Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About aguthrie1190
aguthrie1190
Path Finder
Member since:
03-22-2018
08-07-2020
Community Statistics
| Posts | 14 |
| Solutions | 0 |
| Karma Given | 3 |
| Karma Received | 4 |
| Member Since | 03-22-2018 |
Activity Feed
- Got Karma for Re: How to extract key, field name, and value with regex?. 09-08-2020 08:34 AM
- Karma Re: How do I show more fields after the stats count by command? for mtranchita. 06-05-2020 12:50 AM
- Got Karma for Re: How do I show more fields after the stats count by command?. 06-05-2020 12:50 AM
- Got Karma for Is there a way to add forwarder to a deployment class automatically?. 06-05-2020 12:50 AM
- Got Karma for Re: How to extract key, field name, and value with regex?. 06-05-2020 12:48 AM
- Karma Re: [indexer] Streamed search execute failed because: User 'nobody' could not act as: for my2ndhead. 06-05-2020 12:46 AM
- Karma Re: [indexer] Streamed search execute failed because: User 'nobody' could not act as: for jhupka. 06-05-2020 12:46 AM
- Posted Re: How to show more than 50 events on a page in 7.x ? on Splunk Search. 08-02-2019 12:04 PM
- Posted Re: How do I show more fields after the stats count by command? on Splunk Search. 05-23-2019 02:03 PM
- Posted Re: How do I show more fields after the stats count by command? on Splunk Search. 05-23-2019 01:49 PM
- Posted Re: How to attain a list with all the fields in which a certain string appears? on Splunk Search. 05-23-2019 01:37 PM
- Posted Re: How to extract key, field name, and value with regex? on Splunk Search. 02-07-2019 02:03 PM
- Posted Re: Is there a way to add forwarder to a deployment class automatically? on Getting Data In. 10-05-2018 06:05 AM
- Posted Is there a way to add forwarder to a deployment class automatically? on Getting Data In. 10-04-2018 06:37 PM
- Tagged Is there a way to add forwarder to a deployment class automatically? on Getting Data In. 10-04-2018 06:37 PM
- Tagged Is there a way to add forwarder to a deployment class automatically? on Getting Data In. 10-04-2018 06:37 PM
- Tagged Is there a way to add forwarder to a deployment class automatically? on Getting Data In. 10-04-2018 06:37 PM
- Tagged Is there a way to add forwarder to a deployment class automatically? on Getting Data In. 10-04-2018 06:37 PM
- Posted Re: How can I create a subsearch with multiple time ranges? on Splunk Search. 03-26-2018 07:53 PM
- Posted Re: How can I create a subsearch with multiple time ranges? on Splunk Search. 03-23-2018 06:54 AM
Topics I've Started
08-02-2019
12:04 PM
I'm not sure how supported this change is. But you can change the values in these two files:
/opt/splunk/share/splunk/search_mrsparkle/exposed/build/pages/enterprise/search.js
/opt/splunk/share/splunk/search_mrsparkle/exposed/build/pages/enterprise/common.js
Look for this JSON block:
{value:"10",label:("10 per page").t()},{value:"20",label:("20 per page").t()},{value:"50",label:_("50 per page").t()}
And add additional values to it:
{value:"10",label:("10 per page").t()},{value:"20",label:("20 per page").t()},{value:"50",label:("50 per page").t()},{value:"100",label:("100 per page").t()}
This code appears multiple times in each file, so you'll have to replace it each time.
... View more
05-23-2019
02:03 PM
When you do count by , stats will count the times when the combination of fields appears together, otherwise it will throw away the field if it is not specified in your by argument.
Say you have this data
1 host=host1 field="test"
2 host=host1 field="test2"
And my search is:
* | stats count by host field
I'll have 2 results, each with the count of 1. One result for host1, test and one result for host1, test2.
What does your data look like, if you have a lot of unique events, stats may not be the best way to characterize your data.
