Channel: Questions in topic: "splunk-enterprise"
Viewing all 47296 articles

What is the token name of the Search form's time range picker?

I want to display human-readable timestamps for the Search form's default time range picker's earliest and latest values, but I can't figure out what the token name of the time range picker is.

How to edit my search to find total emails sent per user on a daily basis?

I am trying to pull stats that show the average emails sent per user per day. I have the following search, but running it returns no results:

index=exchange NOT Status=Quarantined NOT Status=Failed SenderAddress=*.xyz.com | dedup MessageId sortby _time | stats count(eval(RecipientAddress)) as recipient_count by SenderAddress | table _time SenderAddress recipient_count Subject MessageId Size | timechart sum(recipient_count) as "Daily Total" span=1d

Thx

Why is the Splunk 6.5.2 download link missing?

I'm looking to upgrade my install, and went to the normal pages and do not see a link to actually download 6.5.2. Is it not up yet? If not, where can i get (wget) 6.5.1? https://www.splunk.com/en_us/download/splunk-enterprise.html

How to dynamically add servers to serverclass.conf Whitelist

We have ~16,000 Windows client machines, and the machines are reporting to an app:

[serverClass:xom_TA-app1]
whitelist.0 = windows
machineTypesFilter = windows-intel,windows-x64

Now we want to split them: ~1,500 point to app2 and the rest (14,500) point to app1. How can we achieve this without adding all the server names to the whitelist, as that will be very painful to manage?

How to disable clickable events in tabled results with SimpleXML?

Hello all, I have found this link: https://answers.splunk.com/answers/7646/how-to-disable-results-table-row-clicking.html?utm_source=typeahead&utm_medium=newquestion&utm_campaign=no_votes_sort_relev though it does not help. I simply want to disable the displayed tabled information from being "clickable". Any ideas? Thank you!

Eval Field Results Empty

Hello, I have searched some of the previous questions, but none seem to pertain to my problem. I am running the below query:

| jirarest jqlsearch "type = *(typename)* AND \"Environment Type\" = *(environmenttype)* AND (\"Environment Name\" in (*(environmentname1)*, *(environmentname2)*, *(environmentname3)*) OR \"Environment Name\" is EMPTY) AND createdDate >= startOfMonth()" | eval Created=strptime(Created, "%d:%m") | table Created

The query returns table rows as if it is finding results, but all of the rows are blank. The field I am evaluating is a date/time field, but it has more data than I need, and I am also trying to present it in a more easily readable format. Any insight anyone may have will be greatly appreciated. Thank You.

How can I dedup across rows and columns in a pivot table?

I have a pivot table with data, but I need to find the number of times these values occur. However, a user can input the same value in different fields, causing the same value to appear on different rows and in different columns. How can I dedup across all rows and columns to return the single value and the total count it occurs? For example:

Pivot   Col1      Col2   Col3
Here    NULL      NULL   NULL
There   Anywhere  Here   NULL
Here    Here      Here   NULL

Why am I unable to add my search to a dashboard panel?

I am using the following search to get all indexes and sourcetypes, but I am unable to add the search to a dashboard panel. The XML seems to escape the text correctly but doesn't bring back any results.

| eventcount summarize=false index=* index!=_* | dedup index | fields index | map maxsearches=100 search="| metadata type=sourcetypes index=\"$index$\" | eval retention=tostring(abs(lastTime-firstTime), \"duration\") | convert ctime(firstTime) ctime(lastTime) | sort lastTime | rename totalCount AS \"TotalEvents\" firstTime AS \"FirstEvent\" lastTime AS \"LastEvent\" | eval index=\"$index$\"" | rename index as "Index" "sourcetype" as "SourceType" | fields Index SourceType TotalEvents FirstEvent LastEvent

How should I create a software installation alert?

Question: I'm trying to install software on some devices, and if the install fails, I should know about it and in which step it failed. Ideally I want to present a report/dashboard; I would also need to set up an alert. I have data being logged for each installation step in Splunk, mostly in JSON format. It has a timestamp, device id, and install step info. What should I be reading in terms of docs, and are there any pointers on how to approach the problem?

How to convert my two searches into tstats searches?

Hey everyone, I need a little assistance converting these 2 searches (one is a pivot search) I have into `tstats` searches.

1. `| pivot Expweb_Tracelog_Service Service_Events count(Service_Events) AS "Count of Service_Events" SPLITROW _time AS _time PERIOD auto SPLITCOL eventName FILTER eventName is service:SoftvoyageService* FILTER success is false SORT 100 _time ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 100 SHOWOTHER 1`

2. `index = exp sourcetype = expwebtracelog splunk_server_group = ewe host = cheXwbtexweb10* eventName=service:SoftvoyageService* OR eventName=ThreePP* | stats count AS Total count(eval(success="true")) AS Successful count(eval(success="false")) AS Failed by eventName | eval "SuccessPercent"=(Total-Failed)/Total*100`

Thanks,

How to rewrite metadata using the values of a few keys in the event data?

We are looking at [potentially] adding an abstraction layer in between a host and the indexers, but we of course lose the metadata so key to Splunk. We are looking to use fluentd as the abstraction layer/data pipeline. In many cases, I have a nice JSON output with key/value pairs, but I would like to use the values of a few keys to rewrite the metadata (host, index, source, sourcetype). So let's say we have this: {"sourcetype":"fluentd","index":"main"} How do I carve out those fields and rewrite them as metadata? It seems that I need to use a regex; can't I use the keys? Any help is much appreciated!

How can we show or display application response time based on session id?

Hi, we are running load tests on 6 of the microservices, and each has a different API. We are indexing those logs into Splunk for monitoring. The log has details like org name, app name, session id, uri, msg, ResponseTime, ResponseCode, etc. I extracted all of them in Splunk, and each has some values. The session id we can find after the endpoint: /public/sso/keepalive|79BF94E2-8165-b302-2869-28cc942d6e The incoming flow always starts from application app-ca-sit and makes a call to app-sso-sit; this processes and completes the request, and we see this app's response time alone in the 2nd log. The 1st log also shows a response time, but it gives you the total response time of both microservices. How can we show or display application response times in order? I am attaching a sample diagram which gives a good understanding.

<6>2017-01-25T22:47:16Z 0ke4hjl7eph doppler[22]: {"cf_app_id":"012b7380-c96c-46e6-a57e-b96fd1f7266c","cf_app_name":"app-ca-sit","cf_ignored_app":false,"cf_org_id":"fd12558e-ddaf-4dd2-91b3-85f28ccd27f3","cf_org_name":"SYSTEM","cf_origin":"firehose","cf_space_id":"f9e2c3b9-ff7a-46b2-b359-9ec4ec13487b","cf_space_name":"lab","deployment":"cf","event_type":"LogMessage","ip":"168.72.186.55","job":"diego_cell-partition-ee9c6bad3843f162447f","job_index":"6","level":"info","message_type":"OUT","msg":" INFO [nio-8080-exec-3] c.c.c.l.c.f.CCPLoggingContextFilter c.c.c.l.c.f.CCPLoggingContextFilter.postProcess(CCPLoggingContextFilter.java:187) - POST|/public/sso/keepalive|79BF94E2-8165-b302-2869-28cc942d6e|9207ccf1-056e-41f9-be87-72e702ddf93c|US|GCB|MBK||METRICS|ResponseCode=200|ResponseTime=53","origin":"rep","source_instance":"0","source_type":"APP","time":"2017-01-25T22:47:16Z","timestamp":1485384436814105817}

<6>2017-01-25T22:47:16Z v2d4vnhslen doppler[19]: {"cf_app_id":"6b3e0a17-c90e-4921-8bb5-d01dbc4fc768","cf_app_name":"app-sso-sit","cf_ignored_app":false,"cf_org_id":"fd12558e-ddaf-4dd2-91b3-85f28ccd27f3","cf_org_name":"SYSTEM","cf_origin":"firehose","cf_space_id":"f9e2c3b9-ff7a-46b2-b359-9ec4ec13487b","cf_space_name":"lab","deployment":"cf","event_type":"LogMessage","ip":"168.72.186.50","job":"diego_cell-partition-ee9c6bad3843f162447f","job_index":"1","level":"info","message_type":"OUT","msg":" INFO [io-8080-exec-18] c.c.c.l.c.f.CCPLoggingContextFilter c.c.c.l.c.f.CCPLoggingContextFilter.postProcess(CCPLoggingContextFilter.java:187) - POST|/public/sso/keepalive|79BF94E2-8165-b302-2869-28cc942d6e|9207ccf1-056e-41f9-be87-72e702ddf93c|US|GCB|MBK||METRICS|ResponseCode=200|ResponseTime=44","origin":"rep","source_instance":"0","source_type":"APP","time":"2017-01-25T22:47:16Z","timestamp":1485384436812148138}
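One way to get the per-service breakdown asked for above, as an added example rather than anything from the question: it splits the concatenated firehose stream, keys the events on the session id in the pipe-delimited msg, orders them by completion time and derives each service's own time from the linear call chain the question describes (caller's ResponseTime includes the callee's). The two sample events are trimmed copies of the ones quoted in the question.

```python
import json
import re
from collections import defaultdict

# Sample built from the two firehose events in the question, trimmed to the keys read
# here (cf_app_name, msg, timestamp); as in the question the second event is glued on.
SAMPLE = (
    '<6>2017-01-25T22:47:16Z 0ke4hjl7eph doppler[22]: {"cf_app_name":"app-ca-sit",'
    '"msg":" INFO [nio-8080-exec-3] CCPLoggingContextFilter - POST|/public/sso/keepalive'
    '|79BF94E2-8165-b302-2869-28cc942d6e|9207ccf1-056e-41f9-be87-72e702ddf93c|US|GCB|MBK'
    '||METRICS|ResponseCode=200|ResponseTime=53","timestamp":1485384436814105817}'
    '<6>2017-01-25T22:47:16Z v2d4vnhslen doppler[19]: {"cf_app_name":"app-sso-sit",'
    '"msg":" INFO [io-8080-exec-18] CCPLoggingContextFilter - POST|/public/sso/keepalive'
    '|79BF94E2-8165-b302-2869-28cc942d6e|9207ccf1-056e-41f9-be87-72e702ddf93c|US|GCB|MBK'
    '||METRICS|ResponseCode=200|ResponseTime=44","timestamp":1485384436812148138}'
)

# One event = syslog-style prefix, then a JSON body that runs up to the next "<N>" prefix.
EVENT_RE = re.compile(r'<\d+>\S+ \S+ doppler\[\d+\]:\s*(\{.*?\})\s*(?=<\d+>|$)', re.S)
# Inside msg: METHOD|uri|session id|...|ResponseCode=NNN|ResponseTime=NNN
MSG_RE = re.compile(r'(?P<method>[A-Z]+)\|(?P<uri>[^|]+)\|(?P<session>[^|]+)\|.*'
                    r'ResponseCode=(?P<code>\d+)\|ResponseTime=(?P<ms>\d+)')

def parse_events(raw):
    """Split the stream and pull app name, session id and timing out of each event."""
    out = []
    for m in EVENT_RE.finditer(raw):
        ev = json.loads(m.group(1))
        f = MSG_RE.search(ev.get("msg", ""))
        if not f:
            continue  # not a METRICS line, nothing to time
        out.append({"app": ev["cf_app_name"], "ts": ev["timestamp"],
                    "session": f["session"], "total_ms": int(f["ms"])})
    return out

def response_breakdown(raw):
    """Per session id: services in completion order as (app, total_ms, own_ms).
    Assumes the linear chain the question describes: each service's ResponseTime
    includes the service it called, and the callee logs first, so own = total - prev."""
    by_session = defaultdict(list)
    for ev in parse_events(raw):
        by_session[ev["session"]].append(ev)
    result = {}
    for session, evs in by_session.items():
        chain, prev = [], 0
        for ev in sorted(evs, key=lambda e: e["ts"]):  # callee (earlier) first
            chain.append((ev["app"], ev["total_ms"], ev["total_ms"] - prev))
            prev = ev["total_ms"]
        result[session] = chain
    return result
```

For the two quoted events this yields app-sso-sit at 44 ms and app-ca-sit at 53 ms total, 9 ms of its own; the same grouping is what a `stats` by session id in Splunk would feed.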

How to extract a field in my sample event log?

Here is a small piece of an event in my log: ;GET.SVC.INFO 01-25-17 404< It starts with a semi-colon and contains the text GET.SVC.INFO, a space, and then the date formatted as mm-dd-yy, and then a space followed by the user id, which in this case is 404, followed by an ampersand lt and an ending semi-colon. I would like to extract the user id at index time as a field named myuserid. Thanks
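A regex for the fragment described above, added here as an example and not part of the question; the sample events are constructed, and the pattern accepts both the literal `&lt;` the poster describes and the `<` the forum rendered it as.

```python
import re

# Pattern for the fragment quoted in the question: ";GET.SVC.INFO mm-dd-yy <userid>&lt;".
# The question says the raw event carries a literal "&lt;" (ampersand, lt, semicolon);
# the forum rendered that as "<", so the pattern accepts either form. The date is a
# non-capturing group so the user id is capture group 1.
MYUSERID_RE = re.compile(
    r";GET\.SVC\.INFO\s+(?:\d{2}-\d{2}-\d{2})\s+(?P<myuserid>\d+)(?:&lt;|<)"
)

def extract_myuserid(event):
    """Return the user id from one raw event, or None when the fragment is absent."""
    m = MYUSERID_RE.search(event)
    return m.group("myuserid") if m else None

# Constructed sample events: the fragment from the question in raw and HTML-rendered
# form, embedded in surrounding text, plus one line with no user id that must not match.
SAMPLES = [
    "2017-01-25 22:47:16 host app;GET.SVC.INFO 01-25-17 404&lt;;rest of event",
    "2017-01-25 22:47:16 host app;GET.SVC.INFO 01-25-17 404<;rest of event",
    "2017-01-25 22:47:16 host app;GET.SVC.INFO 01-25-17 &lt;;missing user id",
]
```

In Splunk the same regex serves an index-time extraction through a transforms.conf stanza (REGEX, FORMAT = myuserid::$1, WRITE_META = true) referenced from props.conf, with myuserid declared in fields.conf; a search-time EXTRACT- in props.conf is the cheaper default unless the field is genuinely needed at index time.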