Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About KendallW
KendallW
Path Finder
Member since:
06-12-2018
3 weeks ago
Community Statistics
| Posts | 24 |
| Solutions | 3 |
| Karma Given | 5 |
| Karma Received | 6 |
| Member Since | 06-12-2018 |
Activity Feed
- Karma Re: Count is getting mismatched for the fields after using the mvzip, mvexpand and mvindex commands for bowesmana. a month ago
- Got Karma for Re: Converting global_time to date for lookup file. a month ago
- Got Karma for Re: Compare inputlookup values and look for partial match with a field from search. a month ago
- Posted Re: Splunk DB Connect: Connecting to a Vertica Database and Utilizing an Identity on All Apps and Add-ons. a month ago
- Posted Re: Count is getting mismatched for the fields after using the mvzip, mvexpand and mvindex commands on Splunk Search. a month ago
- Posted Re: Compare inputlookup values and look for partial match with a field from search on Splunk Search. a month ago
- Posted Re: Converting global_time to date for lookup file on Dashboards & Visualizations. a month ago
- Karma Re: How to populate percentage on bar chart for bowesmana. a month ago
- Posted Re: How to populate percentage on bar chart on Dashboards & Visualizations. 04-07-2024 09:33 PM
- Posted Re: Why is field missing in piechart? on Splunk Search. 04-02-2024 05:01 PM
- Karma Re: Why is field missing in piechart? for bowesmana. 04-02-2024 04:58 PM
- Posted Re: Why is field missing in piechart? on Splunk Search. 04-01-2024 11:10 PM
- Posted Re: Datepicker with Submit button on Splunk Enterprise. 04-01-2024 09:59 PM
- Posted Re: How to create graph based on Std deviation & Avg on Splunk Search. 04-01-2024 09:20 PM
- Posted Re: How to create graph based on Std deviation & Avg on Splunk Search. 04-01-2024 08:05 PM
- Posted Re: How can I use login and logout events for specific UserIDs to determine concurrent users at a given time? on Splunk Search. 04-01-2024 07:49 PM
- Posted Re: Store a column of values to a token in dashboard on Dashboards & Visualizations. 04-01-2024 06:18 PM
- Got Karma for Re: Timestamp extraction config (props) is not working. 03-27-2024 06:13 PM
- Got Karma for Re: Splunk ITSI certification. 03-26-2024 03:24 AM
- Karma Re: Getting a count of the number of fields associated with a sourcetype for wrighke. 03-25-2024 10:34 PM
Topics I've Started
No posts to display.
a month ago
Hi @neilgalloway does it give any error when you save the identity? Would you please share a screenshot of the error you are receiving when trying to save the connection using that identity?
... View more
a month ago
Hi @SureshkumarD would it be possible to provide some sample data to go with the search?
... View more
a month ago
1 Karma
Hi @fishn To match the partial string in the lookup (e.g. poda) with the data (e.g. "poda-284489-cs834"), you need to append each of the pod_name_lookup values with a wildcard asterisk, i.e. poda*, podb*, podc* Then, add a lookup definition with the following setting, under the Advanced options checkbox: Then in your search: (where lkp_pod_name is your lookup definition) | lookup lkp_pod_name pod_name_lookup as pod_name --- Next, to show which pods are missing and their importance, you can do it like this: index=abc sourcetype=kubectl
| eval Observed=1
| append
[| inputlookup lkp_pod_name
| eval Observed=0 ]
| lookup lkp_pod_name pod_name_lookup as pod_name OUTPUT pod_name_lookup
| stats max(Observed) as Observed by pod_name_lookup, importance
| where Observed=0 --- Finally, to count how many critical and non-critical pods are not found as well as table the list of missing pods, you can append this line to the above search: | eventstats count as count_by_importance by importance
... View more
a month ago
1 Karma
Hi @vm_molson is the search for the lookup file within the same dashboard, or some other dashboard linked from a drilldown? If it's within the same dashboard, you can simply add something like this to the search for the lookup: | search date<=$global_time.latest$ date>=$global_time.earliest$ However if you want to link to a different search, you might need to go down this route (link) where you would add the variables directly in the URL parameters of the link the user would click on.
... View more
04-07-2024
09:33 PM
Hi @Akmal57, try changing the format of the visualization to stacked
... View more
04-02-2024
05:01 PM
That is so funny I never even thought of that 😄 @Shan could you confirm if @bowesmana's reply answers your question and accept it as the answer if so
... View more
04-01-2024
11:10 PM
I have replicated the issue and here's what I have found Only the top four values will be shown on the pie chart no matter how many fields are present in the table and no matter what value is used in Minimum Size / sliceCollapsingThreshold if there are: six or more fields at least one of them is significantly smaller than the largest number the sum of all values is greater than 64,250 Test it yourself: Run this search and look what happens when you change the value of 'f' from 53138 to 53139 | makeresults
| eval a=1
| eval b=10
| eval c=100
| eval d=1000
| eval e=10000
| eval f=53138
| fields - _time
| transpose
| rename column as Status, "row 1" as count Could someone from Splunk please explain what is going on here, or add this to the known issues?
