Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About kaeleyt
kaeleyt
Path Finder
Member since:
07-10-2019
12-11-2023
Community Statistics
| Posts | 14 |
| Solutions | 1 |
| Karma Given | 6 |
| Karma Received | 4 |
| Member Since | 07-10-2019 |
Activity Feed
- Karma Re: Calculated Field Reassignment in the UI for richgalloway. 12-11-2023 10:58 AM
- Got Karma for Re: Add colors to a table for dynamic columns. 10-24-2023 07:47 AM
- Posted Re: Bug: Unable to Reassign Knowledge Objects with colons in the name on Knowledge Management. 04-14-2023 12:29 PM
- Got Karma for Re: Add colors to a table for dynamic columns. 07-27-2022 05:19 AM
- Posted Re: Bug: Unable to Reassign Knowledge Objects with colons in the name on Knowledge Management. 08-11-2021 02:49 PM
- Posted Re: Bug: Unable to Reassign Knowledge Objects with colons in the name on Knowledge Management. 07-27-2021 07:47 AM
- Posted Re: Bug: Unable to Reassign Knowledge Objects with colons in the name on Knowledge Management. 07-22-2021 02:04 PM
- Posted Bug: Unable to Reassign Knowledge Objects with colons in the name on Knowledge Management. 06-25-2021 01:03 PM
- Karma Re: Possible bug with changing permission on source based field extraction for darius_diederic. 06-08-2021 09:31 AM
- Karma Re: Possible bug with changing permission on source based field extraction for kaurinko. 06-08-2021 09:31 AM
- Got Karma for Re: Add colors to a table for dynamic columns. 05-21-2021 12:44 AM
- Posted Calculated Field Reassignment in the UI on Splunk Enterprise. 03-03-2021 10:28 AM
- Got Karma for Re: Timechart Table with "No results found". 09-10-2020 03:34 PM
- Karma Re: Timechart Table with "No results found" for yeahnah. 09-10-2020 08:17 AM
- Posted Re: Timechart Table with "No results found" on Splunk Search. 09-10-2020 08:16 AM
- Posted Re: Timechart Table with "No results found" on Splunk Search. 09-08-2020 02:09 PM
- Posted Re: Timechart Table with "No results found" on Splunk Search. 09-08-2020 09:35 AM
- Posted Timechart Table with "No results found" on Splunk Search. 09-01-2020 02:02 PM
- Tagged Timechart Table with "No results found" on Splunk Search. 09-01-2020 02:02 PM
- Tagged Timechart Table with "No results found" on Splunk Search. 09-01-2020 02:02 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
04-14-2023
12:29 PM
I had a similar thing happen. Mine was closed and I was told to post on Splunk Ideas. Here's the post in case anyone wants to upvote it: https://ideas.splunk.com/ideas/EID-I-854 Seems based on one reply that is was supposedly "under investigation" but that was 2 years ago and still seems to be an issue in 9.0.4. I'm the team member responsible for managing this type of thing for all of the teams who use our enterprise wide Splunk environment but do not have the access/permissions to use a lot of the solutions people are suggesting on this thread so it's still a bit frustrating that we have objects owned by users who left the company 4 years ago.