... View more
05-23-2019
01:49 PM
1 Karma
index=wineventlog EventCode=4740 host=* | stats count by Account_Name Field1 Field2 | sort - count
That should add Field1 and Field2 to your results
... View more
05-23-2019
01:37 PM
| makeresults count=4 | streamstats count | eval field1=if(count<3,"A",0) | eval field2=if(count>3,"A",0) | eval field3=if(count==3,"A",0) | eval field4=0
| eval field_list=""
| foreach * [eval field_list=if(match(<<FIELD>>,"A"),field_list+" "+"<<FIELD>>",field_list)]
| makemv delim=" " field_list
| mvexpand field_list
| dedup field_list
| fields field_list
Make results just makes some data to work with. Then we make an empty field list, that we will append field names to if they match your string. So match(<<FIELD>>,"A") will evaluate as true when the CONTENT of the field matches "A". Then field_list+" "+"<<FIELD>> will append the NAME of the field to field_list. Otherwise the if statement just returns the previous field_list.
After that line it's just some data manipulation. | makemv delim=" " field_list will turn all your space delimited field_list variables into multivalues, mvexpand expands them all to their own event, then dedup gets rid of the duplicates.
Hope that helps!
... View more
02-07-2019
02:03 PM
2 Karma
Late to the party here, but I had a similar need to this and saw that this question hadn't been answered. Basically do your extractions, then use {} in an eval to have a variable fieldname.
| gentimes start=-2
| eval _raw="extract"+starttime+" this"+endtime
| rex field=_raw "(?<field_name>extract[0-9]+)\s(?<field_value>this[0-9]+)"
| eval {field_name}=field_value
Then if you care, you can get rid of the placeholder fields:
| gentimes start=-2
| fields - *human
| eval _raw="extract"+starttime+" this"+endtime
| rex field=_raw "(?<field_name>extract[0-9]+)\s(?<field_value>this[0-9]+)"
| eval {field_name}=field_value
| fields - field_name field_value
These searches should run anywhere. The idea came from here https://answers.splunk.com/answers/103700/how-do-i-create-a-field-whose-name-is-the-value-of-another-field-like-backticks-or-eval-in-other-languages.html.
... View more
- Tags:
- rex
10-05-2018
06:05 AM
This definitely seems doable, thank you.
... View more
10-04-2018
06:37 PM
1 Karma
I'm looking to setup a deployment server in my environment. However, I can't seem to find the answer to this question in the docs so far, maybe someone can help.
Can I add a forwarder to a particular class from the forwarder itself? Either in a conf file on the forwarder or via an API call to the deployment server would work for my use case. Honestly, anything I can automate would work, but I don't want to get too hacky 🙂
We have servers installed weekly, so I want them to automatically get a list of "server classes" without me having to go through the GUI on the deployment server to add each new server to it's appropriate classes. I found that I can automatically add a server to the deployment server through a script with
splunk set deploy-poll IP_address:management_port
splunk restart
But then it seems like I have to go to the deployment server GUI to set up the forwarder after it's added. Is there a similar call from the forwarder to join a server class or a set of server classes?
If I can clarify the question at all, let me know.
... View more
03-26-2018
07:53 PM
Unfortunately that doesn't do the trick. But I'm definitely going to start using multisearch, that seems like a lot simpler solution than append.
Still, when I format that string into a subsearch, it pulls the times outside of each of the individual searches.
[| gentimes start=-3
| eval earliest=starttime
| eval latest=starttime+30
| eval search="*"
| fields search earliest latest
| format "| multisearch [search" "" "" "" "] [search" "]"
| rex field=search mode=sed "s/\"//g"
| rex field=search mode=sed "s/'/\"/g"]
leads to this error:
Error in 'multisearch' command: Invalid argument: '_time>=1522022400.000'
And this is from logs for what it's actually searching in the subsearch:
litsearch | multisearch [search ] [search ] [search ] _time>=1522022400.000 _time<1522022430.000
| fields keepcolorder=t "*" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"
| remotetl nb=300 et=1522022400.000000 lt=1522022430.000000 remove=true max_count=1000 max_prefetch=100
So that _time>=1522022400.000 _time<1522022430.000 bit is messing up the subsearch.
