Replacing a value of one field with the value of another.
I checked the past questions and answers, but I am not able to find a way to do this. Basically the value field of the event has "DERIVE". I need to replace "DERIVE" with the value in Count. I am trying to use MLTK and keep getting this error: "Error while fitting "LinearRegression" model: could not convert string to float: DERIVE". This was CSV data that was uploaded.
Thanks for the help.
How can we add the first event to all existing events as metadata?
Here is the case: I have a huge XML file, from which I have extracted the events based on the tags. So I have the 3 tags header, trailer and body. So, the output will be the header section as one event, the body is divided into x number of events based on the internal tag, and the trailer has one event. I need the header section to be attached to all the events. How can we do this?
Structure of the XML (image: /storage/temp/254925-vikas.png)
Splunk License Key (trial)
Hello.
I created an EC2 instance on AWS with Splunk installed.
When I try to search in Splunk for my data coming from Amazon Kinesis Firehose, I get an error message stating that my license has expired.
I would like to know how to apply a Splunk license that is already installed. Is it possible?
I need help.
Thank you.
Regards.
Forwarder not forwarding data other than _internal
I have a forwarder that is not forwarding any input data other than _internal.
Checks performed:
Splunk version - 6.4.2
Forwarder is up and running.
Checked the $SPLUNK_HOME/etc/system/local/inputs.conf -- checked the host name.
Checked the $SPLUNK_HOME/etc/system/local/deploymentclient.conf
Checked the $SPLUNK_HOME/etc/system/local/server.conf
I don't see any error/warning in splunkd.log.
File path for the log files.
I have restarted the forwarder several times, but no luck.
The inputs in the /etc/app are not forwarding.
Please advise.
Combine data from two source types based on common values
Hi there,
I have a question regarding source types. I have 2 source types, A and B. A has a field called aaa and B has a field called bbb. These 2 fields share the same value (example: aaa=123, bbb=123) but the field name is different. I want to combine the two source types based on the fields with the same value (the value will change dynamically, so I can't hardcode it) and extract data from both source types. Is it possible, and if so, how do I approach this?
I tried something like this:
index=??? host=??? (sourcetype=A OR sourcetype=B)
| rename aaa as bbb
| rex field=_raw "ClientId=(?<cID>\d+)"
| stats values(cID) as ID by bbb
| eval Duration = round(Duration,3)
| table Duration ID
How to get a single value based on eval results
Hello,
I have a search that joins together data. The search works great, but the results that I'm trying to get are proving a bit tricky.
index=tsv
|rename BOID AS id
|dedup SurveyInstanceID QuestionID QuestionText QuestionAnswer QuestionAnswerWeight
|join id [`init(assessments)`
|rename info_name as assessmentName
|dedup assessmentName
|`fp_mvexpand(related_vendors)`
|eval RV = mvindex(related_vendors,0) ]
|join RV [ `init(vendors)`
|rename id as RV info_name as Vendor
|dedup Vendor]
| search Vendor=$vendor$
|streamstats count(QuestionID) by SectionTitle
|rename count(QuestionID) as total
| eval "Section Status"=case(SectionTitle == "1.1" AND total == "3", "Completed",
SectionTitle == "1.2 " AND total == "4", "Completed",
SectionTitle == "1.3" AND total == "3", "Completed",
true(), "Incomplete")
|rename total as "Questions Answered" SectionTitle as "Section Title"
The goal is that if "Section Status" == "Incomplete" AT ALL, return "Incomplete"; otherwise it's "Complete".
This causes every record to be evaluated, which is not what I'm trying to get. I only need it to return a single result.
So let's say
SectionTitle == "1.1" AND total == "3"
SectionTitle == "1.2 " AND total == "2"
SectionTitle == "1.3" AND total == "3"
The result would be "Incomplete".
I plan on making this a single value panel on a dashboard.
Thanks for the assistance.
What is the difference between the dbinspect command and "_bkt"?
Hello guys,
Could you let me know the difference, in terms of buckets, between:
`| dbinspect *search*` and `*search* | eval bkt=_bkt | table bkt`?
It looks like `dbinspect` returns more results and with a wider span. My aim is to remove buckets according to a specific search and timeframe.
Thanks.
Why are two of my columns empty in a table returned by a lookup file with multiple fields?
I used a lookup file which is configured like this:
field1, field2, field3, field4
value1, value2, value3, value4
value10, value2, value3, value4
value11, value2, value3, value4
I would like to obtain the results in a table where I count the quantity of the first field:
field2 field3 field4 field1
value2 value3 value4 3
I tried this search:
my search | lookup mylookup field1 output field2, field3, field4 | chart count by field2 | table field2 field3 field4 nb
but columns field3 and field4 are empty.
Where is my mistake?
How do you create a table with each row being a log and every column being a recognized "Interesting Field"?
I was wondering if there is an easy way to create a table that contains every single recognized interesting field instead of doing the usual `| table field1, field2...` method.
To be clear I want to have each row in the table as a separate instance/log and not a summary of counts. In other words, I would like a substitution for `| table` but to capture every single interesting field that is recognized. Thanks!
I am looking for a shortcut that will basically do something like this:
field1 . field2 .... field100
log A: string1. string2 . string100
logB: string21 . string22. string200
I know you can do it manually by performing the command `| table field1, field2... field100`,
but typing out every field I want to capture is extremely time consuming, so I am wondering if there is a shortcut to do it.
How do you highlight a table cell based on a field of the search result?
I am trying to highlight the cells of my result table. I have seen multiple examples showing how to highlight a cell based on the value shown in the actual result table.
What I need is for the cell to get highlighted based on another value of the search result. My search result looks like this:
Client System Timestamp OrderCount Color
Client1 WebShop 2018-09-12T13:00:00.000Z 200 red
Client1 WebShop 2018-09-12T14:00:00.000Z 100 yellow
Client1 BizTalk 2018-09-12T13:00:00.000Z 50 green
Client1 BizTalk 2018-09-12T14:00:00.000Z 90 yellow
...
My query looks like this:
base search | chart values(OrderCount) over Timestamp by System
Which will result in the following table:
Timestamp WebShop BizTalk
2018-09-12T13:00:00.000Z 200 50
2018-09-12T14:00:00.000Z 100 90
...
I want to highlight the OrderCount values (200, 100, 50, 90) based on their respective value of the field "Color" from my search result.
So the cell 200 of my table would be red.
Is there any way to accomplish this?
How do I use a look up to check to see if I'm getting logs from hosts that are in a CSV?
Dears,
I'm trying to use a lookup in Splunk to read a file and tell me if I'm collecting the logs from the hosts in that file.
What I need: Check if I'm getting logs from hosts that are in a CSV.
I am using the following query:
index = main OR index = client * | stats count by host | lookup client_sys hostname AS host
I also tried using the `inputlookup` command, but it did not work:
index = main OR index = client * NOT [| inputlookup client_sys.csv | fields host]
Is there any other way to do this?
Thanks a lot.
Using average in Maps+ instead of count.
While using Maps+, the clusters it makes show the count of events in them. How can I use the average of the values for a particular KPI? Like when it shows the cluster count, can I display the average of a KPI like I am able to do on custom cluster maps?
(image: /storage/temp/256000-capture.png)
As the picture shows counts like 273, I want the average of a percentage displayed here. Is that at all possible? Please help, I need this done quickly.
Bucket two events using a timespan starting with the first event
My question is a mix of using the transaction command with the bin command. What I would like to achieve is capturing when 2 consecutive POST requests are made in proxy logs within two seconds of each other. Straight up using `| bin span=2s` misses out on events that might happen during odd seconds. Essentially, I want the two-second timer to start when the first event occurs, and then look for the next event (another POST request) within two seconds. Is there a feasible way to achieve what I'm asking for? Or am I not making much sense?
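As an added illustration of the difference described above (example code written for this page, not part of the original question and not a Splunk command): a Python model of the epoch-aligned 2 s bucket beside a sliding window that starts at each POST, run over constructed proxy log lines in an assumed "timestamp client method url" format.

```python
# Added example (not from the post): sliding 2 s window vs. fixed `bin span=2s`.
# Assumes a constructed proxy log format: "<ISO ts> <client_ip> <method> <url>".
from datetime import datetime, timedelta, timezone

# Constructed sample proxy log lines, not real traffic.
SAMPLE_LOG = """\
2018-09-12T13:00:00.900Z 10.0.0.5 GET http://example.test/a
2018-09-12T13:00:01.500Z 10.0.0.5 POST http://example.test/login
2018-09-12T13:00:02.400Z 10.0.0.5 POST http://example.test/upload
2018-09-12T13:00:04.100Z 10.0.0.9 POST http://example.test/p
2018-09-12T13:00:05.200Z 10.0.0.9 POST http://example.test/q
2018-09-12T13:00:09.000Z 10.0.0.7 POST http://example.test/x
2018-09-12T13:00:12.000Z 10.0.0.7 POST http://example.test/y
"""
WINDOW = timedelta(seconds=2)

def parse(log):
    """Yield (utc_timestamp, client, method) from each log line."""
    for line in log.splitlines():
        ts, client, method, _url = line.split(" ", 3)
        yield (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")
               .replace(tzinfo=timezone.utc), client, method)

def fixed_bin_pairs(log):
    """Like `bin span=2s`: a pair is only seen if both POSTs fall in the same
    epoch-aligned 2 s bucket, so POSTs 0.9 s apart across a boundary are missed."""
    buckets = {}
    for ts, client, method in parse(log):
        if method == "POST":
            buckets.setdefault((client, int(ts.timestamp()) // 2), []).append(ts)
    return [client for (client, _b), hits in buckets.items() if len(hits) >= 2]

def sliding_window_pairs(log):
    """Start the 2 s timer at each POST and check whether the same client's next
    POST arrives within it; this is the behaviour the question asks for."""
    last_post, pairs = {}, []
    for ts, client, method in parse(log):
        if method != "POST":
            continue
        prev = last_post.get(client)
        if prev is not None and ts - prev <= WINDOW:
            pairs.append((client, prev.isoformat(), ts.isoformat()))
        last_post[client] = ts
    return pairs

if __name__ == "__main__":
    print("fixed bins:", fixed_bin_pairs(SAMPLE_LOG))      # ['10.0.0.9']
    print("sliding   :", sliding_window_pairs(SAMPLE_LOG))  # 10.0.0.5 and 10.0.0.9
```

Client 10.0.0.5's two POSTs are 0.9 s apart but straddle a bucket boundary, so only the sliding window reports them; client 10.0.0.7's POSTs are 3 s apart and neither method pairs them.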
Multiple Cumulative Time Series
I can make multiple summed time series.
source="splunk-source"
| timechart sum(figure) as figure by category
I can make a single cumulative summed time series.
source="splunk-source"
| timechart sum(figure) as figure
| streamstats sum(figure) as cumulative_figure
| timechart last(cumulative_figure)
But I can't make multiple cumulative summed time series.
I would appreciate some help with that.
Splunk forwarder 6.6.6 upgrade failure
I'm trying to upgrade the forwarder to splunkforwarder-6.6.6-ff5e72edc7c4-x64-release.msi, but it fails with a "File in use" error.
This is the command I used:
msiexec.exe /i splunkforwarder-6.6.6-ff5e72edc7c4-x64-release.msi /log C:\Windows\Install\Install_SplunkForwarder_6.6.6_MSI.log /quiet /norestart LAUNCHSPLUNK=0 AGREETOLICENSE=Yes
Looks like it fails because the Splunk service is running. But the MSI usually takes care of it. Any idea what's going on?