×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
bruno_eduardo
Path Finder
Member since: ‎10-01-2014
‎06-05-2020
Community Statistics
Posts 24
Solutions 1
Karma Given 15
Karma Received 2
Member Since ‎10-01-2014
Activity Feed
Topics I've Started
View All

Re: How Can I do a simple line graph?

by in Dashboards & Visualizations
‎01-10-2022 02:45 PM
‎01-10-2022 02:45 PM
Can someone explain exactly what is happening when using untable?   ... View more

Re: Convert this time format to epoch and simple d...

by in Splunk Search
‎04-26-2016 06:23 AM
‎04-26-2016 06:23 AM
Assuming you have a field called my_time , try this: | rex field=my_time mode=sed "s/ BRST$/ -0200/" | eval my_time_epoch = strptime(my_time, "%b %d, %Y %H:%M:%S %Z") | eval _time = my_time_epoch We need to modify the timezone because Splunk does not recognize BRST . ... View more

Re: How to transform this date format from 2015141...

by Splunk Employee in Splunk Search
‎12-14-2015 11:15 PM
1 Karma
‎12-14-2015 11:15 PM
1 Karma
Perfectly valid approach. A quick test shows that eval/strptime is about 30% faster (on my laptop) when comparing to rex/sed with a query against a little over 100k sample events, so if efficiency is important, I would consider that. If you want to test in your environment, try ... | eval myDate = strftime( subname, "%Y-%m-%d") It won't help you in your quest to learn more about the rex command, though. 🙂 ... View more

Re: How to get results only from the last source f...

by in Getting Data In
‎11-14-2017 04:33 AM
1 Karma
‎11-14-2017 04:33 AM
1 Karma
Yes!! In my case I have solved with head comand: index=index1 source="file.csv" Status="Active" [search index=index1 source="file.csv" | dedup _time | head 1 | return _time] |... ... View more

Re: Is it possible to use Splunk DB Connect 2 with...

by SplunkTrust in All Apps and Add-ons
‎11-10-2015 01:06 PM
‎11-10-2015 01:06 PM
Hi bruno_eduardo, see the docs http://docs.splunk.com/Documentation/DBX/2.0.6/DeployDBX/Prerequisites about this, it says: Splunk DB Connect has not been tested and is not supported with Splunk Cloud, Splunk Free, or Splunk Light. cheers, MuS ... View more

Re: How to |addtotals on a |stats list result?

by in Splunk Search
‎10-26-2015 01:51 PM
‎10-26-2015 01:51 PM
I tested this method and added the addtotals command...it works well enough: index="Test" | stats count by "Event Category", "Threat Type" | stats sum(count) as Total list("Threat Type") as "Threat Type" list(count) as Count by "Event Category" | addtotals col=t fieldname=Total label=TOTAL labelfield="Event Category" | table "Event Category" "Threat Type" "Count" "Total" ... View more

Re: Lookup - How to compare and remove events from...

by in Splunk Search
‎05-09-2018 12:10 PM
‎05-09-2018 12:10 PM
It worked, thank you for your help. ... View more

Re: How to Add a button on a dashboard panel which...

by SplunkTrust in All Apps and Add-ons
‎11-28-2014 02:59 PM
‎11-28-2014 02:59 PM
Use the HTML element, for example like this: <row> <panel> <chart> ...your regular panel content goes here... </chart> <html> <a href="your url here">your text here</a> </html> </panel> </row> ... View more

Re: How do I change the color of a pie graphic for...

by in Splunk Search
‎11-24-2014 06:40 AM
‎11-24-2014 06:40 AM
Disregard, just read further on that link and found why. Now to figure out how to use that masterLegend property I guess. ... View more

Re: How to do operations with dates fields?

by SplunkTrust in Splunk Search
‎11-04-2014 04:58 AM
1 Karma
‎11-04-2014 04:58 AM
1 Karma
Hi bruno_eduardo, I would compare epoch times not human readable time stamps. So something like this will do it: ... | eval now_time=now() | convert mktime("Resolution Period") AS Resolution_Period | where Resolution_Period > now_time | table Resolution_Period regarding the future timestamp you can try this: ... | eval future_time=relative_time(now(), "+15d") | ... this will return an epoch timestamp as well. hope this helps .... cheers, MuS ... View more

Re: How to compare field values ​​in two different...

by in Splunk Search
‎10-01-2014 04:15 PM
3 Karma
‎10-01-2014 04:15 PM
3 Karma
Have you tried using the command 'set' like so: set diff [index=A* source="AB*" | rename "Field A" as name | eval name=lower(name)| fields name] [search index=B* |eval name=lower(name) | fields name] and set intersect [index=A* source="AB*" | rename "Field A" as name | eval name=lower(name)| fields name] [search index=B* |eval name=lower(name) | fields name] For more information: http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/Set ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma from
View All
Karma given to