Activity Feed
- Karma How to decrease the size of a legend text or increase the legend width? for zugji. 06-05-2020 12:47 AM
- Karma Re: How do I change the color of a pie graphic for each unique value? for tom_frotscher. 06-05-2020 12:47 AM
- Karma Why am I getting a limited number of events returned using the join command? for lbogle. 06-05-2020 12:47 AM
- Karma Re: How to compare field values in two different indexes to see which match and do not match? for sk314. 06-05-2020 12:47 AM
- Karma Re: How to |addtotals on a |stats list result? for Runals. 06-05-2020 12:47 AM
- Karma Re: How to |addtotals on a |stats list result? for somesoni2. 06-05-2020 12:47 AM
- Karma Re: How to get results only from the last source file? for woodcock. 06-05-2020 12:47 AM
- Karma Re: How Can I do a simple line graph? for somesoni2. 06-05-2020 12:47 AM
- Karma Re: Lookup - How to compare and remove events from the search? for chaker. 06-05-2020 12:47 AM
- Karma Re: Lookup - How to compare and remove events from the search? for somesoni2. 06-05-2020 12:47 AM
- Got Karma for How to compare field values in two different indexes to see which match and do not match?. 06-05-2020 12:47 AM
- Got Karma for How Can I do a simple line graph?. 06-05-2020 12:47 AM
- Karma Legend area width for lain179. 06-05-2020 12:46 AM
- Karma Simple eval + stats count by 2 fields not working for the_wolverine. 06-05-2020 12:46 AM
- Karma Re: Simple eval + stats count by 2 fields not working for the_wolverine. 06-05-2020 12:46 AM
- Karma Re: Simple eval + stats count by 2 fields not working for shikhanshu. 06-05-2020 12:46 AM
- Karma How to hide refresh time value in simple XML for Single Value Panel? for chrisdopuch. 06-05-2020 12:46 AM
- Posted Convert this time format to epoch and simple date format on Splunk Search. 04-14-2016 07:29 AM
- Tagged Convert this time format to epoch and simple date format on Splunk Search. 04-14-2016 07:29 AM
04-14-2016 07:29 AM
I have a time in the format of:
Dec 23, 2015 11:45:26 BRST
I'm trying to convert this to epoch time and later to a simple date format (dd/mm/year). Can anyone lend a hand?
Thanks!
12-14-2015 12:47 PM
Hi,
I am getting the input source file date from the name of the file itself (sourcefilename20151412.csv), like this:
index="radius" |eval subname=substr(source,14,8) |top subname |table subname
result: 20151412
I want to transform this time format from 20151412 to 2015-14-12
Is it possible with rex? I would like to know more about rex.
Thanks
11-23-2015 06:57 AM
Sorry, it worked without the |reverse, look:
index="myindex" [search index="myindex" | dedup source |stats list(source) AS source| eval source=mvindex(source,2) ]
This brings my before-last source file events.
Thanks
11-23-2015 06:48 AM
That is really great but doesn't solve the problem. This search would only help if I had a fixed number of source files; the problem is: the index continuously receives new source files automatically, so I would need to change the search every time.
11-20-2015 09:30 AM
Yes, I tried. I have 20 source files for this index and when I do this I get 19, each of them except the last one. What I need is only the 19th one. I already got the 20th with your answer; I just need the one before last.
11-20-2015 08:34 AM
But I mean the before-last source file only.
11-20-2015 07:56 AM
What about the before last?
11-20-2015 07:44 AM
Thanks!!!!
11-20-2015 07:12 AM
Hi,
I have an index which continuously receives new source files automatically; what I want is for my search to only return events from the last source file. It should be something simple, but I did not figure it out, maybe with the |head command.
11-10-2015 12:36 PM
Hi,
For the first version of the DB Connect I know it is not possible, but what about Splunk DB Connect 2?
10-26-2015 01:15 PM
Thanks. Why can't I vote for more than one answer?
