Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About petenetwork
petenetwork
Explorer
Member since:
06-11-2018
02-12-2021
Community Statistics
| Posts | 9 |
| Solutions | 0 |
| Karma Given | 4 |
| Karma Received | 1 |
| Member Since | 2018-06-11 |
Activity Feed
- Posted Re: How can I avoid browser freeze when searched records are long with no newlines on Splunk Search. 02-11-2021 02:37 PM
- Posted Re: How can I avoid browser freeze when searched records are long with no newlines on Splunk Search. 02-10-2021 04:10 PM
- Posted How can I avoid browser freeze when searched records are long with no newlines on Splunk Search. 02-10-2021 04:05 PM
- Karma Re: How to display active/selected time range? for HiroshiSatoh. 06-05-2020 12:49 AM
- Karma Re: How are Windows instance numbers for two processes with the same name determined? for MuS. 06-05-2020 12:49 AM
- Karma Re: How are Windows instance numbers for two processes with the same name determined? for MuS. 06-05-2020 12:49 AM
- Karma Re: How are Windows instance numbers for two processes with the same name determined? for DalJeanis. 06-05-2020 12:49 AM
- Got Karma for How are Windows instance numbers for two processes with the same name determined?. 06-05-2020 12:49 AM
- Posted Re: How to make subsearch use same time range, same index, same sourcetype as outer search? on Splunk Search. 06-13-2019 09:07 PM
- Posted How to make subsearch use same time range, same index, same sourcetype as outer search? on Splunk Search. 06-13-2019 08:15 PM
- Tagged How to make subsearch use same time range, same index, same sourcetype as outer search? on Splunk Search. 06-13-2019 08:15 PM
- Tagged How to make subsearch use same time range, same index, same sourcetype as outer search? on Splunk Search. 06-13-2019 08:15 PM
- Tagged How to make subsearch use same time range, same index, same sourcetype as outer search? on Splunk Search. 06-13-2019 08:15 PM
- Tagged How to make subsearch use same time range, same index, same sourcetype as outer search? on Splunk Search. 06-13-2019 08:15 PM
- Posted How to display active/selected time range? on Dashboards & Visualizations. 06-20-2018 05:44 PM
- Tagged How to display active/selected time range? on Dashboards & Visualizations. 06-20-2018 05:44 PM
- Tagged How to display active/selected time range? on Dashboards & Visualizations. 06-20-2018 05:44 PM
- Tagged How to display active/selected time range? on Dashboards & Visualizations. 06-20-2018 05:44 PM
- Posted Re: How are Windows instance numbers for two processes with the same name determined? on Getting Data In. 06-12-2018 04:54 PM
- Posted Re: How are Windows instance numbers for two processes with the same name determined? on Getting Data In. 06-11-2018 06:55 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 1 |
02-11-2021
02:37 PM
A better regular expression is: |regex _raw!="(?m)^[^\r\n]{512,}" ... for the case where the long line isn't the first line. If you don't know the (?m) flag search for PCRE flags. Or alternative ignore the anchor altogether (but this may be less performant): |regex _raw!="[^\r\n]{512,}" Up to you which you choose.
... View more
02-10-2021
04:10 PM
I've tried adding: |regex _raw!="^[^\r\n]{512,}" .. and this has filtered out the long records that result in Splunk freezing my browser. Would be great if Splunk could fix this browser-killing bug.
... View more
02-10-2021
04:05 PM
When I do some searches I get records which are very long and have no newlines. The browser (Firefox in my case) effectively freezes up. How can I avoid effectively locking up my browser when doing queries that might return such records?
... View more
Labels
- Labels:
-
other
06-13-2019
09:07 PM
Then how about the inverse? Does the outer search obey the limits set by the inner search? Will earliest and latest be honoured by the outer search if they are not explicitly overridden?
... View more
06-13-2019
08:15 PM
So I specify an outer query, it usually starts like this:
earliest=06/14/2019:13:00:00 latest=06/14/2019:14:00:00
index=os sourcetype=ps
So far, so good. Now I want to find all PIDs using the same Java command line, e.g.
|search [search
CMD=java*
|table CMD
]
Then summarise the results:
|stats values(PID) as PIDs by CMD
The issue is that my subsearch doesn't seem to default itself to the earliest and latest fields I specified at the very beginning of the query. In fact I have to pad my subsearch like this:
|search [search
earliest=06/14/2019:13:00:00 latest=06/14/2019:14:00:00
index=os sourcetype=ps
CMD=java*
|table CMD
]
This is unnecessarily bulky. And I don't want to have to specify the time range multiple times.
How can I make my inner search (the "subsearch") adhere to the earliest and latest keywords specified to the outer search?
... View more
06-20-2018
05:44 PM
I can create a Splunk query using earliest and latest fields, e.g.:
earliest=-7d latest=-1d index=os * |head 1
What I want is to put that calculated earliest time into a variable, e.g.
|eval StartedFrom=strftime( earliest, "%Y-%m-%d" )
... but this doesn't work.
How can I store the boundary of the search period into a variable?
UPDATE: @HiroshiSatoh provided the answer. My working query now looks like:
|makeresults
|addinfo
|eval result="earliest=" . strftime(info_min_time,"%m/%d/%Y:%H:%M:%S") . " latest=" . strftime(info_max_time,"%m/%d/%Y:%H:%M:%S")
|table result
This is extremely useful because I can put this into a dashboard and then cut-and-paste the earliest/latest modifiers into any other queries I make while narrowing into an interesting time period.
Note that because this query does not rely on any actual search a dummy value can be created by prefixing the query with |makeresults .
... View more
06-12-2018
04:54 PM
I've discovered that the sourcetype=Perfmon:Process counter="ID Process" counter maps instance to ProcessID ( Value ), the command line of which can be looked up using sourcetype=WinHostMon .
... View more
06-11-2018
06:55 PM
Thank you MuS, I believe that answers my question. I'd be happy to credit you with the answer if you wish to repost your comment as an answer.
... View more
06-11-2018
06:32 PM
1 Karma
I have several svchost.exe processes running on a Windows host. In Splunk in the Perfmon:Process sourcetype I have events of the following form (apologies for the United States of America date format, it is confusing as it is not in a logical ordering of units like ISO8601, but unfortunately this is the way events are stored in Splunk, the dates below are the 12 May, not 5 December as anyone might logically interpret them, I understand Splunk is used by people worldwide and to use a confusing date format is not helpful):
05/12/2018 15:20:41.325 +0000
collection=Process
object=Process
counter="Working Set - Private"
instance=svchost
Value=2404352
05/12/2018 15:20:41.325 +0000
collection=Process
object=Process
counter="Working Set - Private"
instance=svchost#1
Value=774144
05/12/2018 15:20:41.325 +0000
collection=Process
object=Process
counter="Working Set - Private"
instance=svchost#3
Value=10354688
Now svchost#3 is using too much memory. Elsewhere I have logs that record the PID of all the running processes but not the instance number. So what does the #3 refer to, how is it determined?
I've tried to guess, perhaps that number #3 is allocated in order of (as found in sourcetype=WinHostMon 😞
ProcessId , or
StartTime (of the process), or
CommandLine
... or is it randomly assigned? Is there any way of mapping an instance number to a particular running process on a host?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
02-12-2021
03:52 PM
|