... View more
04-01-2024
09:59 PM
Hi @alvesri It sounds like the token from the date picker is not plugged in to any searches on the dashboard. The searches should look something like this: <search>
<query>index=someindex sourcetype=somesourcetype</query>
<earliest>$time_tok$</earliest>
<latest>now</latest>
</search> Could you share the dashboard's XML?
... View more
04-01-2024
09:20 PM
Add a space between the two timechart functions. E.g. | timechart avg(event.Properties.duration) stdev(event.Properties.duration) Also, you can remove the | iplocation as we aren't using any of the fields that command adds for this visualization, so it will only slow down the search.
... View more
04-01-2024
08:05 PM
Hi @jaibalaraman try this . . . | timechart avg(event.Properties.duration) stdev(event.Properties.duration)
... View more
04-01-2024
07:49 PM
Hi @purcell12491, check if this answers your question: https://community.splunk.com/t5/Splunk-Enterprise/How-to-distinctively-count-concurrent-users-when-event-has/m-p/492648#M1641
... View more
04-01-2024
06:18 PM
Hi @dyuen You could use outputlookup to store the output of column C in a lookup.
... View more
03-25-2024
09:56 PM
1 Karma
Yes, you can. As per the documentation, there are no prerequisites for the ITSI admin exam: https://www.splunk.com/en_us/training/certification-track/splunk-itsi-certified-admin.html
... View more
03-25-2024
07:39 PM
2 Karma
Hi @dongwonn a few things to check -check the host field in Splunk matches the host:: stanza in your props.conf -Since you are not explicitly specifying a lot of configs, they may be taking default values from other places. Use btool to check the full props settings being applied to this host: $SPLUNK_HOME/bin/splunk cmd btool props list host::x.x.x.21 -Update your TIME_PREFIX to capture the full string before the timestamp beginning at the start of the event, so that Splunk will definitely exclude the preceding timestamps. Example: TIME_PREFIX=^\w{3}\s\d\d\s(\d{2}\:?){3}\s(\d{0,3}\.?){4}\s\w{3}\s\d\d\s(\d{2}\:?){3}\s[\w\s]+\-:\s\[
... View more
03-25-2024
07:10 PM
Hi @sks if you want just the percentage of misses and the percentage of hits, you can do this with eval: | eval Bperc=('B'/(B+C))*100
| eval Cperc=('C'/(B+C))*100 If you want to show this in a chart (e.g. pie chart) you don't need to calculate the percentage as Splunk will do this for you, but you will need to get the values of B and C in the same column using transpose. Example:
... View more
03-25-2024
06:22 PM
Check if this is the same issue: https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-TA-New-Relic-Insight-not-ingesting-data/m-p/528756
... View more
03-25-2024
06:05 PM
Hi @Bujji2023 , I had experienced similar issues when saving the lookup csv file in MS Excel before uploading. This can be fixed by saving the csv file from a text editor instead, making sure to remove any superfluous characters (e.g. quotation marks)
... View more
03-25-2024
05:53 PM
Hi @hassan1214, here's a few things to check to begin troubleshooting this issue: -Are you running the search in Fast Mode? If so, try running it in Smart Mode. -Are any of the winfw fields being extracted? Or only Splunk internal fields? -Check for any parsing issues in the splunkd.log : index=_internal sourcetype=splunkd log_level!=INFO source=*splunkd.log *winfw* The TA uses the following transforms.conf stanza to extract fields. Please check the content of your pfirewall.log matches this format: DELIMS = " "
FIELDS = date,time,win_action,transport,src,dest,src_port,dest_port,size,tcp_flag,tcpsyn,tcpack,tcpwin,icmptype,icmpcode,info,win_direction
... View more
03-25-2024
05:28 PM
Are you able to check which process is using the inputs.conf file with lsof? You may need to stop Splunk, update the file, then start Splunk again.
... View more
03-25-2024
05:17 PM
Are there any sourcetype parsing issues in the splunkd.log on the receiving indexer/forwarder? index=_internal host=<receiving indexer/forwarder> log_level!=INFO "test"
... View more
03-25-2024
04:50 PM
https://community.splunk.com/t5/Security/Certificate-generation-failed-Splunkd-port-communication-will/m-p/318926#M12902
... View more
03-25-2024
04:46 PM
Would adding "earliest=<24 hours prior to the search time window>" in the subsearch fix this?
... View more
03-25-2024
03:50 PM
How is this data being input to Splunk? You might start by checking the splunkd.log for any parsing errors or warnings. You can also check which props settings are applied to the specific sourcetype using btool on the receiving Splunk indexer/forwarder: $SPLUNK_HOME/bin/splunk cmd btool props list <sourcetype>
... View more
03-25-2024
03:40 PM
First, it might be better to just share the KO to global permissions so it can be seen by users of both apps, rather than to copy the KO to the other app - depending on your use-case. In case that is not feasible, to copy a KO to other apps you have a few options: If there are just a few KOs to be copied, you can do this from the GUI: -Click Settings -> Searches, reports and alerts -search for your KO and click Edit -> Clone, then you can select the app to clone to from the App dropdown list. In case you need to copy KOs in bulk, it is easier to copy the config from the .conf file from one app to the other. You can also use REST to POST configs.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
3 weeks ago
|
