Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About liondancer
liondancer
Explorer
Member since:
04-30-2018
06-05-2020
Community Statistics
| Posts | 12 |
| Solutions | 0 |
| Karma Given | 6 |
| Karma Received | 0 |
| Member Since | 04-30-2018 |
Activity Feed
- Karma Re: How can I create a bar chart with positive and negative values? for somesoni2. 06-05-2020 12:49 AM
- Karma Re: How can I create a bar chart with positive and negative values? for woodcock. 06-05-2020 12:49 AM
- Karma Re: How can I create a bar chart with positive and negative values? for woodcock. 06-05-2020 12:49 AM
- Karma Re: How can I convert column value to column? for mayurr98. 06-05-2020 12:49 AM
- Karma Re: How can I convert column value to column? for harishalipaka. 06-05-2020 12:49 AM
- Karma Re: How to calculate the difference between two fields from different files? for skoelpin. 06-05-2020 12:47 AM
- Posted Re: How to change the _time to values inside the event data? on Splunk Search. 06-05-2018 11:08 AM
- Posted Time Window feature Override with event time fields on Splunk Search. 06-05-2018 02:03 AM
- Tagged Time Window feature Override with event time fields on Splunk Search. 06-05-2018 02:03 AM
- Tagged Time Window feature Override with event time fields on Splunk Search. 06-05-2018 02:03 AM
- Posted Re: Change Time Window Filter to another type of filtering on Getting Data In. 06-04-2018 01:44 PM
- Posted Change Time Window Filter to another type of filtering on Getting Data In. 05-24-2018 11:56 AM
- Tagged Change Time Window Filter to another type of filtering on Getting Data In. 05-24-2018 11:56 AM
- Tagged Change Time Window Filter to another type of filtering on Getting Data In. 05-24-2018 11:56 AM
- Tagged Change Time Window Filter to another type of filtering on Getting Data In. 05-24-2018 11:56 AM
- Posted Re: Finding difference and percentage from 2 events withe same fields but difference index on Splunk Search. 05-22-2018 01:01 PM
- Posted Re: Finding difference and percentage from 2 events withe same fields but difference index on Splunk Search. 05-22-2018 12:29 PM
- Posted Re: Finding difference and percentage from 2 events withe same fields but difference index on Splunk Search. 05-22-2018 12:21 PM
- Posted Finding difference and percentage from 2 events withe same fields but difference index on Splunk Search. 05-22-2018 12:07 PM
- Tagged Finding difference and percentage from 2 events withe same fields but difference index on Splunk Search. 05-22-2018 12:07 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
06-05-2018
11:08 AM
I followed the instructions on the blog post and could not get it to work. I have a time field within my logs as
year=2018 month=04 day=05 hour=20 event_count=100 . The event came in 2018-06-03 2000 . I want to use the time picker to select events by their year, month, day, hour time fields. NOT when they came in. I overrode _time as well. This is what I have in my source
index=index_1 OR index=index_2 category=mobile event_type=hive_events zone=aws
| eval _time=strptime(time,"%Y-%m-%d-%H:%M:%S")
| sort - _time
| addinfo
| where _time >= info_min_time AND (_time <= info_max_time OR info_max_time = "+Infinity")
| eval DateHour=year."-".month."-".day."-".hour
| eval Start_Time=strftime(info_min_time, "%Y-%m-%d-%H:00")
| eval End_Time=strftime(info_max_time, "%Y-%m-%d-%H:00")
| table DateHour _time Start_time info_min_time End_time info_max_time zone event_count
... View more
06-05-2018
02:03 AM
I have events that arrive present time but have time fields of something similar to
index=idx_1 zone=aws event_type=test year=2018 month=04 day=01 hour=01 event_count=100
The event arrived at 2018-06-05 but has time field values of year=2018 month=04 day=01 hour=01
I want to be able to manipulate my time window feature for all events with the same month, day, hour, and year fields
Use case:
index=idx_1 zone=aws event_type=test year=2018 month=04 day=01 hour=01 event_count=100
index=idx_1 zone=aws event_type=test year=2018 month=04 day=01 hour=01 event_count=120
index=idx_1 zone=aws event_type=test year=2018 month=04 day=01 hour=02 event_count=10
index=idx_1 zone=aws event_type=test year=2018 month=04 day=01 hour=02 event_count=200
For the example events above arrived on 2018-06-01 , I want to be able to use my Time Window feature and pick a DateRange in between 2018-04-01 AND 2018-04-02 and the sample events ABOVE will be returned. How can I do so?
I want to make a chart where the X axis is the time fields and the Y axis is the sum() of all the event_count bounded by the Time Window feature against the event time fields.
