cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
waeleljarrah
Explorer
Member since: ‎12-22-2017
‎03-22-2021
Community Statistics
Posts 8
Solutions 1
Karma Given 0
Karma Received 0
Member Since ‎12-22-2017
Activity Feed
View All

Re: Changing _time to a new field in dashboard

by in Dashboards & Visualizations
‎04-21-2020 07:56 AM
‎04-21-2020 07:56 AM
<form theme="light"> <label>Inquiries to Office &amp; Office Locations</label> <fieldset submitButton="true"> <input type="multiselect" token="office"> <label>State</label> <delimiter> OR </delimiter> <fieldForLabel>Office</fieldForLabel> <fieldForValue>Office</fieldForValue> <valuePrefix>Office="</valuePrefix> <valueSuffix>"</valueSuffix> <search> <query>index=analyzespace sourcetype=analyzespace.u12.WR119.raw | eval Office=ltrim(state) | dedup Office | sort +Office</query> <earliest>0</earliest> <latest></latest> </search> <choice value="*">All</choice> <default>*</default> </input> <input type="dropdown" token="earliest_time"> <label>Initial Time</label> <fieldForLabel>time</fieldForLabel> <fieldForValue>Early_time</fieldForValue> <search> <query>index=analyzespace sourcetype=analyzespace.u12.WR119.raw | eval Early_time = strptime(time,"%m/%d/%Y %H:%M") | dedup Early_time | sort +Early_time</query> <earliest>0</earliest> <latest></latest> </search> </input> <input type="dropdown" token="latest_time"> <label>Final Time</label> <fieldForLabel>time</fieldForLabel> <fieldForValue>Late_time</fieldForValue> <search> <query>index=analyzespace sourcetype=analyzespace.u12.WR119.raw | eval Late_time = strptime(time,"%m/%d/%Y %H:%M") | dedup Late_time | sort +Late_time</query> <earliest>0</earliest> <latest></latest> </search> </input> </fieldset> <row> <panel> <title>Inquiries</title> <chart> <title>Inquiries vs Time</title> <search> <query>index=analyzespace sourcetype=analyzespace.u12.WR119.raw | eval Office=ltrim(state) | search $office$ | eval Total_inquiries=ltrim(sumofinquiries) | eval new_time = strptime(time,"%m/%d/%Y %H:%M") | eval Time=new_time | where new_time>=$earliest_time$ AND new_time<=$latest_time$ | fieldformat Time=strftime(Time, "%m/%d %H:%M") | xyseries Time, Office, Total_inquiries</query> <earliest>0</earliest> <latest></latest> </search> <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisMiddle</option> <option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option> <option name="charting.axisLabelsX.majorLabelVisibility">show</option> <option name="charting.axisTitleX.text">Date &amp; Hour</option> <option name="charting.axisTitleX.visibility">visible</option> <option name="charting.axisTitleY.text">Attempts</option> <option name="charting.axisY.abbreviation">auto</option> <option name="charting.chart">line</option> <option name="charting.chart.nullValueMode">zero</option> <option name="charting.chart.showDataLabels">minmax</option> <option name="charting.drilldown">none</option> <option name="charting.layout.splitSeries">0</option> <option name="charting.legend.mode">standard</option> <option name="charting.legend.placement">top</option> <option name="height">357</option> <option name="refresh.display">progressbar</option> </chart> </panel> </row> </form> ... View more

Re: Changing _time to a new field in dashboard

by in Dashboards & Visualizations
‎04-21-2020 07:36 AM
‎04-21-2020 07:36 AM
Thank you! it works ... View more

