Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About sumarri
sumarri
Path Finder
Member since:
03-04-2024
a week ago
Community Statistics
| Posts | 14 |
| Solutions | 1 |
| Karma Given | 14 |
| Karma Received | 2 |
| Member Since | 03-04-2024 |
Activity Feed
- Posted My jobs and loadjobs not showing to my organization? on Deployment Architecture. a week ago
- Posted Re: Saved Search showing old data? on Reporting. 2 weeks ago
- Posted Re: Saved Search showing old data? on Reporting. 2 weeks ago
- Posted Saved Search showing old data? on Reporting. 2 weeks ago
- Got Karma for Re: Error in 'where' command: The expression is malformed. Expected ).. 2 weeks ago
- Karma Re: Error in 'where' command: The expression is malformed. Expected ). for richgalloway. 2 weeks ago
- Karma Re: Error in 'where' command: The expression is malformed. Expected ). for richgalloway. 2 weeks ago
- Posted Re: Error in 'where' command: The expression is malformed. Expected ). on Splunk Search. 2 weeks ago
- Posted Re: Error in 'where' command: The expression is malformed. Expected ). on Splunk Search. 2 weeks ago
- Posted Re: Error in 'where' command: The expression is malformed. Expected ). on Splunk Search. 2 weeks ago
- Posted Error in 'where' command: The expression is malformed. Expected ). on Splunk Search. 2 weeks ago
- Got Karma for Re: Error in 'EvalCommand': Type checking failed. '/' only takes numbers.. 2 weeks ago
- Posted Re: Error in 'EvalCommand': Type checking failed. '/' only takes numbers. on Splunk Search. 2 weeks ago
- Karma Re: Error in 'EvalCommand': Type checking failed. '/' only takes numbers. for richgalloway. 2 weeks ago
- Posted Error in 'EvalCommand': Type checking failed. '/' only takes numbers. on Splunk Search. 2 weeks ago
- Karma Re: How to use different time ranges in sub-queries in savedsearches.conf for somesoni2. 03-06-2024 12:23 PM
- Karma Re: get rid of this awful other column for jarrodrobins. 03-06-2024 11:51 AM
- Karma Re: get rid of this awful other column for sideview. 03-06-2024 11:51 AM
- Karma Re: get rid of this awful other column for HXCaine. 03-06-2024 11:51 AM
- Karma Re: get rid of this awful other column for jonuwz. 03-06-2024 11:51 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
a week ago
So, I am running a job and I can see all my jobs and all the users jobs. However, the other users/power users cannot see my jobs that are running. What could cause that? Some users cannot see my dashboard panels that includes my loadjobs because they don't have the permissions, when I have both read and write enabled for everyone, why could that be so?
... View more
Labels
- Labels:
-
other
2 weeks ago
It is showing when I do | loadjob savedsearch="username:search:data_need" It was scheduled... I change it thinking it would fix it... but it did not.
... View more
2 weeks ago
So, I created at savedsearch and it was working fine. But I had to change the SPL for it and I tried it again, and it is still showing the old results and not showing the new SPL changes. Why? Do I have to wait for the changes t happen?
... View more
Labels
- Labels:
-
saved search
-
scheduled search
2 weeks ago
1 Karma
I have soled the issue.
I needed to add quotes to the AccountType:
| where AccountType IN ("$AccountType$")
I also needed to change the delimiter:
<delimiter>,</delimiter>
This solved the problem for me! Thank you!
... View more
2 weeks ago
So, it is expected to get the AccountTypes selected from the user on the dashboard from the multiselect filter.
... View more
2 weeks ago
Hey! I still get the same error. But thank you for trying! Let me know if something else clicks. Thank you.
... View more
2 weeks ago
So I am creating a dashboard and I keep getting this error:
Error in 'where' command: The expression is malformed. Expected ).
This is what I have:
| loadjob savedsearch="name:search:cust_info"
| where AccountType IN ($AccountType$)
I created a multiselect filter on AccountType and I want the SPL to query on those selected. What could I be missing or another way to achieve this query to filter on AccountType?
... View more
Labels
- Labels:
-
other
2 weeks ago
1 Karma
Thank you so much! That worked!
... View more
2 weeks ago
I am getting this error: Error in 'EvalCommand': Type checking failed. '/' only takes numbers. Here is lines of SPL: | stats count as "Count of Balances", sum(BALANCECHANGE) as "SumBalances" by balance_bin | eventstats sum("SumBalances") as total_balance | eval percentage_in_bin = round(("SumBalances" / total_balance) *100, 2) What could be causing this? Is there a way to olve this without the / symbol?
... View more
03-06-2024
05:10 AM
Okay, that is what I thought. Thank you so much for conforming! 😊
... View more
03-06-2024
04:54 AM
So, I have a chart function that works perfectly! | chart sum(transactionMade) over USERNUMBER by POSTDATE But, I want my chart to have USERNUMBER and USERNAME. They are both correlated, so it should not be an issue. I also want to add Team Number, which there is no correlation to USERNUMBER and USERNAME. Is it possible to have multiple fields after over? I can concatenate all the fields into one string, but it would be easier if they were separate columns. Thank you!
... View more
Labels
- Labels:
-
chart
03-04-2024
06:51 AM
I was not getting any data together, that was what was wrong... sorry for the miscommunication. I implemented your idea, and I am getting data now! Thank you!!! However, I am not getting the Employee column filled. It might because of the data issue. But, I wanted to know if we can label the fields by source. For example. I have UserNumber in both sources that mean different things and name in both sources that mean different things... How can I help Splunk differentiate them? Is there any resources would you suggest? Thank you so much!
... View more
03-04-2024
06:06 AM
So, I have one source (transactions) with userNumber and another source (users) with number. I want to join both of them. In each source, they have different field names. I want my table to have the employees name, which in in source users, which I get in my 2nd query in the join separately. Below is my SPL as of now:
index=* sourcetype=transaction
| stats dc(PARENT_ACCOUNT) as transactionMade by POSTDATE, USERNUMBER
| join left=L right=R where L.USERNUMBER=R.NUMBER [search sourcetype=users | stats values(NAME) as Employee by NUMBER]
| table USERNUMBER Employee PARENT_ACCOUNT POSTDATE transactionMade
What is it that I am doing wrong?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
a week ago
|
Karma given to
