Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About robertgiffin
robertgiffin
Explorer
Member since:
04-30-2023
02-28-2024
Community Statistics
| Posts | 11 |
| Solutions | 0 |
| Karma Given | 1 |
| Karma Received | 0 |
| Member Since | 04-30-2023 |
Activity Feed
- Posted Adding entires in a KV Store through the lookup editor on Splunk Enterprise. 02-27-2024 05:17 AM
- Karma Re: Changing _time in a savedsearch for PickleRick. 08-07-2023 04:42 AM
- Posted Re: Changing _time in a savedsearch on Splunk Search. 08-04-2023 07:41 AM
- Posted Re: Changing _time in a savedsearch on Splunk Search. 08-04-2023 05:20 AM
- Posted Changing _time in a savedsearch on Splunk Search. 08-03-2023 05:09 PM
- Tagged Changing _time in a savedsearch on Splunk Search. 08-03-2023 05:09 PM
- Tagged Changing _time in a savedsearch on Splunk Search. 08-03-2023 05:09 PM
- Tagged Changing _time in a savedsearch on Splunk Search. 08-03-2023 05:09 PM
- Posted Re: Microsoft 365 App Teams Activity Report on All Apps and Add-ons. 04-30-2023 07:37 PM
- Posted Re: Microsoft 365 App Teams Activity Report on All Apps and Add-ons. 04-30-2023 01:19 PM
- Posted Why is Microsoft 365 App Teams Activity Report not showing data? on All Apps and Add-ons. 04-30-2023 12:24 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
02-27-2024
05:17 AM
I have been building KV Store lookups with the lookup editor and I have noticed that when I add a line in the UI, when I leave it and come back to it, it duplicates the line multiple times and I have to go back and delete the duplicates. This seems to happen whether I am copying and pasting or just simply adding a line by hand. Has anyone else seen this issue or am I doing something wrong? To add a line I right-click on the row and select add a new line above. Once I finish the data input I leave the line to commit it. I go to my dashboard that is displaying the store, refresh and note that there are multiple copies of the line I just added. This does not happen with CSV file lookups, just the KV Stores. Thoughts? More info?
... View more
Labels
- Labels:
-
using Splunk Enterprise
08-04-2023
07:41 AM
That's a great idea. I'll have to look into that. The reason I am not using a lookup is that I dashboard the agent status. But you CAN dashboard a lookup file. Thanks for the suggestion! This could solve a couple of issues I am having.
... View more
08-04-2023
05:20 AM
A savedsearch isn't really the issue other than the fact that that's what I'm using. I kind of figured that was the case, no getting around the time thing. I'm accustomed to dealing with databases that aren't time based (unless I make the schema support it), like SQL databases. In this case, I query assets from the M365 API, which is of course time based, and then my list of agents is JOINed to that by the machine name. The list of agents is what is uploaded every morning. If I forget to upload it, it of course goes stale and the agent side of the JOIN shows no agents (of course, because the data is 'stale'). If I were doing this in a SQL database, I would have a job that injects the data from the M365 API every so often and replace the records with what I bring in with the current ones (or I could time base it myself with a timestamp so I could just query the 'latest'). The agent data would be injected every morning, again, and would be the current 'state', regardless of time, until I injected new data because I would replace the agent data based on the ID. I would query that data set for the JOIN. That data set would not be time based, although I might save a timestamp with it. Changing history, interesting take on this. What I am looking for is a static set of data that represents the current 'state' of things until I change it with a new upload, regardless of the time. I COULD use a lookup for this instead of a JOIN but I also have a dashboard where I show the status of these agents so I need to be able to just query the data like any other Splunk data. Plus, maintaining lookups is kind of a drag, especially if they change daily. I also can't do an outer JOIN type of thing on a lookup, I would have to execute that differently. I do that to list the machines that do not have an agent on them. Hope this clarifies things. Thanks for you answer, it is what I expected. Things are working, just trying to bend the rules a bit. I didn't think it was actually possible, knowing how Splunk works, but I just wanted to verify for myself.
... View more
08-03-2023
05:09 PM
I have a set of data that I upload into Splunk every morning as a .csv file because the tool doesn't feed the particular data automatically. It is a list of agents installed on assets. I use a savedsearch to query the data because I latest() and stats every field to make sure it is the latest record in the database, it's a pretty big query. I am interested in forcing the data to look like it was just ingested every time it is queried (when the savedsearch is executed). I tried adding a field to the savedsearch called _time (also tried timestamp) and setting it now(), that worked for the display but my records are still going stale so my assumption is that Splunk is using the original timestamp for these records (and I am ASSUMING I cannot change that). While the query works for the 24 hour timeframe or if I set the timeframe to the current day, all is good (until the day passes). But if I shorten the timeframe to last 15 minutes, last 4 hours, last 60 minutes, I get nothing from the query, which makes sense because that data was timestamped outside the range. But I need the timstamp to look like right now. The data is timestamped when I upload it using the current date/time. I want the last upload to ALWAYS be the current set of records (including the time). It should work with any timeframe. In a perfect world I would like the timestamp to be when the query is executed, so it is always now(), making the data 'look' like it is fresh. Is there a way to do this?
... View more
Labels
- Labels:
-
field extraction
-
fields
04-30-2023
07:37 PM
Back to the same issue. Once the dash is saved and you come back to it, the embedded character is stripped from the search so that dashboards will not work with that embedded special character in them any more.
... View more
04-30-2023
01:19 PM
I did finally get this working and I added a date picker to the page. However it is still a band-aid. I am wondering if anyone else has encountered data like this with a special character in the field name and curious as to what you did with it?
... View more
04-30-2023
12:24 PM
I was wondering why the Microsoft 365 App Teams Activity Report dashboard did not show any data in the dropdown on the page so I took it apart and looked at the query:
`m365_default_index` sourcetype="o365:graph:api" source=TeamsUserActivityUserDetail | stats latest(_time) AS _time by "Report Refresh Date" | rename "Report Refresh Date" AS ReportRefreshDate | sort - _time
So I ran this in a search in the app's context and got nothing. I pared the search down to just:
`m365_default_index` sourcetype="o365:graph:api" source=TeamsUserActivityUserDetail
and looked at the fields. The field the search is looking for, Report Refresh Date, is in the field list in Smart Mode and in the syntax highlighted record. So I tried just returning a table with that field and got nothing but the field name, no data.
I took the first result with the simple query:
`m365_default_index` sourcetype="o365:graph:api" source=TeamsUserActivityUserDetail
and clicked Show as raw text. The field I am looking for is the very first field but is prefaced with \ufeff, making it "\ufeffReport Refresh Date". This is why searching the field name is not working.
I drilled into one of the Report Refresh Date contents and in the resulting search it show the field name with a character at the front of it - ".Report Refresh Date" with the period highlighted in pink. That search returned correct results. I tried copying that and pasting it into another search and THAT one worked.
Has anyone else seen this in this report and is there a fix for it? I am currently going through the query and replacing the field name with the one copied from the query that works to a point but this is a band-aid. And unfortunately when I try to fix the dashboard it gets hung up on the Field for value input (won't let me copy that special character in there).
I am no Splunk expert. Is there any way to filter this what looks to be a UTF-8 character from this field name in a search? The issue is coming from Microsoft in the ingested logs.
Thoughts?
... View more
Labels
- Labels:
-
dashboard
-
troubleshooting
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
02-28-2024
08:04 AM
|
