Answer by warren for Recording earliest login time for each day
It would appear that on those dates you’ve binned, the earliest login time was from an earlier day. It appears you’ve conflated multiple dates in the data into expecting them to be "the same". I would strongly suspect that SesssionStateChangeTime is not the field you want to look at – at least, not in the …
Answer by warren for How to merge two stats by in Splunk?
This may be what you are looking for:
index="cumu_open_csv" Assignee="ram"
| eval open_field=if(in(Status,"Open","Reopened","Waiting","In Progress"), 1,0)
| stats count(eval(open_field=1)) AS Open, count(eval(open_field=0)) AS closed by CW_Created
| rename CW_Created as CW
| join type=outer CW
    [| search index="cumu_open_csv" Assignee="ram"
     | eval open_field=if(in(Status,"Open","Reopened","Waiting","In Progress"), 1,0)
     | stats count(eval(open_field=1)) As DueOpen by CW_DueDate
     | rename CW_DueDate as CW …
Answer by warren for Describing a field (data dictionary not statistics)
Not as such – unless you "intelligently" name the fields (or field aliases) or eventtypes, you’re going to get whatever the field name is, and whatever the field’s contents are.
from User warren – Stack Overflow https://stackoverflow.com/questions/63118732/describing-a-field-data-dictionary-not-statistics/63123533#63123533
Answer by warren for Calculating event throughput in splunk
Use timechart:
index=myIndex namespace=myNamespace host=myHost log=*EVENT_PROCESSED*
| timechart span=1h count(EVENT_PROCESSED) as count
from User warren – Stack Overflow https://stackoverflow.com/questions/63115125/calculating-event-throughput-in-splunk/63116119#63116119
Answer by warren for How do I set a token based on the dropdown options in a Splunk dashboard
Try doing an eval in your search proper:
<search>
  <query>… | eval endpoint="/$service$/$environment$" | …</query>
</search>
Or try doing an <eval>…</eval> on change from both dropdowns:
<input type="dropdown" token="service" searchWhenChanged="true">
  <label>service</label>
  <choice value="capi">capi</choice>
  <choice value="crapi">crapi</choice>
  <choice value="oapi">oapi</choice>
  <default>capi</default>
  <initialValue>capi</initialValue>
  <change>
    <eval token="endpoint">"/"+$service$+"/"+$environment$</eval>
  </change>
</input>
<input type="dropdown" token="environment" searchWhenChanged="true">
  <label>Environment</label>
  <choice value="prod">prod</choice>
  <choice value="ppe">ppe</choice>
  <choice value="pte">pte</choice>
  <choice …
Answer by warren for Splunk: Escaping "<" and ">" in the dashboard’s source code
Use the HTML entities: &lt; and &gt;. If you construct a search in the UI view, then go to edit source, you’ll see that’s how Splunk converts it under the hood.
from User warren – Stack Overflow https://stackoverflow.com/questions/62506677/splunk-escaping-from-the-dashboards-source-code/62526810#62526810
Answer by warren for RabbitMQ integration to Splunk
Always check Splunkbase when looking for ingesting data types – often there exist apps and add-ons that will do what you’re looking for. Here are two related to RabbitMQ:
JMS Messaging Modular Input – https://splunkbase.splunk.com/app/1317/#/details
AMQP Messaging Modular Input – https://splunkbase.splunk.com/app/1812/#/details
from User warren – Stack Overflow https://stackoverflow.com/questions/62461168/rabbitmq-integration-to-splunk/62472391#62472391
Answer by warren for Splunk interesting field exclusion
You can do it this way, too:
index=Student_Entry
| where isnull(subject)
| stats count
from User warren – Stack Overflow https://stackoverflow.com/questions/62381716/splunk-interesting-field-exclusion/62390643#62390643
Answer by warren for Splunk left join is not giving as expected
If you do want to do this with a join, what you had, slightly changed, should be correct:
index="orders" "Online order received" earliest=-9d latest=-8d
| rex field=message "paymentHashed=(?<payHash>.([a-z0-9_\.-]+))"
| stats values(_time) as onlineOrderTime by payHash
| join type=left payHash
    [search index="orders" "Telesale order received" earliest=-20d latest=-5m
     | rex field=message "paymentHashed=(?<payHash>.([a-z0-9_\.-]+))"
     | rename timestamp as TeleSaleTime …
Answer by warren for Delta between two Splunk search results
You can do this without a join like this:
index="xyz-index" userId=*
| rename attributes.privateGroups as privateGroups attributes.publicGroups as publicGroups
Make sure the privateGroups and publicGroups fields exist in all events:
| fillnull value="-" privateGroups publicGroups
Because we know fields with "-" in them were filled by fillnull:
| eval both=if(privateGroups!="-" AND publicGroups!="-",1,0)
| eval inPrivate=if(privateGroups!="-",1,0) …
Answer by warren for How to extract contents after the last slash in fields in splunk?
I would do this in a couple of distinct steps:
| rex field=_raw ":\s+error_code\W+(?<full_path>[^,]+),(?<line>[^)]+)\W+(?<test_path>.+)"
Followed by:
| rex field=full_path "(?<filename>\w+)$"
Followed by:
| rex field=test_path "(?<testname>[^\.]+)$"
Presuming, of course, there are no dots in the "testname" – this will work 🙂
from User warren – Stack Overflow https://stackoverflow.com/questions/62281287/how-to-extract-contents-after-the-last-slash-in-fields-in-splunk/62282465#62282465