/)/prod-\d+-|\.txt$)",""),"%d%m%Y%H%M%S")   ... View more

Re: How can I combine timestamp in the filename pl...

by Splunk Employee in Splunk Enterprise
‎04-02-2019 03:31 AM
‎04-02-2019 03:31 AM
This is possible in Splunk Enterprise 7.2, making use of the new ingest-time eval. Full documentation is at https://docs.splunk.com/Documentation/Splunk/latest/Data/IngestEval. Example File Name: xxx_20181127_175823.txt File Name Format: xxx_%Y%m%d_%H%M%S.txt props.conf [mysourcetype] TRANSFORMS=timestampeval transforms.conf [timestampeval] INGEST_EVAL = _time=strptime(replace(source,"(^.*(?=/)/|\.txt$)","").substr(_raw, 9, 3),"xxx_%Y%m%d_%H%M%S%Q") This does the following: Takes the the "source" metadata value (which is the path and file name) Removes the path and .txt extension (this leaves the "xxx", date and hours, minutes seconds of the time) Concatenates the 3 characters from the raw event (the milliseconds) Converts the string to a timestamp All events in the file will have the same day, month, year, hour, minute, second from the file name, but then milliseconds will be from the individual event. ... View more

Re: How do you extract a timestamp from a filename...

by Splunk Employee in Getting Data In
‎04-02-2019 02:35 AM
2 Karma
‎04-02-2019 02:35 AM
2 Karma
This is possible in Splunk Enterprise 7.2, making use of the new ingest-time eval. Full documentation is at https://docs.splunk.com/Documentation/Splunk/latest/Data/IngestEval. Example File Name: Log_I15_13092018183001.txt File Name Format: Log_I15_%d%m%Y%H%M%S.txt props.conf [mysourcetype] TRANSFORMS=timestampeval transforms.conf [timestampeval] INGEST_EVAL = _time=strptime(replace(source,".*(?=/)/",""),"Log_I15_%d%m%Y%H%M%S.txt") This takes the "source" metadata value (which is the path and file name), removes the path, then extracts the date and time from the filename. All events in the file will have the same _time when imported. ... View more

Re: How to extract the timestamp from a filename a...

by Splunk Employee in Splunk Search
‎04-02-2019 02:18 AM
‎04-02-2019 02:18 AM
I downvoted this post because although correct at the time, this answer is no longer accurate ... View more

Re: Find the delta between first logins and last l...

by Splunk Employee in Splunk Search
‎01-28-2019 09:33 AM
1 Karma
‎01-28-2019 09:33 AM
1 Karma
The following 6 lines of SPL produce the raw dataset you used in your stackoverflow question: | makeresults count=1 | eval data="Login,1|Login,2|Logout,1|Logout,2|Logout,3|Logout,4|Login,3|Logout,5|Login,4|Login,5|Logout,6|Login,6|Logout,7|Logout,8" | makemv delim="|" data | mvexpand data | rex field=data "(?<action>[^\,]+),(?<action_number>\d+)" | fields - _time, data The logic below to produces the required result. Loosely speaking, it: Keeps a count of the active sessions (streamstats) Ensures this does not go below zero (streamstats, eval) Works out the next action (reverse, streamstats) Uses logic based on session count, current action and next action to decide whether you need to use this event in your calculations (eval) SPL: | eval actiontype=if(action=="Login",1,-1) | streamstats reset_after="("session_count<\"0\"")" sum(actiontype) AS session_count | eval session_count=if(session_count==-1,0,session_count) | reverse | streamstats current=f global=f window=1 max(actiontype) AS next_actiontype | eval "Flag for Deletion"=if(session_count>1 OR (session_count==0 AND next_actiontype==-1) OR (session_count==1 AND actiontype==-1),"True","False") | reverse | fields action, action_number,"Flag for Deletion" ... View more

Re: How to use date in filename as the timestamp f...

by Splunk Employee in Getting Data In
‎01-09-2019 05:33 AM
3 Karma
‎01-09-2019 05:33 AM
3 Karma
This is possible in Splunk Enterprise 7.2, making use of the new ingest-time eval. Full documentation is at https://docs.splunk.com/Documentation/Splunk/latest/Data/IngestEval. Example File Name: Log_I15_13092018.txt File Name Format: Log_I15_%d%m%Y.txt _time value assigned to events: 13/09/2018 00:00:00.000 props.conf [mysourcetype] TRANSFORMS=timestampeval transforms.conf [timestampeval] INGEST_EVAL = _time=strptime(replace(source,".*(?=/)/",""),"Log_I15_%d%m%Y.txt") This takes the "source" metadata value (which is the path and file name), removes the path, then extracts the date from the filename. The time defaults to 00:00:00. All events in the file will have the same _time when imported. ... View more

Re: How to extract the timestamp from a filename a...

by Splunk Employee in Splunk Search
‎01-09-2019 05:00 AM
4 Karma
‎01-09-2019 05:00 AM
4 Karma
This is possible in Splunk Enterprise 7.2, making use of the new ingest-time eval. Full documentation is at https://docs.splunk.com/Documentation/Splunk/latest/Data/IngestEval. Example File Name: Log_I15_13092018183001.txt File Name Format: Log_I15_%d%m%Y%H%M%S.txt props.conf [mysourcetype] TRANSFORMS=timestampeval transforms.conf [timestampeval] INGEST_EVAL = _time=strptime(replace(source,".*(?=/)/",""),"Log_I15_%d%m%Y%H%M%S.txt") This takes the "source" metadata value (which is the path and file name), removes the path, then extracts the date and time from the filename. All events in the file will have the same _time when imported. ... View more

Will the Nest Add-on for Splunk work on Windows 10...

by Splunk Employee in All Apps and Add-ons
‎01-14-2018 04:06 PM
‎01-14-2018 04:06 PM
There is no suggestion on https://splunkbase.splunk.com/app/3214/ that the Nest Add-on for Splunk is expected to work on Windows 10 - I'm just wondering if this would be possible? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎05-31-2024 11:15 AM
Karma from
Karma given to
View All