Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About hmohta
hmohta
Path Finder
Member since:
08-12-2022
10-12-2022
Community Statistics
| Posts | 19 |
| Solutions | 1 |
| Karma Given | 5 |
| Karma Received | 0 |
| Member Since | 08-12-2022 |
Activity Feed
- Posted Re: How to group 3 months data, making it average data over 2 years on Splunk Search. 10-12-2022 08:19 PM
- Karma Re: How to group 3 months data, making it average data over 2 years for gcusello. 10-12-2022 08:19 PM
- Posted Re: How to group 3 months data, making it average data over 2 years on Splunk Search. 10-11-2022 04:35 PM
- Posted Re: How to group 3 months data, making it average data over 2 years on Splunk Search. 10-10-2022 10:58 PM
- Posted Re: How to group 3 months data, making it average data over 2 years on Splunk Search. 10-10-2022 02:17 AM
- Posted Re: How to group 3 months data, making it average data over 2 years on Splunk Search. 10-09-2022 11:49 PM
- Posted Re: How to group 3 months data, making it average data over 2 years on Splunk Search. 10-09-2022 11:44 PM
- Posted Re: How to group 3 months data, making it average data over 2 years on Splunk Search. 10-09-2022 11:26 PM
- Posted How to group 3 months data, making it average data over 2 years? on Splunk Search. 10-09-2022 10:48 PM
- Posted Re: What is the difference between latest_day and 1 day_ before? on Dashboards & Visualizations. 10-09-2022 10:14 PM
- Karma Re: What is the difference between latest_day and 1 day_ before for johnhuang. 10-09-2022 10:14 PM
- Karma Re: What is the difference between latest_day and 1 day_ before? for gcusello. 10-09-2022 10:14 PM
- Posted What is the difference between latest_day and 1 day_ before? on Dashboards & Visualizations. 10-05-2022 04:12 PM
- Tagged Maps, geostats and geom commands- What is wrong with my search? on Dashboards & Visualizations. 09-23-2022 12:02 AM
- Posted Maps, geostats and geom commands- What is wrong with my search? on Dashboards & Visualizations. 09-22-2022 11:58 PM
- Karma Re: How do I show comparison trends for bowesmana. 09-22-2022 11:30 PM
- Posted Re: How do I show comparison trends on Dashboards & Visualizations. 09-06-2022 04:24 PM
- Posted Re: How do I show comparison trends on Dashboards & Visualizations. 09-05-2022 10:24 PM
- Posted Re: How do I show comparison trends on Dashboards & Visualizations. 09-05-2022 09:12 PM
- Tagged Re: How do I show comparison trends on Dashboards & Visualizations. 09-05-2022 09:12 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
10-12-2022
08:19 PM
I wasn't leaving Splunk for Excel, all I said was I will close this query as I have not achieved what I am after and then ask another question which is what " is used in Excel", but use it in Splunk. I am aware of the fields being case sensitive, unfortunately nothing works!! Thankyou for trying.
... View more
10-11-2022
04:35 PM
@gcusello thankyou so much for trying, still no results and yes I did do the main search and these events do occur. I think I will move on from this question and look how I can produce moving average just like we do in excel. thanks for your help
... View more
10-10-2022
10:58 PM
Unfortunately it yields no results at all. 0 values/statistics
... View more
10-10-2022
02:17 AM
I get no values, no statistics.
... View more
10-09-2022
11:49 PM
Like I said yields, 0 statistics
... View more
10-09-2022
11:44 PM
Sorry this search is not yielding any results for me. Not sure I understand.
... View more
10-09-2022
11:26 PM
Thank you @gcusello . you mention : | eval Year=substr(WeekStarting,6,4) What does 6,4 stand for? Sorry I am new to Splunk and dont understand. Does it mean the Week like Week 6 or Week 4. Do I have to break it over 56 Weeks!? I am confused
... View more
10-09-2022
10:48 PM
Hello
The dates I have are in form of Week Starting: for example WeekStarting = 04/04/2022 , 11/04/2022 and so on. I am unable to group data where business now requires to see 3 months rolling avg figures for the last 2 years.
How can I achieve this?
My search: index=AB, source=AB | search (WeekStarting="2021*" OR WeekStarting="2022*") | chart avg(DeviceCount) by WeekStarting
It should be visualized as a 3 month data analysis
I am also trying to use timewrap span =1 month by Device count but no statistics appear!! Please help
... View more
10-09-2022
10:14 PM
Thankyou so much!
... View more
10-05-2022
04:12 PM
Hello
I am a bit unclear from the readings the meaning of 'latest_day and 1 day_ before'. I have attached a screen shot where I am comparing a particular event that occurred over 7 days.
Now if I want to compare say 'latest_day and 1 day_ before'. : is latest like yesterday and 1day_ before is the 4th October? I am confused. My query: index="AB" earliest=-8d@d latest=@d | search status="OTP_REQUIRED" | timechart span=1h count | timewrap d | fields _time latest_day, 1day_before ( when I want to compare days)
Thankyou
... View more
Labels
- Labels:
-
timechart
09-22-2022
11:58 PM
hello everyone Now I have been getting cluster Maps and Choropleth Maps generated , but a few issues with them. q1.when I add the same command from search app to the panel in the dash I loose all the state/regions names too!! works with the zoom function, is that ok? 2. query: why do I have multiple tiles of the same regions running through how can I just create the view where I can see regions only where events have occurred? Screenshot attached I know the legend doesn't match the map as values show 0, but they change and seem to be ok after 10/15 mins, I dont know why!! I am trying to search for failed/successful applications logins by region/city/or country. my query: index=a sourcetype=ab
| iplocation ip
| search status=failure AND connectionname=" ABwebsite"
| stats count by Country| geom geo_countries allFeatures=True featureIdField=Country if I don't add ip, no values populate on the map, there's just color. Thankyou for looking into the query.