... View more
03-23-2018
06:54 AM
This seems like it is a bug. I've made a simpler search to show the behavior.
This works:
[| gentimes start=-1
| eval search="* earliest=-5m"]
This doesn't work:
[| gentimes start=-1
| eval search="* earliest=-5m | append [ search * earliest=-20m latest=-15m ]"]
... View more
03-23-2018
05:53 AM
That should get you every log for the 20 seconds between midnight and 00:00:20 for the last three days. If you want to limit that to just a specific string:
[ | gentimes start=-3
| eval earliest=starttime
| eval latest=starttime+20
| eval search="call_start"
| fields search earliest latest
| format "index=notAnIndex earliest=-1m | append [search" "" "" "" "] | append [search" "]"
| rex field=search mode=sed "s/\"//g"]
If you remove the brackets, you can see that the search is formatted properly. If you look at the job inspector it appears that the earliest/latest times are stripped from the subsearch
... View more
03-23-2018
05:50 AM
[ | gentimes start=-3
| eval earliest=starttime
| eval latest=starttime+20
| eval search="*"
| fields search earliest latest
| format "index=notAnIndex earliest=-1m | append [search" "" "" "" "] | append [search" "]"
| rex field=search mode=sed "s/\"//g"]
... View more
03-23-2018
05:41 AM
You can replace "My search here" with the search "*" to see the behavior. I'm using "call_start" as that's a frequently seen log in my system.
The idea is to take the output of gentimes, get a lot of 30 second slices going back many days, and then append each of those 30 second slices together to get a picture of what happens historically.
I'm using Splunk 6.4.0 in production, I tried this in a lab in 7, and it didn't error out with the same error message, but the same behavior was seen in the job inspector.
... View more
03-23-2018
05:13 AM
Can you expand a little? I don't know where you meant for me to put that. I added it to the beginning of the format section, so that the subsearch would output the append at the beginning, but unfortunately that did not work.
... View more
03-22-2018
08:26 PM
I'm trying to write a subsearch that searches multiple sections of time. What I have works until I wrap it in brackets for the subsearch. Here is what I have so far:
| gentimes start=-3
| eval earliest=starttime
| eval latest=starttime+20
| eval search="My search here"
| fields search earliest latest
| format "index=notAnIndex earliest=-1m | append [search" "" "" "" "] | append [search" "]"
| rex field=search mode=sed "s/\"//g"
This returns this search string:
index=notAnIndex earliest=-1m
| append [search earliest=1521504000 latest=1521504020 My search here ]
| append [search earliest=1521590400 latest=1521590420 My search here ]
| append [search earliest=1521676800 latest=1521676820 My search here ]
I have to use append instead of OR's because using OR will search the whole time frame between the earliest and latest time specified, which defeats the purpose of this. If I copy and paste the returned search string into a new search, it works great. If I wrap the original search in brackets, I get this error:
Error in 'append' command: The last argument must be a subsearch.
Looking through the job inspector, I can see that my earliest and latest times are being stripped out of the search. And then the error is probably from that _time that is tacked on to the end of the subsearch
litsearch index=notAnIndex
| append [search My search here ]
| append [search My search here ]
| append [search My search here ] _time>=1521676800.000 _time<1521676820.000
| fields keepcolorder=t "*" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"
| remotetl nb=300 et=1521676800.000000 lt=1521676820.000000 remove=true max_count=1000 max_prefetch=100
This seems like a bug, but maybe I just don't understand how the subsearch is supposed to work here. Has anyone found a way to make something like this work?
... View more
