Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About IRHM73
IRHM73
Motivator
Member since:
07-08-2015
06-05-2020
Community Statistics
| Posts | 554 |
| Solutions | 23 |
| Karma Given | 58 |
| Karma Received | 41 |
| Member Since | 07-08-2015 |
Activity Feed
- Got Karma for Re: Why am I unable to multiply two fields fields with my current search syntax?. 06-11-2024 10:44 AM
- Got Karma for Re: Append Non Matching Results to Lookup Table. 04-24-2022 05:14 PM
- Got Karma for Re: Stats Values and Count. 11-03-2021 12:34 PM
- Karma Re: Stats Count Eval If for cvssravan. 06-05-2020 12:50 AM
- Karma Re: Stats Count Eval If for renjith_nair. 06-05-2020 12:50 AM
- Karma Re: Subtotals with Sum for woodcock. 06-05-2020 12:50 AM
- Karma Re: Can you help me incorporate my search into a summary Index? for ashajambagi. 06-05-2020 12:50 AM
- Got Karma for Use Timepicker Token With Field. 06-05-2020 12:50 AM
- Karma Re: Stats values Into timechart -- I can't get timechart to work for cmerriman. 06-05-2020 12:49 AM
- Karma Re: Replace First Two Digits for gcusello. 06-05-2020 12:49 AM
- Got Karma for How to display zero count in a stats table?. 06-05-2020 12:49 AM
- Got Karma for Transpose Multiple Column Headers. 06-05-2020 12:49 AM
- Got Karma for Re: Hide/Display Panels Using Multiselect. 06-05-2020 12:49 AM
- Got Karma for Hide/Display Panels Using Multiselect. 06-05-2020 12:49 AM
- Karma Re: How to Update a Lookup Table for DMohn. 06-05-2020 12:48 AM
- Karma Re: Different Results From Similar Queries for somesoni2. 06-05-2020 12:48 AM
- Karma Re: What configuration file contains app version numbers so I can propagate version numbers from GitHub to Splunk? for javiergn. 06-05-2020 12:48 AM
- Karma Re: Why am I getting no results from my saved search with append when I extend the range on the dashboard time picker? for woodcock. 06-05-2020 12:48 AM
- Karma Re: Extract Searches Performed for somesoni2. 06-05-2020 12:48 AM
- Karma Re: Eval If Statement for dwaddle. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
11-14-2024
05:19 AM
Hello all, This thread was very helpful to me and i described my picked time period in the dashboard panel description . I used the progress tag : <eval token="a1_jobEarliest">strptime($job.earliestTime$,"%Y-%m-%d_%H:%M:%S")</eval>
<eval token="a1_jobLatest">strptime($job.latestTime$,"%Y-%m-%d_%H:%M:%S")</eval>
<set token="a1_jobEarliest">$job.earliestTime$</set>
<set token="a1_jobLatest">$job.latestTime$</set>
However I still get formatting details that I dont need ( underlined in blue are miliseconds) :
... View more
07-29-2022
11:24 AM
Thanks for the reply. But... I gotta say, the syntax for doing multiple joins is very convoluted and not intuitive compared with SQL.
... View more
06-29-2022
11:47 AM
This is a pretty complex problem - part of the puzzle is in the audit log's info="granted" event, another part is in the audit log's info="completed" event, even more of it is over in the introspection index. Then of course for jobs that still exist on the filesystem there is a wealth more info you can get from the rest command or by a custom search command that inspects info.csv and status.csv. I recommend checking out an app that we released recently called Sideview UI - specifically the view within that app called "user_activity". This will do all of this for you, sidestep pretty thorny autokv problems in the audit data, and not just give you all of this per search, but also present stats and rollups by user, app, dashboard, even by sourcetypes-that-were-actually-searched it also has a macro called "calculate pain" that will score a "pain" number for each search, and then sum up all the "pain" in the by-user, by-app, by-sourcetype rollups etc. So that admins can try and pick off the worst offenders first. it's up on SB here and approved for both Cloud and onprem - https://splunkbase.splunk.com/app/6449/ and there's a #sideview_ui channel for it in the community slack.
... View more
05-16-2021
04:46 PM
Thanks Hegga, This worked for me too. Quick and easy, exactly the way i wanted.
... View more
08-25-2020
04:25 AM
@Ashwini008 refer to another answer by me with couple of workarounds to set the required tokens based on time input selection. One of the uses input change event handler and other one which is more dynamic uses an independent search: https://community.splunk.com/t5/Archive/Running-one-of-two-searches-based-on-time-picker-selection/td-p/364411
... View more
09-06-2019
03:56 AM
You are welcome!
Sometimes you have to think out of the box to get where you want to be 😉
Feel free to accept this answer and help others 🙂
cheers, MuS
... View more
07-18-2019
12:03 AM
Hi, I wonder if someone could help me please.
We're using Enterprise V6.5.7 and we have issues in updating summary indexes using both the 'fill summary' command and scheduled searches (via cron jobs).
The jobs are shown as being run successfully but, the data is not being ingested into the Summary Index, and this is affecting multiple Summary Indexes.
However, when we run the same search in the UI using the 'collect' command, an example of which is:
collect index=summary_dg_allcode marker="report=CoDE2019Data"
The data is ingested correctly into the Summary Index.