... View more
- Tags:
- ui
09-06-2022
04:24 PM
thanks @bowesmana for your reply. Wont using the earliest=x latest=y syntax only give you the number of events that fall within that period. I am really confused as to how to include the specific events occurred during that time which the business would really like to see.
... View more
09-05-2022
10:24 PM
yes I will still use spath and WeekStarting only because I want to filter out the quarters. So yes Week Starting is the only event I have in relation to _time. How can I create timechart with 'span' with these? as my selected dates are like 3 months in a year over 3 years. Also do I have to create a makeresults or eval to generate events for the predict command?
... View more
09-05-2022
09:12 PM
thanks for your reply @bowesmana . at the moment my existing _time value is the Week Starting, that's all. I do not understand the need to use the command: | eval _time=strptime(WeekStarting, "%F") Correct me if I am wrong, it will still give me the existing format which already exists?
... View more
09-05-2022
07:10 PM
Hello All
I have been asked to show trends for business requirement with the dataset I have. Possible past, present and 'possible' predict for 3\4 months. the only _time dataset I have is the "WeekStarting": where events have occurred. To make it more relatable I need to show trends in login sharing.
Due to the magnitude of data, to make more sense out of the values I have selected 3 quarters over 3 years i.e (WeekStarting="2020-07-20" OR WeekStarting="2020-08-24" OR WeekStarting="2020-09-28" OR WeekStarting="2021-07-26" OR WeekStarting="2021-08-23" OR WeekStarting="2021-09-20" OR WeekStarting="2022-06-20" OR WeekStarting="2022-07-18" OR WeekStarting="2022-08-22" ).
Now I don't have any day or any time series data which makes it difficult for me to make timechart or timewrap commands.
What I have used so far and many others:
index="AB" sourcetype="AB" | spath | search (WeekStarting="2020-07-20" OR WeekStarting="2020-08-24" OR WeekStarting="2020-09-28" OR WeekStarting="2021-07-26" OR WeekStarting="2021-08-23" OR WeekStarting="2021-09-20" OR WeekStarting="2022-06-20" OR WeekStarting="2022-07-18" OR WeekStarting="2022-08-22" )
| stats values(TotalUsers) , values(DeviceTypes{}), values(WeekStarting), sum(Newbrowsertypes) as Aggregate_Logins by AccountID | where Aggregate_Logins >=5
I do know these are not trend commands. But I am really lost as to how I can incorporate trends with the dataset. Please help!!
... View more
Labels
- Labels:
-
chart
-
simple XML
-
timechart
08-17-2022
12:58 AM
@yuanliu .thankyou for replying. Let me try this again. ( I have attached the table again) AccountID-502 : has only 1 value of "20". AccountID 102 and 304 have 2 and 4 values respectively. Now I have tried your suggestions of | where 'values(logins)' > 2 But this singles out all Dates. I want the Values(date) to remain grouped. So in this instance I don't want AccountID502 as it has only 1 value. I want my final output which shows only those AccountID's where "values(logins)" are >=2 values. So in this instance 102 and 304. AccountID values(Date) values(logins) 502 2020-07-20 20.00 102 2020-07-20 2020-08-25 15.00 18.00 304 2020-07-20 2020-08-25 2021-07-20 2021-08-25 15.00 18.00 24.00 25.00
... View more
08-16-2022
11:48 PM
thankyou for your prompt reply. I am after results where ALL Dates are suppose to include. Yes your output table is better than mine:). your reply for aggregate give me the total of values for all accounts where aggregate is >2. thankyou. But I am not after aggregate, rather I want to use/see "only" those AccountID's where "values(logins)" is >2. so I want AccountID's like 102,304 only to appear for my output. Hope this is better.
... View more
08-16-2022
10:19 PM
Hi all, I am new at Splunk and trying to evaluate this query.
I have some accounts, dates(week starting) and number of browsers used by the account for that date.
I have grouped the dates and number_of_browsers. there is 1 account but multiple dates and multiple or single values for browser_types. My query:
index="a" source type="ab"| rename Week Starting AS Date | stats sum(browser_ types) AS New_BrowserTypes by AccountID TotalUsers Date | eval New_BrowserTypes= round(New_BrowserTypes/TotalUsers,2) | stats MAX(New_BrowserTypes) as logins by AccountID Date | stats values(Date) values(logins) by AccountID
which gives an output something like this:
AccountID
values(date)
values(logins)
502
2020-07-20
20.00
102
2020-07-20
15.00
2020-08-25
18.00
304
2020-07-20
24.00
2020-08-25
18.00
2021-07-20
25.00
2021-08-25
15.00
For the final result, I want to use AccountID's where values(logins) are >1. So I want to use only those accounts where, logins are 2 or more. how do I achieve this? thank you in advance. Please not this is only an example, my actual AccountID's are more than 500.
... View more
