Forums: SplunkReporting

Two questions, both relating to number formatting. I'm looking for some search command (or preferably an "eval" expression) to accomplish the following: 1.) Pad a number to a certain number of digits. (Like in python or C, you can say {{"%06d"}} to 0-fill a number to 6 digits). Is there existing ...

I'm building a form with 3 inputs: 2 of them are true/false fields and the last input is a time field. Then, in a panel I'm running a search with the purpose of computing the percentage on how much time that true/false combination occurred within the time interval defined. For doing so, I need to ...

I've added a number of counters to the summary index using a sitimechart function and I have events like this: 03/05/2010 14:29:00, search_name=host processing, search_now=1267799400.000, info_min_time=1267799100.000, info_max_time=1267799400.000, info_search_time=1267799411.275, orig_host=hosts.platforms, ...

We have a daemon that accepts connections from our billing system. There are times when the connection will stay open, but the billing system daemon will stop sending data. Because of the system we use and their outrageous expense to fix things we have just had to deal with it when it stops communication. ...

My query that I saved as shown in the "Searches and Reports" management interface: {{info host="*db*" oracpu [ search info host=*db* oracpu | extract pairdelim=" ",kvdelim="=" | stats max(load) by host | sort 5 -"max(load)" | fields host ] | extract pairdelim=" " , kvdelim="=" | timechart span="1m" ...

Hi all, I'm currently trialling Splunk and we've been asked to see whether this is capable of showing the number of pages a user has printed out in a daily basis over a period of time. Now what I've been able to do is use Splunk to filter the system event logs on our print servers and specify ...

Hi, I created several form search views using the simple XML. The 90% use case is going through them view by view selecting a host and a time range as arguments to the view. While the result is great, the manual navigation is a little tedious. I wondered is there a way to automate this, e.g. ...

About 60 servers logging load to syslog. I want a timechart of the load of the 5 servers with the highest max load for the timeframe. I've floundered badly trying to find a way to do it. Gotten as far as a listing of the top 5 hosts. But then how do I grab those hosts and pipe into a timechart command ...

I am trying to use the rename command to rename multiple fields in a search. I have tried: | rename foo as bar, egg as spam and | rename foo as bar | rename egg as spam neither method works. | rename foo as bar works of course. Is there a way to rename multiple fields? They ultimately ...

Need to report min&max login/logoff for user for each daya for a span of 2 months. Anyone know how to do that?

In a simple dashboard I have a report whit values every 5 minutes (Say: 288 values per day). The line chart for 24h looks good. But when I change the time to 7 days or 30 days, then the data are compressed to 8 or 31 values. In this case, the graphic is no longer meaningful. With the span option I can ...

Hi. I have the following search: sourcetype="*access*" | chart dc(remote_host) by remote_host It will chart the list of unique IPs that have hit our webservers. However, I'd like it to show me each unique IP and tell me how many times that IP has accessed the web server. Is there a way to do t...

I want to timechart top CPU_Time values by process. The values are steadily increasing for sample to sample. I applied the "delta" command to determine the CPU time consumed between samples. Now results are fine, except for the first sample, i.e. for delta there is no "previous" value, it seems to ...

I've got a chart that is displaying a count of the different values of a particular field. Is there a setting I can enable to allow a user to change the time interval of the search from the dashboard? Having to click show results, changing the time interval on the search box, clicking show report and ...

In a network with 40+ C4510E Access switches (up to 384 interfaces), I would like to find the top 10 or 50 interfaces, with a particular syslog. It's no problem to find top 10 nodes or interface, but I need to figure out, how to combine hostname and interface in order to locate the specific interface ...

Let's say you have the following eventtypes: eventtype=Section1 eventtype=Section2 eventtype=Section3 eventtype=Section4 You also have the eventtype: eventtype=NotAnError NotAnError overlaps the Section# types because the Section# types contain events that are not errors. When I go to create ...

Many reports (not all - some canned, some custom) are returning with the following error. I'm running version 4.0.5 on Windows. //**500 Internal Server Error BadRequest: [HTTP 400] Bad Request; [{'text': 'In handler \'savedsearch\': Argument "action.summary_index._name" is not supported by ...

Hi, I work with access_common and group user activity into visits using 'transaction'. This works well for determining entry/exit page and visit duration, but I ran into issues calculating the time between subsequent page requests. I tried 'delta' but top no avail. How could the trick be done? index=myindex ...

I have a custom log with a timestamp for each activity in the log, but the log is generated every night. Splunk graphs it as a 1000 events happening at the time the log was imported, instead of 1000 events over the year. How do I get the timechart to use the timestamp attached to each activity? ...

Hi. I wrote a script that will produce an output like this: 0 fscsi0 NORMAL ACTIVE 3518549 0 3 2 1 fscsi1 NORMAL ACTIVE 3520158 0 3 2 I want to extract the "fscsi0" and "fscsi1" as a field named "Adapter". When I ...