I appreciate that the details are sketchy, basically I'm not even sure where to start looking, but I just wondered whether someone may be able to offer some guidance if they've experienced similar issues, and how they've resolved this, and /or whether they can suggest areas to look into, in greater depth?
Many thanks and kind regards
Chris
... View more
05-23-2019
11:46 PM
Hi @FrankVl.
Thank you for taking the time to reply to my message and for the confirmation.
Kind Regards
Chris
... View more
05-16-2019
03:41 AM
Great, earlier I thought that you want area code as number after 350 and 44 & that's why I deleted my answer earlier.
... View more
04-23-2020
11:03 PM
I have been struggling with the same issue... cannot seem to get another panel search to be disabled and stop running. Even when all of the "searchWhenChanged" fields are set to false. https://answers.splunk.com/answers/231685/how-to-disable-a-search-for-a-dashboard-panel.html
... View more
04-03-2019
10:12 AM
Hi @vnravikumar ,
Thank you for coming back to me with this.
The problem is that this needs to have an element which separates the events. At the moment it's putting them all one one row and goes from Field1 Field10 Field 100, whereas I'd like them to be sequential if possible please?
Many thanks and kind regards
Chris
... View more
08-21-2019
02:23 AM
1 Karma
I saw a similar message below
[splunk-idx1] Failed to parse templatized search for field 'tag::eventtype'
This error was caused by following forearch command.
| foreach *
[ eval <<FIELD>> = if(isnull(<<FIELD>>),"",<<FIELD>>)]
I think the <> template cannot handle fields contains special characters. I worked around this by adding | fields - tag::eventtype just before the foreach.
You can probably work around by adding | fields - 'clientHeaders.test-client-device-id{}'
... View more
03-02-2019
10:28 AM
Hi @richgalloway . That makes a huge difference.
I now have the columns I want.....it's great.
I just now need to work out had to incorporate the counts but I think I can work with that.
Thank you so much for all your time and trouble, it's sincerely appreciated.
Kind Regards
Chris
... View more
02-26-2019
12:09 AM
Hi, I found the solution which is:
sum(eval(if(signout="1", "1", "")))
Many thanks to all your suggestions and help.
Kind Regards
... View more
02-22-2019
02:12 AM
1 Karma
Summary indexing is mainly to speed up the searching by filtering the required data which will be fulfilled by using transforming command.
Schedule a report and enable summary indexing on it. You can perform further search on the si data.
... View more
02-21-2019
01:48 AM
Hi @woodcock.
I've been working on this and have got this to work by tweaking the final few lines of the code to:
| eval newtime = newtime . " Total"
| streamstats dc(newtime) AS _serial
| multireport
[ rename newtime AS _newtime ]
[ stats sum(*) AS * first(_serial) AS _serial BY newtime
| rename newtime AS _newtime
| eval ClientID = _newtime ]
| sort 0 BY _serial
| fields - newtime
Many thanks for all your help.
Kind Regards
Chris
... View more
03-04-2019
01:08 AM
I do not have your data so that line helps me fake it. If the solution works, be sure to click Accept to close it and also UpVote any answers or comments that were valuable.
... View more
05-13-2018
07:42 AM
Hi, I wonder whether someone could help me please.
I'm using the following join query which extracts the data perfectly:
`wso2_wmf(RequestCompleted)`
request.detail.Context="individual-*" OR
request.detail.Context="marriage" OR
request.detail.Context="national"
| rename request.detail.applicationClientId as clientId request.detail.Context as api
| join clientId [ | search `application_wmf(RequestReceived)` detail.input="Request to /application"
| spath output=developer input=detail.responseMessage path=name
| rex field=tags.transactionName "clientId\=(?<clientId>[^\W]+)"]
| stats count by developer api
The problem I have is that I no that the Join command is inefficient and my results will be restricted to 50,000 rows.
I know that the best alternative is to use the 'Stats Values' but after trying this using a multisearch and then as OR statement solution as shown below, I have difficulty in bringing together the developer name when using the stats count by api.
(`wso2_wmf(RequestCompleted)`)
request.detail.Context="individual-*" OR
request.detail.Context="marriage" OR
request.detail.Context="national")
( `application_wmf(RequestReceived)`)
Could someone have a look at this please and let me know where I've gone wrong?
Many thanks and kind regards
Chris
... View more
05-10-2018
11:04 PM
Hi, thank you for coming back to me with this.
I didn't know about using the 'report' command in this way.
Many thanks and kind regards
Chris
... View more
04-26-2018
11:25 PM
Hi @kmaron, yes thank you for this.
I've now included the _time but I have issues over the Transpose.
Kind Regards
Chris
... View more
04-26-2018
05:16 AM
All,
I've come up with the following which resolves the issue highlighted in this ticket.
(wso2_wmf(RequestCompleted)) OR (`auth_wmf(RequestReceived)`)
| spath output=afin input=detail.responseMessage path=affinityGroup
| eval requestid=coalesce('request.tags.X-Request-ID', 'tags.X-Request-ID')
| stats values(afin) as afin, values(request.detail.apiContext) as api by requestid
| search (api="benefits" OR api="employment" OR api="income")
| stats count by afin, api
| transpose 0
| fields - column
Many thanks for all your help.
Regards
Chris
... View more
04-22-2018
12:22 PM
It is still unclear what the "issue" is. It would be crystal clear if you exemplified it as I suggested.
... View more
