I am a new Splunk user and I want to create a stats table showing different findings of an event using fields. However, I am running into an error when I use the earliest command twice.

Here's what I have so far:

index=xxx source=xxx sourcetype=xxx
| stats latest(name) as name, latest(call_time) as call_time
| join name [ search index=xxx source=xxx sourcetype=xxx conversation="*hello*" | stats earliest(_time) as first_hello by name ]
| join name [ search index=xxx source=xxx sourcetype=xxx messages="*how*" | stats earliest(_time) as first_how by name ]
| table name, call_time, first_hello, first_how

1. Both first_hello and first_how are displaying the same time.
2. As I added the 'join' I could tell that the number of statistics decreased. I want to find a way that it displays all the events and that if a certain time (or word) cannot be found then it will just stay blank. I can see how that contradicts the purpose of 'join' but I couldn't find another way to do it.

When it comes to messages and conversations, I want to find the first time that each field had a value containing the specific word (hello and how correspondingly). These two fields contain values that look like paragraphs.

Display a table that shows: name, TIME of the last call (corresponding to that name), TIME of the first time the word hello was said in the values of the conversation field, TIME of the first time the word how was said in the values of the messages field. In other words, I want to find the first time that xxname said hello in conversation and how in messages.


(screenshot: /storage/temp/274227-splunk-dashboard.jpg)

Dashboard "User Long Checkouts Report". Description: This dashboard shows the long license checkouts generated in the last 15 mins. Inputs: Central DB_Sid, User ID, Extension (choices: Any, 8, 6, 4, 2, 20,70); time range -15m to now. Panel: Long Checked out Licenses.

| tstats latest(Main.licCount) as licCount, latest(Main.city) as city, latest(Main.geographicalRegion) as geographicalRegion, latest(Main.region) as region, latest(Main.active) as active, latest(Main.serverType) as serverType, latest(Main.serverPurpose) as serverPurpose from datamodel=EDA_RealTime_userV2 where (nodename = Main) Main.vendorDaemon=MLM Main.user=$user$ summariesonly=false by _time span=10m, Main.feature, Main.user, Main.hostFile, Main.startTime, Main.vendorDaemon, Main.execHost
| rename Main.startTime as startTime, Main.feature as feature, Main.hostFile as licServer, Main.user as user, Main.vendorDaemon as vendorDaemon, Main.execHost as execHost
| join [| inputlookup LongCheckout_Alert_Features.csv | rename vendor as vendorDaemon, Days as threshold]
| eval checkoutDays=round((now()-startTime)/86400)
| eval startTimeConverted=strftime(startTime,"%d-%m-%Y %H:%M:%S")
| eval percentageThreshold=round((checkoutDays/threshold)*100)
| where isnotnull(threshold) AND checkoutDays > threshold
| lookup local=t ldap_people.csv cn as user OUTPUT mail, Country
| stats values(execHost) as "User HostName", values(licServer) as "License Server", values(licCount) as "No.Licenses", values(checkoutDays) as "Checkout DurationDays", values(vendorDaemon) as "VendorDaemon", values(threshold) as "Threshold Limit" by user, feature, startTimeConverted
| rename user as "User", feature as "FeatureName", startTimeConverted as "CheckoutDate"
| table "User", "FeatureName", "VendorDaemon", "User HostName", "License Server", "CheckoutDate", "No.Licenses", "Checkout DurationDays", "Extension"

In the above dashboard, I want to put the Extension drop down box in each row of the report visible below, in the Extension column. Let me know if I need to clarify anything else.


I am trying to join two indexes through a common field that has a different name in each index, and I want the two searches to run over different time ranges. The common field is the IP address, which is ipv4 in search 1 and IP in search 2. What is the fastest approach for the search to run: joining the indexes, or using search 1 as an inputlookup? I am trying to match the IP and output the host_name and platform from search 2. Below is the join I am using.

index=main sourcetype=rf Severity=High | rename IP as ipv4

The time range is the previous month, but search 2 should run for the last 24 hrs.
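For the post about first_hello and first_how, an added example (not from the thread or its author) that produces the requested table without join, in a single pass over the events. The index, source and sourcetype placeholders are the post's; the flag fields hello_time and how_time, the word-boundary regexes and the timestamp format are assumptions.

```spl
``` Added example: per-name last call, first "hello" in conversation, first "how" in messages.
    Flag each event with its own _time when the field contains the word, then aggregate once. ```
index=xxx source=xxx sourcetype=xxx
``` (?i) makes the match case-insensitive; \b keeps "how" from matching "show" or "however",
    which the wildcard messages="*how*" in the post would match. ```
| eval hello_time=if(match(conversation, "(?i)\bhello\b"), _time, null())
| eval how_time=if(match(messages, "(?i)\bhow\b"), _time, null())
``` One stats over all events: every name survives, and min() of an all-null field is empty,
    so a name that never said hello or how gets a blank cell instead of being dropped. ```
| stats latest(call_time) as call_time,
        min(hello_time) as first_hello,
        min(how_time) as first_how
        by name
``` Keep the epoch values for sorting; only the display is formatted. ```
| fieldformat first_hello=strftime(first_hello, "%Y-%m-%d %H:%M:%S")
| fieldformat first_how=strftime(first_how, "%Y-%m-%d %H:%M:%S")
| table name, call_time, first_hello, first_how
```

This addresses both points in the post: there are no subsearches, so nothing is truncated by the join limits (by default 50,000 rows and 60 seconds per subsearch), and an inner join no longer discards names that have no matching "hello" or "how" event. If the words must be matched exactly as typed, replace match() with like(conversation, "%hello%"), which is case-sensitive.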
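For the post about joining two indexes on ipv4/IP over different time ranges, an added example (not from the thread or its author) that does the match in one search rather than a join, giving each clause its own time range. The name index=firewall for the unnamed search 1, the output columns and the choice to keep search 1's events are assumptions; search 2 is as given in the post.

```spl
``` Added example: enrich search 1 (previous month) with host_name and platform from
    search 2 (last 24 hours) using inline time modifiers per clause, no subsearch. ```
(index=firewall earliest=-1mon@mon latest=@mon)
    OR (index=main sourcetype=rf Severity=High earliest=-24h latest=now)
``` Normalise the differently named key: ipv4 in search 1, IP in search 2. ```
| eval ip=coalesce(ipv4, IP)
``` Copy host_name/platform from the search 2 rows onto every event sharing the same ip.
    values() ignores nulls, so search 1 rows contribute nothing and pick up the enrichment. ```
| eventstats values(host_name) as host_name, values(platform) as platform by ip
``` Keep only search 1's events in the result; search 2 rows were only there to enrich. ```
| search index=firewall
| table _time, ip, host_name, platform
```

The time modifiers inside the parenthesised clauses override the time picker for that clause only, so the outer search reads the month for search 1 and one day for search 2. Compared with join, this avoids the subsearch row and time limits (by default 50,000 rows and 60 seconds), which silently truncate matches; in a SIEM that means high-severity hosts quietly missing from the result. eventstats keeps every event in memory until the search finishes; if the month of search 1 is very large, aggregate with stats by ip (plus whatever search 1 fields are needed) instead.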