Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About seanmylne
seanmylne
New Member
Member since:
07-03-2015
06-05-2020
Community Statistics
| Posts | 10 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 07-03-2015 |
Activity Feed
- Posted Re: time picker on Splunk Search. 01-13-2018 01:47 AM
- Posted Re: time picker on Splunk Search. 01-12-2018 09:41 AM
- Posted Re: time picker on Splunk Search. 01-12-2018 09:38 AM
- Posted Re: time picker on Splunk Search. 01-10-2018 01:37 PM
- Posted time picker on Splunk Search. 01-09-2018 01:21 PM
- Tagged time picker on Splunk Search. 01-09-2018 01:21 PM
- Tagged time picker on Splunk Search. 01-09-2018 01:21 PM
- Posted Count identical messages as a total value in the results on Splunk Search. 10-03-2015 07:57 AM
- Tagged Count identical messages as a total value in the results on Splunk Search. 10-03-2015 07:57 AM
- Tagged Count identical messages as a total value in the results on Splunk Search. 10-03-2015 07:57 AM
- Tagged Count identical messages as a total value in the results on Splunk Search. 10-03-2015 07:57 AM
- Posted Re: Hi all, i have been trying to figure out how to use timechart with percentages. I have the following command which gives me the percentages but have not sucessfully able to use this with timechart. on Splunk Search. 10-03-2015 07:31 AM
- Posted Re: Hi all, i have been trying to figure out how to use timechart with percentages. I have the following command which gives me the percentages but have not sucessfully able to use this with timechart. on Splunk Search. 07-04-2015 04:06 AM
- Posted Re: Hi all, i have been trying to figure out how to use timechart with percentages. I have the following command which gives me the percentages but have not sucessfully able to use this with timechart. on Splunk Search. 07-04-2015 12:58 AM
- Posted Hi all, i have been trying to figure out how to use timechart with percentages. I have the following command which gives me the percentages but have not sucessfully able to use this with timechart. on Splunk Search. 07-03-2015 01:51 PM
- Tagged Hi all, i have been trying to figure out how to use timechart with percentages. I have the following command which gives me the percentages but have not sucessfully able to use this with timechart. on Splunk Search. 07-03-2015 01:51 PM
- Tagged Hi all, i have been trying to figure out how to use timechart with percentages. I have the following command which gives me the percentages but have not sucessfully able to use this with timechart. on Splunk Search. 07-03-2015 01:51 PM
- Tagged Hi all, i have been trying to figure out how to use timechart with percentages. I have the following command which gives me the percentages but have not sucessfully able to use this with timechart. on Splunk Search. 07-03-2015 01:51 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
01-13-2018
01:47 AM
Hi micahkemp
This is what i have - which errors with invalid earliest time.
SM_Test
<query>
<![CDATA[| makeresults | addinfo | eval earliest7=info_min_time-7*24*3600, latest7=if(info_max_time="+Infinity", now()-7*24*3600, info_max_time-7*24*3600)]]>
</query>
<done>
<condition match="'job.resultCount' == 1">
<set token="earliest7">$result.earliest7$</set>
<set token="latest7">$result.latest7$</set>
</condition>
</done>
<input type="time" token="field1" searchWhenChanged="true">
<label></label>
<default>
<earliest>-15m</earliest>
<latest>now</latest>
</default>
</input>
<panel>
<table>
<title>xyz</title>
<search>
<query>host="xxx-xxx-xxx" sourcetype="alarm_metric" |spath "Message.SourceApp" | search "Message.SourceApp"=xyz | eval spath='Message.EventMessage' | rex field=spath "took (?P<elapsed>\S+)" | eval elapsed = elapsed/1000 | table _time spath, host elapsed | eval ReportKey="This Time 7 Days Ago" | append [search host="xxx-xxx-xxx" sourcetype="alarm_metric" $earliest$ $latest$ | spath "Message.SourceApp" | search "Message.SourceApp"=xyz | eval spath='Message.EventMessage' | rex field=spath "took (?P<elapsed>\S+)" | eval elapsed = elapsed/1000 | table _time spath, host elapsed | eval ReportKey="Today"] | chart count by elapsed span=1 ReportKey</query>
<earliest>$earliest7$</earliest>
<latest>$latest7$</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
Thanks
Sean
... View more
01-12-2018
09:41 AM
Hi micahkemp,
Thanks for the advice. However i can not actually get it work. Not sure what i am missing but i either get invalid start time or waiting for input when i am trying to get it to work.
Thanks
Sean
... View more
01-12-2018
09:38 AM
Hi nyabykh,
Even with it explained a little bit more i can not get either to work. I have tried various permutations of following both advice but either getting waiting for input or invalid start time.