X | Y
2018-04-01-01 220
2018-04-01-02 210
... View more
06-04-2018
01:44 PM
Still having trouble with this. I used your sample query and was not able to get any events. I also try to set the range for ALL of 2017 till present.
index=index_1 OR index=index_2 zone=aws OR zone=prem [| gentimes start=-1 | addinfo | eval earliest=info_min_time-86400 | eval latest=info_max_time | table earliest latest ]
| eval _time=strptime(year."-".month."-".day." ".hour.":00","%Y-%m-%d %H:%M")
| where _time>=[| gentimes start=-1 | addinfo | eval search=info_min_time | table search] AND _time<[| gentimes start=-1 | addinfo | eval search=info_max_time | table search]
| eval DateHour=year."-".month."-".day."-".hour
| chart sum(event_count) by DateHour, zone
... View more
05-24-2018
11:56 AM
In the Time Window Filter, I can filter through events based on the time they arrived
However, I would like to filter based on fields within my event. For instance, in all my events, they have these fields:
year=2018 month=01 day=01 hour=01
I can eval this to DateHour=year'-'month'-'day'-'hour to generate 2018-01-01-01 . How can I filter using the Time Window by DateHour instead ?
... View more
05-22-2018
01:01 PM
Good question! I might have more than 1 event per hour for the SAME ZONE. For that case, I would like to sum up all the event_count values for that HOUR
ex:
year=2018 month=04 day=10 hour=09 event_count=110 zone=zone_B
year=2018 month=04 day=10 hour=09 event_count=50 zone=zone_B
I would like to have event_count 160 because these two events are in the same HOUR and same ZONE
For the sample HOUR, I should have 1 event PER zone:
For example:
year=2018 month=04 day=10 hour=09 event_count=10 zone=zone_A
year=2018 month=04 day=10 hour=09 event_count=30 zone=zone_B
year=2018 month=04 day=10 hour=10 event_count=50 zone=zone_A
year=2018 month=04 day=10 hour=10 event_count=20 zone=zone_B
year=2018 month=04 day=10 hour=11 event_count=70 zone=zone_A
year=2018 month=04 day=10 hour=11 event_count=80 zone=zone_B
...
... View more
05-22-2018
12:29 PM
zone_A and zone_B is NOT a number. event_count IS the number of interest.
year=2018 month=04 day=10 hour=09 event_count=100 zone=zone_A
year=2018 month=04 day=10 hour=09 event_count=110 zone=zone_B
How can I distinguish the event_count from the event with zone_A with the event_count with zone_B
... View more
05-22-2018
12:21 PM
My query is
index=idx_A OR index=idx_B | eval DateHour=year."-".month."-".day."-".hour | chart values(event_count) over DateHour by zone
will
eval difference=abs(zone_A - zone_B)
evaluate the difference between event_count of zone_A and event_count of zone_B?
... View more
05-22-2018
12:07 PM
I have this query that returns this:
Sample event in index=idx_A:
year=2018 month=04 day=10 hour=09 event_count=100 zone=zone_A
Sample event in index=idx_B:
year=2018 month=04 day=10 hour=09 event_count=110 zone=zone_B
Query:
index=idx_A OR index=idx_B | eval DateHour=year."-".month."-".day."-".hour | chart values(event_count) over DateHour by zone
The resulting output
DateHour | zone_A | zone_b
2018-04-10-09 100 110
I want to create another column called difference and percentage that would look something like this:
DateHour | zone_A | zone_b | difference | percentage
2018-04-10-09 100 110 10 10%
The difference column would be the absolute value of event_count from zone_A and zone_B and percentage would be
difference / {event_count with zone=zone_A} * 100
... View more
05-21-2018
12:43 PM
I have the following output from my query:
**Search Query** | eval DateHour=year."-".month."-".day."-".hour | chart event_count BY DateHour, zone
DateHour | event_count | zone
2018-04-10 14 A
2018-04-10 14 B
2018-04-11 18 A
2018-04-11 18 B
What can I do to convert my table to something like this:
DateHour | A | B
2018-04-10 14 14
2018-04-11 18 18
... View more
05-01-2018
01:11 PM
Thanks for the update. I should have added more notes to my query. Log from machine A index="machine_a" category=web event_count=100 and log from machine B index="machine_a" category=web event_count=80 . The desired output would be 20 as machine A has 20 more events than machine B. If machine B event_count is 100 and machine A event_count is 80, -20 would be the desired output. While reading your query, I think it takes the difference in the number of LOGS and not event_count . I am also confused as to how to reference machineA and machineB values as you did above
... View more
05-01-2018
12:24 PM
Being new to Splunk, how can I PIPE the logs from machine A and machine B to the same chart? My query looks something like this for machine A index="machine_a" category=web and this for machine B index="machine_b" category=web .
... View more
04-30-2018
12:24 PM
How can I create a bar chart with positive and negative values? Here is the use case I have.
I have events coming in per hour from two different machines, A and B. If machine A has 10 more events generate than machine B, the bar chart should shoot UP 10 units. If machine B has 15 more events than machine A, then the bar chart should shoot DOWN 15 units. If machine A and machine B have the same number of events generated then there would be no units displayed.
I am pretty new to Splunk so I am not sure where to start to create something like this
... View more