... View more
08-11-2021
02:49 PM
UPDATE: I have actually noticed that Data Models can't be reassigned either as they also don't show up here
... View more
07-27-2021
07:47 AM
The fix they recommended to me was to use the REST method. Our team does not want to use this since that is not ideal in a clustered environment. I can update this thread if anything comes from the bug investigation that was submitted. Fingers crossed it gets updated in a future version because the UI method is so much more convenient 🤞
... View more
07-22-2021
02:04 PM
That actually isn't true.... I can re-assign all other "non-search" objects from the "All configurations" page: props-extract (except for source based or ones with sourcetypes with colons.... see examples below) transforms-extract views transforms-lookup macros eventtypes fvtags fieldaliases workflow-actions The only thing missing completely is calculated fields which I cannot reassign from this UI which doesn't seem to make sense when we can reassign all other objects from the UI. I can reassign all other extracted fields and field transformations from the UI. The only ones that I cannot reassign are the ones that are source-based or are sourcetype based with a colon in the sourcetype name. Sourcetype example: Sourcetype: wineventlog:taskscheduler Name: WinEventLogTaskScheduler-EventCode103Message Regex: Task Scheduler failed to launch action \"(?P<FailedAction>[^\"]+)\" in instance \"\{(?P<FailedInstance>[^\"]+)\}\" of task \"(?P<Task>[^\"]+)\"\. Additional Data\: Error Value\: (?P<ErrorValue>[^\.]+)\. Field Extraction Name: wineventlog:taskscheduler : EXTRACT-WinEventLogTaskScheduler-EventCode103Message ***Please note the colon in the sourcetype name Source example: ***I don't have a good source example that I would be able to post on here but for a fake example: Source: this/is/a/pretend/source.log Name: Destination Regex: ^\w+\s\d+\s\d{2}:\d{2}:\d{2}\s(?<dest>\S+) Field Extraction Name: source::this/is/a/pretend/source.log : EXTRACT-Destination ***Note that splunk adds the "source::" before the source.... I think the colons may be conflicting I don't know for sure that the colon is the issue since I don't know how Splunk does the reassignment behind the scenes but based on some extensive testing I've done in my own environment (running on 8.1.3) this seems to be a common denominator.... I do have a bug investigation open with support to look into this issue.
... View more
06-25-2021
01:03 PM
Hi fellow Splunkers! I am an admin for our Splunk Enterprise Environment and when we have users on any of the teams that we support leave their teams or leave the company we try to stay on top of reassigning the knowledge objects that they owned to a current member of that team. We do this from the UI because we run 2 clustered environments with 3 SH's each.We reassign these objects by navigating to Settings > All configurations > Reassign Knowledge Objects I have come across an issue where I am unable to reassign field extractions with colons in their name. Examples: wineventlog:security : EXTRACT-WindowsSecurityFields source::/var/opt/jfrog/artifactory/logs/request.log : EXTRACT-Action When I attempt to reassign these I get the following error: Has anyone else run into this? Has anyone found a solution (other than reassigning these from the back end)? Any feedback is appreciated!
... View more
Labels
- Labels:
-
field extraction
-
other
03-03-2021
10:28 AM
Hi Splunk Community, I noticed that in the "All configurations" menu in the Splunk UI (Settings > All configurations) that calculated fields are missing. We have been using the "All configurations" page to reassign objects once we have finished developing them for our various tenants but I haven't been able to figure out how to reassign calculated fields We are on version 8.0.3 in case that's relevant. Anyone have any idea how to reassign calculated fields in the UI?
... View more
Labels
- Labels:
-
other
09-10-2020
08:16 AM
1 Karma
That got me really close. I tried it over "Last 7 Days" and it gave me 6 days with 9-4-20 missing for some reason. I took your search and changed around some things and got this working: | makeresults
| eval count=0
| eval rows=split("Row 1|Row 2|Row 3|Row 4", "|")
| mvexpand rows
| timechart values(count) by rows limit=0
| fillnull value=0
| eval _time= strftime(_time, "%m-%d-%y")
| append
[search that may or may not produce results]
| stats max("Row 1") as "Row 1",
max("Row 2") as "Row 2",
max("Row 3") as "Row 3",
max("Row 4") as "Row 4"
by _time In my appended search I called each aggregation "Row 1", "Row 2", etc. so at the end in the last stats it will pull the highest number for each row and time, so if there are results it will pull the value and if there aren't results it will pull the 0 created in the makeresults search. For some reason it worked for me when you make the null/filler results first and then append your actual search. @yeahnahthank you for your help!
... View more
09-08-2020
02:09 PM
Hi yes, sorry I had put that in the question title but probably was not clear enough in my description. The problem I'm having with this is that I only really need this solution because some of these searches return "no results found" sometimes. Per the tenants request we would like to find a way to keep the dashboard uniform so that there is a table of 0's for example when there are no errors for the last 7 days for example. I'd like it to show all 0's when there are no events but everything I've read leads me to believe there is no clean way to do this, especially with a timechart search. It seems the only way for there to be a table/visualization is if the search returns at least 1 result but that's exactly the issue I'm trying to solve if that helps explain what I'm trying to get at.
