Activity Feed
- Got Karma for Re: How do I force a timestamp to be recognized as UTC in a query for strptime?. 05-15-2023 08:14 AM
- Got Karma for Re: How can I extract the first 10 characters of token value in query?. 07-13-2022 02:48 AM
- Got Karma for Re: How do I get the total and percentage on each row on the following table?. 02-18-2022 11:53 PM
- Got Karma for Re: Dashboard - Base Search not returning results into panel. 02-03-2022 06:43 AM
- Got Karma for Re: What is the real difference between a $token$ and $form.token$?. 01-24-2022 04:58 PM
- Got Karma for Re: What is the real difference between a $token$ and $form.token$?. 12-16-2021 05:11 AM
- Posted Re: How to hide dashboard panel when user's search times out? on Dashboards & Visualizations. 09-09-2021 11:45 AM
- Posted How to hide dashboard panel when user's search times out? on Dashboards & Visualizations. 09-09-2021 09:46 AM
- Posted seemingly empty log returned with search query on Splunk Search. 06-22-2021 09:48 AM
- Got Karma for Re: How to drilldown a pie chart and get specific results for each slice of pie?. 04-27-2021 04:48 AM
- Posted Re: Extracting fields from nested JSON event on Splunk Search. 12-08-2020 05:12 AM
- Posted Re: Extracting fields from nested JSON event on Splunk Search. 12-07-2020 05:02 AM
- Posted Extracting fields from nested JSON event on Splunk Search. 12-03-2020 12:46 PM
- Karma Re: Using NOT and != would return the same results. for woodcock. 06-05-2020 12:50 AM
- Karma Re: Using NOT and != would return the same results. for richgalloway. 06-05-2020 12:50 AM
- Karma Re: How do I add a check box to change my search? for niketn. 06-05-2020 12:50 AM
- Karma Re: How to clean up old indexes, reports, alerts, etc ? for DavidHourani. 06-05-2020 12:50 AM
- Karma Re: How do you extract fields from an existing field's value? for Raschko. 06-05-2020 12:50 AM
- Karma Re: how to get the first event time and last event time for field value for niketn. 06-05-2020 12:50 AM
- Karma Re: Can you help me identify when end time overlaps start time for the following events? for whrg. 06-05-2020 12:50 AM
09-09-2021
11:45 AM
I figured it out. I was able to use the job.isFinalized token along with "done"
09-09-2021
09:46 AM
We are dealing with an issue where some of our users have a very short timeout in Splunk. We are working with Splunk to come up with better timeouts, but in the meantime we need a way to stop dashboard panels from loading when a user times out, to prevent them seeing partial results.
I have tried the normal tokens that are used to hide a panel until a search is done, but these "stopped" searches report as done (they just have partial results). I have seen old solutions that used "finalized", but that has been deprecated. (I've tried cancelled, fail and error as well, no luck.)
Does anyone have any idea how else I can stop these panels from loading when a search is "stopped" because of a timeout?
Labels: token
06-22-2021
09:48 AM
We keep getting this "empty" log back whenever we do a search within this host/sourcetype. It doesn't seem to matter what other search terms we put in, it always comes up. As raw text: So far none of our admins can seem to figure out where it's coming from or why. Anyone have any bright ideas?
12-08-2020
05:12 AM
I don't understand what you're saying. I need to pull out only the avgCycles and totalExecutions for every iRule, attached to the name of the iRule. but I do not know how many there are, or what they are named. spath is just the start. It doesn't do the extraction or allow me to isolate those fields when I don't know the iRule names.
12-07-2020
05:02 AM
@to4kawa I can spath but I have no idea how many iRules there will be per event or what they are named, and I don't know how many event types there will be or what they are named.
12-03-2020
12:46 PM
I have a very complex nested JSON event and need to extract 2 fields. I've managed it with less complicated ones, but this one has me a bit stumped. I need to get the avgCycles and totalExecutions for each iRule, keeping hold of the name of the iRule. My event looks like this (sections collapsed in the event viewer are shown as { ... }):
{
  "clientSslProfiles": { ... },
  "deviceGroups": { ... },
  "httpProfiles": { ... },
  "iRules": {
    "/Department/Shared/Department_HTML_rewrite_Rule": {
      "application": "Shared",
      "events": {
        "CLIENT_ACCEPTED": { ... },
        "HTML_TAG_MATCHED": { ... },
        "HTTP_REQUEST": { ... },
        "HTTP_RESPONSE": {
          "aborts": 0,
          "avgCycles": 28338,
          "failures": 0,
          "maxCycles": 1882653,
          "minCycles": 8898,
          "priority": 550,
          "totalExecutions": 86269
        }
      },
      "name": "/Department/Shared/Department_HTML_rewrite_Rule",
      "tenant": "Department"
    },
    "/Common/Office-Rule": { ... },
    "/Common/Debug-Rule": { ... },
    .....
Labels: fields
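Added worked example, not part of this thread and not something the asker or the other replies posted: the question above needs avgCycles and totalExecutions for every iRule and every event without knowing the iRule names or the event names up front, which is exactly the case where a fixed field path (spath with a literal key) cannot help. Written in Python rather than SPL so it runs offline, the walker below recurses over the parsed event, discovers the keys at the two unknown levels, and keeps only the two counters. The sample event is constructed from the structure shown in the post; the second iRule, the HTTP_REQUEST counters and the values 1200, 5, 410 and 9001 are invented to show that nothing is hard-coded.

```python
import json
from typing import Any, Iterator

# Constructed sample modelled on the event in the question. Sections the
# post showed collapsed are left empty; the second iRule's numbers and the
# HTTP_REQUEST counters are invented for the example.
SAMPLE_EVENT = json.dumps({
    "clientSslProfiles": {},
    "deviceGroups": {},
    "iRules": {
        "/Department/Shared/Department_HTML_rewrite_Rule": {
            "application": "Shared",
            "events": {
                "HTTP_RESPONSE": {
                    "aborts": 0, "avgCycles": 28338, "failures": 0,
                    "maxCycles": 1882653, "minCycles": 8898,
                    "priority": 550, "totalExecutions": 86269,
                },
                "HTTP_REQUEST": {"avgCycles": 1200, "totalExecutions": 5},
            },
            "name": "/Department/Shared/Department_HTML_rewrite_Rule",
            "tenant": "Department",
        },
        "/Common/Office-Rule": {
            "application": "Common",
            "events": {
                "CLIENT_ACCEPTED": {"avgCycles": 410, "totalExecutions": 9001},
            },
            "name": "/Common/Office-Rule",
        },
    },
})

# The only two counters the question asks for.
WANTED = ("avgCycles", "totalExecutions")


def walk(node: Any, path: tuple = ()) -> Iterator[tuple[tuple, Any]]:
    """Yield (key path, value) for every leaf of a nested dict/list.

    No key names are assumed; the caller decides which paths matter.
    """
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, path + (key,))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, path + (str(index),))
    else:
        yield path, node


def irule_stats(raw_event: str) -> list[dict]:
    """Return one row per (iRule, event) holding the iRule name, the event
    name and the two wanted counters.

    Under "iRules" the expected leaf path is
    (<irule name>, "events", <event name>, <counter>); both <irule name>
    and <event name> are discovered by walking, not listed in advance.
    """
    event = json.loads(raw_event)
    rows: dict[tuple[str, str], dict] = {}
    for path, value in walk(event.get("iRules", {})):
        if len(path) == 4 and path[1] == "events" and path[3] in WANTED:
            irule, _, evt, counter = path
            row = rows.setdefault((irule, evt), {"iRule": irule, "event": evt})
            row[counter] = value
    # Deterministic order so the output is easy to compare or tabulate.
    return [rows[key] for key in sorted(rows)]


if __name__ == "__main__":
    for row in irule_stats(SAMPLE_EVENT):
        print(row)
```

The filter on the path shape is what keeps counters such as maxCycles or priority out of the rows, and a malformed iRule entry (missing "events", or an extra nesting level) is simply skipped rather than raising. If the real feed carries iRules as a list rather than an object, the walker already handles that; only the path-shape check would need to move one element to the right.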
11-01-2019
11:51 AM
Strip the date out of your timestamp (I used strftime since I don't know what format your timestamp is) then add it to your by clause
source="source name"
| search NameOfJob=$NameOfJob$
| spath "count.amountOfRecords"
| search "count.amountOfRecords"=*
| spath timestamp
| search timestamp=*
| eval date=strftime(timestamp,"%Y-%m-%d")
| stats earliest(timestamp) as StartTime, latest(timestamp) as EndTime, count by "count.amountOfRecords" NameOfJob date
| eval StartTime=substr(StartTime,1,25)
| eval EndTime=substr(EndTime,1,25)
| table date NameOfJob, StartTime, EndTime, count.amountOfRecords
11-01-2019
11:11 AM
have you tried adding a date to the by clause of your stats command?
11-01-2019
10:47 AM
Try this
index=something
| rex field=_raw ".*\&WST=(?P<MMMId>[^&]+).*"
| search Googly
| dedup MMMId
| bucket _time span=1m
| rex field=_raw "&PCS=(?<MMM_Status>\d)\&"
| stats count as Volume by MMM_Status _time
| eventstats count as Grand
| search MMM_Status="1"
| eval MMM_Status=(Volume/Grand)*100.0
| timechart span=1m max(MMM_Status)
10-18-2019
09:49 AM
Try pulling the date out of the _time field and stripping out everything that isn't those two dates.
You will need to set your earliest/latest to be outside of your 2 date ranges for it to work.
Then, if you add the date to your stats, you can use a Trellis split by date to get your two charts.
index="compliance_sum"
| eval date = strftime(_time,"%d/%m/%Y")
| search date=Date1 OR date=Date2
| table name result ruleName
| appendpipe
[ lookup netshot.csv Nom as name OUTPUT "Infrastrucure Name" teamInCharge]
| table name result ruleName "$infraname$" teamInCharge
| search "Infrastrucure Name"="FRA-SWING"
| search teamInCharge="$team$"
| search result="NONCONFORMING"
| eval templateType=`macro_template`
| where result="NONCONFORMING"
| stats count by teamInCharge templateType date
| eval teamInCharge=teamInCharge." : ".count
10-18-2019
07:26 AM
You should be able to just flip your greater than to a less than or equal. The only other difference in your queries is the asset_atp="false" and it just excludes more things.
index=my_index asset_type="Workstation" asset_status="ACTIVE" asset_atp="false" earliest=-1d@d latest=-0d@d
| eval nexttime=strftime(relative_time(now(),"-w@w") ,"%Y-%m-%d %H:%M:%S")
| where ad_date_created<=nexttime
10-16-2019
12:23 PM
This would get you the number of events, which I think is what you mean by subscriptions, per subscriber over time.
source="mysource"
| rename details.subscribers{} as subscribers
| mvexpand subscribers
| timechart count by subscribers
09-04-2019
08:59 AM
1 Karma
please share the output you got
09-04-2019
07:39 AM
That would also give you the No people.
But changing it to
index="A" sourcetype=B (action=Yes OR action=No)
| stats dc(action) as action_count values(action) as action by User
| search action_count<2 AND action=Yes
Would be only Yes's.
09-04-2019
07:22 AM
Are you only going to have a single Yes and/or a single No for a user? So the most entries you would have for a single user is 2?
08-20-2019
12:46 PM
3 Karma
What about doing the substr in the actual search to create a new field and then using that result as the token?
08-06-2019
07:51 AM
A sparkline is a trend over time. Does your inputlookup include _time?
06-14-2019
05:15 AM
can you share the XML that is the definition of your dropdown?
06-13-2019
07:23 AM
That's my guess, yes. I have had jobs queue and when they run they're correct.
On a side note if you are having a lot of issues with jobs being queued you should look into your search quotas: https://answers.splunk.com/answers/155276/why-are-we-getting-message-waiting-for-queued-job-to-start-and-search-job-takes-5-minutes-to-run.html
06-13-2019
05:44 AM
If you wait for the job to run, instead of killing it, does it run with the correct time range?
06-13-2019
05:14 AM
Since the first Monday can be anywhere from the 1st to the 7th you can do it like this
* * 1-7 * 1
You can then add the hour/minutes from there.
05-09-2019
07:51 AM
you can add a 1 week span to your stats like this
| bucket _time span=1w
and then add _time after by callMediaType in your stats command.
Also, your stats has a by callMediaType but you did not include that in your timechart. This in and of itself would make the results different. Is that on purpose?
05-08-2019
12:02 PM
This isn't going to give you the subsearch you were looking for but I believe it can solve your issue.
[base search] earliest=-14d@d
| eval last_week_start_time=relative_time(now(),"-7d@w0")
| eval this_week_start_time=relative_time(now(),"@w0+1d")
| eval last_week_end_time=relative_time(now(),"@w0")
| eval this_week_end_time=relative_time(now(),"now")
| eval weekday=strftime(now(),"%A")
| eval start_time=if((weekday="Monday" OR weekday="Sunday"),last_week_start_time,this_week_start_time)
| eval end_time=if((weekday="Monday" OR weekday="Sunday"),last_week_end_time,this_week_end_time)
| where _time>=start_time AND _time<=end_time
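Added illustration of the window arithmetic in the answer above; it is not part of the original post and is written in Python rather than SPL so the snapping can be checked offline. The four relative_time modifiers used there are: @w0 snaps to midnight of the most recent Sunday (a Sunday snaps to itself), -7d@w0 steps back seven days before snapping, @w0+1d is the Monday of the current week, and now is the current time. The function below reproduces those four evals and the Monday/Sunday branch, so you can see which window a given weekday produces. It assumes naive local datetimes; in Splunk the snap follows the search-time timezone, which this example does not model.

```python
from datetime import datetime, timedelta


def snap_to_week(t: datetime) -> datetime:
    """Equivalent of Splunk's @w0: midnight of the most recent Sunday.

    Python's weekday() has Monday=0 and Sunday=6, so the distance back to
    Sunday is (weekday + 1) mod 7; a Sunday snaps to its own midnight.
    """
    midnight = t.replace(hour=0, minute=0, second=0, microsecond=0)
    days_since_sunday = (midnight.weekday() + 1) % 7
    return midnight - timedelta(days=days_since_sunday)


def report_window(now: datetime) -> tuple[datetime, datetime]:
    """Mirror the eval chain from the answer above and return (start, end)."""
    last_week_start = snap_to_week(now - timedelta(days=7))   # -7d@w0
    last_week_end = snap_to_week(now)                          # @w0
    this_week_start = snap_to_week(now) + timedelta(days=1)    # @w0+1d
    this_week_end = now                                        # now
    if now.strftime("%A") in ("Monday", "Sunday"):
        # Early in the week there is nothing useful yet: report last week.
        return last_week_start, last_week_end
    return this_week_start, this_week_end


def report_window_iso(now_iso: str) -> tuple[str, str]:
    """Same as report_window but on ISO-8601 strings, handy for quick checks."""
    start, end = report_window(datetime.fromisoformat(now_iso))
    return start.isoformat(), end.isoformat()


if __name__ == "__main__":
    # Sept 9 2021 (the date of the post) was a Thursday.
    for sample in ("2021-09-05T10:00:00", "2021-09-06T10:00:00", "2021-09-08T12:00:00"):
        print(sample, "->", report_window_iso(sample))
```

Note that on a Monday the search still runs with earliest=-14d@d, so the previous week's events are in scope for the where filter; if the base search were narrowed to -7d, the last-week branch would silently return a partial week.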
12-21-2018
12:54 PM
1 Karma
could you share your search (with sensitive data masked)? it would be much easier to help if we could see it.
12-21-2018
05:55 AM
you can do that with a join - https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Join