Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About srizan
srizan
Path Finder
Member since:
08-16-2018
07-10-2020
Community Statistics
| Posts | 14 |
| Solutions | 1 |
| Karma Given | 7 |
| Karma Received | 0 |
| Member Since | 08-16-2018 |
Activity Feed
- Posted Using lookup table & Append on Splunk Search. 07-09-2020 09:58 AM
- Tagged Using lookup table & Append on Splunk Search. 07-09-2020 09:58 AM
- Tagged Using lookup table & Append on Splunk Search. 07-09-2020 09:58 AM
- Tagged Using lookup table & Append on Splunk Search. 07-09-2020 09:58 AM
- Posted Re: Visualization not working after extracting values from raw data on Dashboards & Visualizations. 06-16-2020 09:03 AM
- Karma Re: Visualization not working after extracting values from raw data for richgalloway. 06-16-2020 09:03 AM
- Karma Re: Visualization not working after extracting values from raw data for niketn. 06-16-2020 09:03 AM
- Posted Re: Visualization not working after extracting values from raw data on Dashboards & Visualizations. 06-15-2020 01:07 PM
- Posted Visualization not working after extracting values from raw data on Dashboards & Visualizations. 06-15-2020 10:43 AM
- Karma Re: How do I group similar values together? for anthonymelita. 06-05-2020 12:50 AM
- Karma Re: How to combine unique values of the field into one? for niketn. 06-05-2020 12:49 AM
- Karma Combine two rows from a search into one? for dzenn. 06-05-2020 12:48 AM
- Karma How do I bring serial number in splunk for abhayneilam. 06-05-2020 12:46 AM
- Karma Re: How do I bring serial number in splunk for Gilberto_Castil. 06-05-2020 12:46 AM
- Posted Re: How do I pass an input parameter to the search string of another input? on Splunk Search. 06-03-2020 08:51 AM
- Posted How do I pass an input parameter to the search string of another input? on Splunk Search. 06-03-2020 08:14 AM
- Tagged How do I pass an input parameter to the search string of another input? on Splunk Search. 06-03-2020 08:14 AM
- Tagged How do I pass an input parameter to the search string of another input? on Splunk Search. 06-03-2020 08:14 AM
- Posted Re: How do I bring serial number in splunk on Splunk Search. 12-07-2018 11:32 AM
- Posted How do I group similar values together? on Alerting. 12-05-2018 02:35 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
07-09-2020
09:58 AM
I have two queries. First one has multiple fields: source, IP, comment & cIP and this is exported CSV as a output lookup table. Second query also has source & IP which is used for comparison. It will have also have comment which needs to be appended with values from the first query. It will also have other fields nIP, logN. The second query needs to compare values of source & IP from the lookup table and retrieve fields comment & cIP from the look up table & output.
Ex.
Query 1 output -> lookup table:
source
IP
Comment
cIP
xyz.com
111.111.111.111
table1
1
xyz.com
111.111.111.112
table1
2
abc.com
111.111.111.111
table1
1
Query 2 Fields:
source
IP
Comment
nIP
logN
xyz.com
111.111.111.111
table2
2
951
xyz.com
111.111.111.112
table2
3
751
qwe.com
255.255.255.001
table2
2
152
Final Output
source
IP
Comment
cIP
nIP
logN
xyz.com
111.111.111.111
table1
table2
1
2
951
xyz.com
111.111.111.112
table1
table2
2
3
751
abc.com
111.111.111.111
table1
1
-
-
Query 2 contains more data than Query 1, I only need to include source & IP that are output from Query 1 only. For example, in Query 2, there is qwe.com which is not in Query 1 so that is not in the Final Output but abc.com is.
I am currently doing append:
index=* AND source=*.log
| dedup source IP
| fields source IP Comment nIP logN
| append
[search index=app* earliest=-15m
| eval host=IP
| dedup source IPNAME
| table SRVID IPNAME comment cIP]
| stats values(comment) as comment, values(nIP) as nIP, values(logN) as logN by IPNAME,SRVID
| where comment=="table1"
... View more
Labels
- Labels:
-
lookup
06-16-2020
09:03 AM
@niketn Thank you! That worked!! I was using rex to extract the value but this seems to be cleaner approach.
... View more
06-15-2020
01:07 PM
I was able to work around using rex to extract the value. Still unsure why conversion did not work.
... View more
06-15-2020
10:43 AM
Raw Value:
logtype=audit 2020-06-15T12:25:52,650| tid:SDFGH3456gtbhjcfdt$%| AUTHN_REQUEST| | 38 | | 123| | asdxc| AS| ss| | | 40
Query:
index = "PF.log"
| eval fields=split(_raw,"|")
| eval response=mvindex(fields,13)
| timechart values(response) BY host
I am interested in the last value which is 40 in this example. I tried converting the value tonumber and tried other conversion techniques which doesn't seem to work for some reason.