Thanks
Sean
... View more
01-10-2018
01:37 PM
Hi Nryabykh,
Thanks for the reply. tbh i tried it with and without the m and could not get it to play 😞
I have also tried to add your suggestions but without success. I have added my panel and start of the form:-
SM_Test
<input type="time" token="field1" searchWhenChanged="true">
<label></label>
<default>
<earliest>-15m</earliest>
<latest>now</latest>
</default>
</input>
<init>
<set token="earliest7">$result.$earliest7$</set>
<set token="latest7">$result.$latest7$</set>
</init>
<panel>
<table>
<title>Test App</title>
<search>
<query>makeresults | addinfo | eval earliest7=info_min_time-7*24*3600, latest7=if(info_max_time="+Infinity", now()-7*24*3600, info_max_time-7*24*3600)
host="xxx-xxx-xxx" sourcetype="alarm_metric" earliest=earliest7$ latest=latest7$ | spath "Message.SourceApp" | search "Message.SourceApp"=xxxx
| eval spath='Message.EventMessage' | rex field=spath "took (?P<elapsed>\S+)" | eval elapsed = elapsed/1000
| table _time spath, host elapsed | eval ReportKey="This Time 7 Days Ago" | append [search host="xxx-xxx-xxx" sourcetype="alarm_metric" earliest=$field1.earliest$ latest=$field1.latest$
| spath "Message.SourceApp" | search "Message.SourceApp"=xxxx | eval spath='Message.EventMessage' | rex field=spath "took (?P<elapsed>\S+)" | eval elapsed = elapsed/1000
| table _time spath, host elapsed | eval ReportKey="Today"] | chart count by elapsed span=1 ReportKey</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
Using the above i get an error stating "Search is waiting for input...."
Not sure where i am going wrong.
Thanks
Sean
... View more
01-09-2018
01:21 PM
Hi guys,
I am trying to show 2 tables - one for the time frame using a time-picker and one search for the same time frame but for 7 days ago.
Below is my query using field1 as my time picker.
Below is my "query" in my dashboard.
host="xxx-xxx-xxx" sourcetype="alarm_metric" ealiest=$field1.earliest$-86400m latest=$field1.ealiest$-86385m
| spath "Message.SourceApp" | search "Message.SourceApp"=xxxx | eval spath='Message.EventMessage' | rex field=spath "took (?P<elapsed>\S+)"
| eval elapsed = elapsed/1000 | table _time spath, host elapsed | eval ReportKey="This Time 7 Days Ago" | append [search host="xxx-xxx-xxx" sourcetype="alarm_metric" earliest=$field1.earliest$ latest=$field1.latest$
| spath "Message.SourceApp" | search "Message.SourceApp"=xxxx | eval spath='Message.EventMessage' | rex field=spath "took (?P<elapsed>\S+)" | eval elapsed = elapsed/1000 | table _time spath, host elapsed
| eval ReportKey="Today"] | chart count by elapsed span=1 ReportKey
I am using count and not timechart so cannot use timewrap as i want to show a count of response times 0-1, 2-3 and so on.
Thanks
Sean
... View more
10-03-2015
07:57 AM
Hi guys,
What i would like to do is display as a count the number of times an identical message is seen in the Message.EventMessage field. If there was only one hit in the logs display 1.
So far my code only shows count = 1 even tough i have multiple identical messages 😞
I would also like to display when the message was last seen in the logs too, but this does not seam to work so have given up on that for now, unless anyone knows how this can be done using what I have pasted below?
Message.EventMessage="* has been flagged *" | stats Count list(Message.EventMessage) AS Name by _time Message.EventMessage | eval "First Seen"=_time | convert timeformat="%H:%M:%S:%3N %d/%m/%Y" ctime("First Seen") | dedup Message.EventMessage| table "First Seen", Name, Count
Thanks
Sean
... View more
10-03-2015
07:31 AM
Hi Martin,
I changed it slightly to suit my needs but many thanks for your help.
index=alarm* host="" Message.EventCategory="Error" OR "ERROR" | stats count as Error| eval Events= [search "" | stats count as search] | eval "Error Percentage" = (Error/Events)*100 | fields Events Error "Error Percentage"
... View more
07-04-2015
04:06 AM
Hi Martin,
It appears that my version of Splunk (5.0.5, build 179365) will not work with tstats as this was introduced in version 6.
I have amended the search as below:
index=* host="*" Message.EventCategory="Error" OR "ERROR" | timechart count as Error | appendcols [stats count by _time |
timechart count] | eval "Error Percentage" = error / count * 100 | fields Error Count Percentage
but this only brings back results for the errors 😞
... View more
07-04-2015
12:58 AM
Hi Martin,
Thanks for the quick reply. I have tried to run this but it throws the following error:-
Error in 'TsidxStats': Missing 'FROM' keyword to specify namespace.
I am still looking at this but do you have any ideas?
Thanks
Sean
... View more
07-03-2015
01:51 PM
index=alarm* host="" Message.EventCategory="Error" OR "ERROR" | stats count as Error| eval Events= [search "" | stats count as search] | eval "Error Percentage" = (Error/Events)*100 | fields Events Error "Error Percentage"
Any helps would be very welcome.
Thanks
Sean
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