... View more
09-08-2020
09:35 AM
This didn't seem to work how I was expecting. I was hoping to get an empty timechart that uses the time range of the search to determine the dates. For this solution it seems you would have to hard code the dates.
... View more
09-01-2020
02:02 PM
Hi all, I have a request from a tenant in our environment that requires us to create a dashboard where each column is a date and each row has various criteria. We accomplished this by using the following search structure: [base search]
| timechart limit=0 span=1d useother=false count as "Row 1" by sourcetype
| fillnull
| reverse
| untable _time, sourcetype, "Row 1"
| eval Time= strftime(_time, "%m-%d-%y")
| table Time, "Row 1"
| transpose header_field=Time 0
|append [search [base search] | timechart limit=0 span=1d useother=false count as "Row 1" by sourcetype
| fillnull
| reverse
| untable _time, sourcetype, "Row 2"
| eval Time= strftime(_time, "%m-%d-%y")
| table Time, "Row 2"
| transpose header_field=Time 0]
... Due to the variations in search criteria for each row, it makes the most sense to simply append a new row. The results end up looking like the following: The problem I am having is that one of the searches produces no results almost all of the time (note that Row3 is missing). This tenant would like this to show "Row3" as a row of 0's implying that there were no events that match the specified criteria for that row. Does anybody have a good way to create a timechart table of all 0's for searches that return "No results found"? I have seen a lot of questions and answers on here that basically use an append to give a single value of 0 but for this use case I would essentially like to get a "0" for each date on the table like the following :
... View more
Labels
- Labels:
-
timechart
08-27-2020
12:30 PM
Hi all, My team is embarking on the Summary Indexing journey as our environment is getting larger. We have various tenants in our environment that wish for their daily summary data to be synced up from midnight to midnight of various time zones (GMT, Pacific Time, Central, etc.). I have my personal account set to Pacific time. We had been told the best way to ensure that you have no data overlap/gaps with summary indexing is to use the snap-to feature (the @d) syntax using the earliest and latest time modifiers. Ex: [base search here] earliest=-1d@d latest=@d.... | [rest of search here] What I'm trying to figure out is if we have one tenant that wants us to run their summary searches from midnight to midnight GMT and another tenant that wants us to run their summary searches from midnight to midnight PST for example, what is the best way to approach that?
... View more
08-21-2020
12:24 PM
@richgallowayThat was very helpful. I was able to find the element by going in to the developer tools, narrowing down to just one of the panels and then once I got down to the subtitle I clicked on it and it actually ends up displaying the exact syntax I can just copy and paste into the XML to override. Example answer for anyone who needs this: .dashboard-row .dashboard-panel .panel-head h3{
font-size: 20px !important;
} Thank you so much!
... View more
08-21-2020
11:35 AM
Hi fellow Splunkers! I'm trying to figure out how to customize the subtitle of a dashboard (bold the font or change the font size for example). I'm currently using a hidden HTML style panel within my XML so if possible I'd like to continue with that method rather than converting the whole dashboard to HTML. <row>
<panel>
<title>Quick Stats</title>
<single>
<title>User Counts</title>
<search>
......
</search>
</single>
</panel>
</row> The "User Counts" title is the one I am interested in adding specific styles to. Here is an example of how I am currently customizing some of the elements of my dashboard: ...
<row>
<panel>**<html depends="$hiddenForCSS$">**
<style>
.dashboard-row {
padding-bottom: 5px !important;
padding-top: 5px !important;
}
.dashboard-panel h2{
background:#65A637 !important;
color:white !important;
text-align: center !important;
font-weight: bold !important;
border-top-right-radius: 15px !important;
border-top-left-radius: 15px !important;
}
</style>
</html>
</panel>
</row>
... I'm mainly trying to identify the correct way to reference the subtitle but if anyone has any general tips for the best way to identify the correct way to reference the various dashboard elements, that would be super helpful as well.
... View more
05-29-2020
10:54 AM
3 Karma
A little late to this but you could also try using the following for each table:
<format type="color">
<colorPalette type="map">{"0":#DC4E41,"1":#53A051}</colorPalette>
</format>
Taking the "field=" specification off seems to apply it to the entire row by default.
Hope this helps!
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
12-11-2023
02:18 PM
|
Karma given to