10-26-2015 12:45 PM
Hi Everyone,
I would like to add a row with a total (sum) for each segment list (see the picture), and if a list has only one value then there is no need to show a total (only if possible).
here is what I got:
index="Test" |stats count by "Event Category", "Threat Type" |stats list("Threat Type") as "Threat Type" list(count) as Count by "Event Category"
Using |addtotals doesn't work at all.
10-08-2015 06:18 AM
I got it:
index="Servers" NOT [|inputlookup lookup_name | fields Server_Name] |table Server_Name
First you need to import the .csv file under Settings --> Lookups --> Add New --> Lookup File, and then create the Lookup Definition.
The important thing is: the field name must be the same.
Thanks
10-07-2015 08:14 AM
Sorry, but I still can't do it, there was no accepted answer on those posts.
What I am trying to do is:
index=* |fields Server_Name NOT [|inputlookup LookUpTable.csv append=f| fields Server_Name_To_Be_Removed] |Table Server_Name
But it is not working.
10-07-2015 07:12 AM
I need to remove a list of servers from my search. This list changes once a month so I thought of using a lookup table. Is it possible? How can I do it?
So in my index there is a field Server_Name, and in my lookup table there is a field Server_Name_To_Be_Removed. What I need is to compare both fields and remove the events that match the value of this field.
Index=Servers MyBaseSearch NOT Compared_Equal_Server_Name_To_Be_Removed=Yes
09-29-2015 12:33 PM
I got it: | sort str(Months) desc
Thank you very much. Could you please explain every step?
One more thing, you forgot to put an 's' on "| chart first(Value) over Month". Can you correct it? It is better in case someone lands here.
09-29-2015 12:03 PM
That is it!!! Well, almost. The only thing is: how can I change the order of the months? Because right now it is like August -> July -> June!! It needs to be June -> July -> August.
09-29-2015 08:28 AM (1 Karma)
Hi,
How can I do a simple line graph? Here is an example:
I have four fields (Fruits, June, July, August), like this
and I want the X axis to be (June, July, August) and each fruit must be a series, like this:
So there is no time field in this one, so probably I need to use |chart.
11-28-2014 08:14 AM
Hello,
I would like to know how to customize one of my dashboards a little bit more.
How do I add a button on a dashboard panel which directs to another dashboard or URL?
11-24-2014 05:35 AM
I have a Risk field with these possible values (Critical, High, Medium, Low) and I want it to be red when Critical, purple for High, yellow for Medium and green for Low.
I would like to do this in the query itself; if it is not possible, let's do it in the XML!!!
Here is the xml:
<chart>
<title>Severidade - Vulnerabilidades Vencidas</title>
<searchString>index="patches" earliest=@d latest=now Estado=Vencida OR Estado=Expired NOT Descripci_xF3n="EHT*" NOT Title="EHT*" NOT GrupoName2="DS - PROJETOS" | stats count by Risk</searchString>
<earliestTime>0</earliestTime>
<latestTime>now</latestTime>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">minimal</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
</chart>
Thanks in advance
11-04-2014 04:21 AM
I have a date field and I would like to return only events that are within a specific range, from today to 15 days in the future.
To get today:
|eval timenow=now() |eval nowstring=strftime(now(),"%d/%m/%Y %H:%M:%S")
|table nowstring
04/11/2014 10:35:59
My date field is already like this:
|table "Resolution Period"
27/01/2014 23:59:59
But when I try a simple search like this:
|where "Resolution Period" > nowstring |table "Resolution Period"
I still get all events, unfiltered. Do I need to change something on "Resolution Period"??
And how do I return only events that are within a specific range, from today to 15 days in the future???
Thanks in advance
10-01-2014 10:45 AM (1 Karma)
How do I compare field values in different indexes, returning "match" and "not match"?
The same as the VLOOKUP functionality of Excel.
By using | join I get the "match" ones, but how can I get "not match"???
index=A* source="AB*" | rename "Field A" as name | eval name=lower(name) | join type=inner name [search index=B* |eval name=lower(name) |table name | sort name] | table name |sort name