Re: Changing _time to a new field in dashboard

by in Dashboards & Visualizations
‎04-20-2020 02:42 PM
‎04-20-2020 02:42 PM
Hi, thanks for the hint and advice. I now have the SPL working if I use Epoch time per code below. I still need to format the Early_time and Late_time in human readable form for the dropdown selection but without altering the original value in Epoch for Early_time and Late_time. Any hints would be appreciated. <form theme="light"> <label>Inquiries to Office &amp; Office Locations</label> <fieldset submitButton="true"> <input type="multiselect" token="office"> <label>State</label> <delimiter> OR </delimiter> <fieldForLabel>Office</fieldForLabel> <fieldForValue>Office</fieldForValue> <valuePrefix>Office="</valuePrefix> <valueSuffix>"</valueSuffix> <search> <query>index=analyzespace sourcetype=analyzespace.u12.WR119.raw | eval Office=ltrim(state) | dedup Office | sort +Office</query> <earliest>0</earliest> <latest></latest> </search> <choice value="*">All</choice> <default>*</default> </input> <input type="dropdown" token="earliest_time"> <label>Initial Time</label> <fieldForLabel>Early_time</fieldForLabel> <fieldForValue>Early_time</fieldForValue> <search> <query>index=analyzespace sourcetype=analyzespace.u12.WR119.raw | eval Early_time = strptime(time,"%m/%d/%Y %H:%M") | Table Early_time | dedup Early_time | sort +Early_time</query> <earliest>0</earliest> <latest></latest> </search> </input> <input type="dropdown" token="latest_time"> <label>Final Time</label> <fieldForLabel>Late_time</fieldForLabel> <fieldForValue>Late_time</fieldForValue> <search> <query>index=analyzespace sourcetype=analyzespace.u12.WR119.raw | eval Late_time = strptime(time,"%m/%d/%Y %H:%M") | Table Late_time | dedup Late_time | sort +Late_time</query> <earliest>0</earliest> <latest></latest> </search> </input> </fieldset> <row> <panel> <title>Inquiries</title> <chart> <title>Inquiries vs Time</title> <search> <query>index=analyzespace sourcetype=analyzespace.u12.WR119.raw | eval Office=ltrim(state) | search $office$ | eval Total_inquiries=ltrim(sumofinquiries) | eval new_time = strptime(time,"%m/%d/%Y %H:%M") | eval new_tyme=new_time | where new_time&gt;=$earliest_time$ AND new_time&lt;=$latest_time$ | xyseries new_tyme, Office, Total_inquiries</query> <earliest>0</earliest> <latest></latest> </search> <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisMiddle</option> <option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option> <option name="charting.axisLabelsX.majorLabelVisibility">show</option> <option name="charting.axisTitleX.text">Date &amp; Hour</option> <option name="charting.axisTitleX.visibility">visible</option> <option name="charting.axisTitleY.text">Attempts</option> <option name="charting.axisY.abbreviation">auto</option> <option name="charting.chart">line</option> <option name="charting.chart.nullValueMode">zero</option> <option name="charting.chart.showDataLabels">minmax</option> <option name="charting.drilldown">none</option> <option name="charting.layout.splitSeries">0</option> <option name="charting.legend.mode">standard</option> <option name="charting.legend.placement">top</option> <option name="height">357</option> <option name="refresh.display">progressbar</option> </chart> </panel> </row> </form> ... View more

Re: Changing _time to a new field in dashboard

by in Dashboards & Visualizations
‎04-17-2020 09:24 AM
‎04-17-2020 09:24 AM
sorry, this is not indexed time. It is completely arbitrary field that is formatted as a historical time column (called new_time) independent of the time the events were loaded into splunk. I was thinking maybe doing a multiselect input but unsure how to make it look like a time picker. Basically this new_time is hourly values earliest=04/06/2020:00:00:00 latest=04/14/2020:23:00:00. ... View more

Changing _time to a new field in dashboard

by in Dashboards & Visualizations
‎04-16-2020 02:00 PM
‎04-16-2020 02:00 PM
I have a new field called new_time, and I need to add a time picker on the dashboard but have it use the new_time values. Can someone please suggest a solution? | eval new_time = strptime(old_sec,"%m/%d/%Y %H:%M") | fieldformat new_time=strftime(new_time,"%m/%d %H:%M") |eval _time=new_time | xyseries _time, Name, Values ... View more

Re: How can I use regex to match only certain part...

by in Splunk Search
‎12-26-2017 09:06 AM
‎12-26-2017 09:06 AM
@niketnilay Thanks, I now edited original post/question and used code button (101010) accordingly. ... View more

Re: How can I use regex to match only certain part...

by in Splunk Search
‎12-26-2017 08:45 AM
‎12-26-2017 08:45 AM
@cpetterborg Thanks, yes the following should all be formatted as equal to 2345678900: +12345678900 OR 12345678900 OR 12345678900_A123456 OR 2345678900 So, this in essence removes the leading +1, or 1, or trailing _A, and if the number is 10 digits and does not start with +1 or 1 then leave it as is (example: 2345678900). Please advise, thanks again. ... View more

How can I use regex to match only certain parts of...

by in Splunk Search
‎12-22-2017 12:18 PM
‎12-22-2017 12:18 PM
I am using a CSV lookup table (MyCSVTable) which contains a list of 10 digit numbers (examples: 2345678900, 2134567891, 3126549877, etc...). The CSV can look like this for example: MyField1,MyField2 2345678900,1 2134567891,1 3126549877,1 I am using MyCSVTable to match against my event data field which also happens to be named MyField1 (same name as in MyCSVTable), and perform a calculation on an associated event data called MyField3. Part of the problem I have is the MyField3 does not have a standard naming convention. For example, if I am matching MyField1=2345678900 from the CSV, the event data field MyField1 could have any one of these values: +12345678900 OR 12345678900 OR 12345678900_A123456 OR 2345678900 . All of which would be valid matches for my purposes. Can I use rex or regex to reformat MyField1 in event data such that I am able to successfully match my number against any of these occurrences: +12345678900 OR 12345678900 OR 12345678900_A123456 OR 2345678900 ? I tried this but it doesn't work: index=<...> source=<...> | rex field=MyField1 "(?i)^(?.+?)(\s+1)?$" | lookup MyCSVTable MyField1 OUTPUT MyField2 | where MyField2=1 | stats sum(MyField3) by MyField1 Thank you in advance for your advice. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎03-22-2021 03:57 PM