... View more
Labels
- Labels:
-
timechart
06-03-2020
08:51 AM
Yeah! Seems like there was some issue with caching maybe, it worked in incognito.
... View more
06-03-2020
08:14 AM
I have multiple inputs in the dashboard. The first input is for various environments (hard coded). And the second input is for various accounts from the selected environment (leverages search string). I have the first input tokenized as "env" however, passing it in the second input search string as environment=$env$ doesn't yield the value from the first input.
... View more
- Tags:
- passing
- search-string
12-05-2018
02:35 PM
source=*prod*
| dedup SRV JAVAVER
| stats count(SRV) by JAVAVER
This would generate report with all of the Java Versions.
I visualized using PieChart but I am only interested in seeing the chart with JAVAVER grouped as Java 18, Java 17 & Java19 instead of Java1801, Java1802, and so on.
Bascially, I want to group something like this only for the Pie Chart if possible:
JAVAVER=Java19* -> Java19
JAVAVER=Java18* -> Java18
JAVAVER=Java17* -> Java17
... View more
- Tags:
- splunk-enterprise
11-30-2018
07:10 AM
Surprisingly it worked after I switched values(IPADDR ) at the end.
Before I was doing the following
source=*prod*
| dedup SRV AVER ZONE
| fields + SRV , IVER, AVER, ZONE
| stats values(ZONE) as ZONE, values(IPADDR) as IPADDR, values(host) as host by SRV AVER
| nomv ZONE
| eval ZONE=replace(ZONE,"\s",",")
| nomv IPADDR
| eval IPADDR =replace(IPADDR ,"\s",",")
| nomv host
| eval host=replace(host,"\s",",")
It worked after I switched place between host & IPADDR:
source=*prod*
| dedup SRV AVER ZONE
| fields + SRV , IVER, AVER, ZONE
| stats values(ZONE) as ZONE, values(host) as host, values(IPADDR) as IPADDR by SRV AVER
| nomv ZONE
| eval ZONE=replace(ZONE,"\s",",")
| nomv host
| eval host=replace(host,"\s",",")
| nomv IPADDR
| eval IPADDR =replace(IPADDR ,"\s",",")
I am not sure why did this happen? Can anyone explain me the difference, and why it might not have worked. BTW, when I tried the first command, it did not even show the host field at all in the final output.
... View more
11-30-2018
07:01 AM
So far I was able to combine 2 of those into one stats, introducing third value(X) as X would not yeild the last field in the final result. Here is what the query looks like:
source=*prod*
| dedup SRV AVER ZONE
| fields + SRV , IVER, AVER, ZONE
| stats values(ZONE) as ZONE values(IPADDR) as IPADDR by SRV AVER
| nomv ZONE
| eval ZONE=replace(ZONE,"\s",",")
| nomv IPADDR
| eval IPADDR =replace(IPADDR ,"\s",",")
... View more
11-29-2018
03:17 PM
I am trying to make a report with the unique combination of ID, AVER SRV, ZONE, IPADDR & host. Unfortunately, I am getting lots of duplicate values because I have multiple values for ZONE, IPADDR & host. Currently, I am using 3 different queries in Splunk and joining the table with SRV later. However, is there anyway I can combine multiple values of those fields in one field each so I won't have lots of duplication.
Currently I am using the following query:
I have a query that re
source=*prod*
| dedup SRV AVER ZONE
| fields + SRV , IVER, AVER, ZONE
| stats values(ZONE) as ZONE by SRV AVER
| nomv ZONE
| eval ZONE=replace(ZONE,"\s",",")
source=*prod*
| dedup SRV IPADDR
| fields + SRV IPADDR
| stats values(IPADDR) as IPADDR by SRV
| nomv IPADDR
| eval IPADDR =replace(IPADDR ,"\s",",")
source=*prod*
| dedup SRV host
| fields + SRV , host
| stats values(host) as host by SRV
| nomv host
| eval host=replace(host,"\s",",")
... View more
08-16-2018
10:07 AM
That worked like a charm, Thank you @niketnilay
... View more
08-16-2018
09:38 AM
@marycordovacaa I apoligize for not being clear,
I have various values for ZONE and dedup for
ID | AVER | SRV | ZONE
123 1 2 01
123 1 2 02
123 1 2 03
I want it to have it something like this
ID | AVER | SRV | ZONE
123 1 2 01,02,03
... View more
08-16-2018
08:44 AM
I am trying to make a report with the unique combination of ID, AVER SRV & ZONE. However, since I am getting lots of duplicate values because I have multiple values for ZONE, is there anyway I can combine all the ZONE in one field so I won't have lots of duplication.
Currently I am using following query:
| dedup ID AVER SRV ZONE | fields + ID, SRV, ZONE
Now if the Zone has multiple values, I am getting multiple entries instead I am trying to have one entry with all the different zones combined.
Please advise.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
07-10-2020
11:48 AM
|
Karma given to
