how to get the next value in a column
I have values like this in a column: Lock, Unlock, Logon, Shutdown. I want to get the next value and check it with the previous value, i.e. if the previous session is lock and next session is unlock the...
How do you debug custom search command: Error in 'script'?
How do I debug following? I have custom search command generatereport that I have developed on Linux, I am using logger to print information I need. Everything works fine there. I even get error with...
Time conversion not working
index=asg Process_name=WLR_22-15_Rating earliest =-5m | convert timeformat="%d-%M-%Y-%H:%M:%S" mktime(start_dtm) mktime(end_dtm) | eval duration=end_time-start_time | table duration Data...
Splunk nobody user vs Service User
Hi All, We have an environment where the owner of all the Dashboards/Alerts is user 'nobody'. Are there any disadvantages of using the user 'nobody'? Please advise if the best possible way to create a...
Retrieve the messages from the banner at the top of the UI and create a Dashboard
Hi All, Request you to post the query for retrieving messages displayed on the top of the UI so that a Dashboard/report could be created for the messages received. I tried using the below query as per...
Dynamic alert creation for TSM backup failures
We are monitoring a folder which has multiple (~100) files. Each file has a single line of backup status. I have indexed all the files into Splunk. Each line represented below is coming from a different...
splunk 6.5.7 (so no sentiment) - search based sentiment and/or search based...
Hi all, I am restricted to version 6.5 so don't get the sentiment option and am trying to do some keyword-based analysis. My current search lets me isolate all words and count them (simple frequency)....
Drilldown on search with strftime eval keeps opening blank search. I have...
search: | makeresults | eval lastModifiedTime = "1570536921" | eval lastModifiedTime = strftime(lastModifiedTime, "%Y-%m-%d %H:%M:%S") | table lastModifiedTime drilldown...
value of field
Hi, I need to take data from field **Source** and calculate this data : **http_400*100/Total+http_500*100/Total+http_300*100/Total** And show in chart. For now I have this: `| eval...
Splunk Query
The Splunk report below returns ‘shipping points’ (warehouse codes). Using the lookup table (also below), our job is to send relevant Splunk results for a shipping point to the appropriate warehouse...
replace string in field value using eval or sed
I have one field (query) value like `select * from host where id = 'something' and name = 'xxxxxx'`. Now I want to replace id and name with '?'. I have tried with rex and sed, something like `rex field=query`...
If format wrong colorPalette?
Any ideas why this won't work? Tried a few variations: `if (value ="Running" , "#53A051","#DC4E41")`. Thanks
Error message "JSON file contents not available." when configuring DM in...
Hi all, I want to configure a Datamodel in different apps. One app should define the datamodel (here: search). The second app (here: dm_acc) should define schedule and acceleration....
Splunk DB connect is not working for DB2 database
Splunk DB connect is not working for DB2 database. Installed drivers for DB2: db2jcc.jar, db2jcc_license_cisuz.jar, db2jcc_license_cu.jar, PROGRESS_DATADIRECT_JDBC_DB2_ALL.jar. Getting license error:...
Set time frame of Splunk Dashboard report
Hi, I am working on a dashboard report which I need to schedule bi-weekly, i.e. Monday and Thursday morning. I have the Cron expression ready (30 08 * * 1,4) but how do I change the time dynamically?...
Elasticsearch Data Integrator - Modular Input Errors
Hello, We have installed the latest version of Elastic Search on Splunk and configured the inputs.conf, but we are getting errors while looking into the logs. https://splunkbase.splunk.com/app/4175/ >...
How to resolve the below issue?
I have the following query which is giving me all the APIs whose cache value is **HIT** or **MISS**. host=*localTest* sourcetype="perf" Path "/api/*/" cache="MISS" OR cache="HIT" | stats count by...
How to compare two fields from two different searches and display results...
I am running 2 different searches and have to compare each value in one field with the values in the other field. The display result should show field A values which do not exist in field B....
Splunk add-on builder interval REST API data input
How can I include a text box to get a time interval from the user in Splunk Add-on Builder for a REST API input?
How do I unset a token if a click value has the same value?
Hello All, I have a pie chart divided into slices. When I click a slice it sets a token `tok_slice_value` with `click.value` which causes some other fun stuff to happen on the dashboard. If I click on...