How to create a Splunk bubble diagram from timechart - splunk

I am trying to create a bubblechart based on this search, also seen in the image below.
source="*wineventlog:security" sourcetype="*wineventlog:security" EventCode=4624 OR 4625 OR 4649 OR 4724 OR 4732 OR 4740| timechart span=1h count(EventCode) by EventCode
I have tried different methods to create something similar to the edited bubblechart image below, but with no success so far. I hope someone here can possibly help me achieve this, if it is even possible?
I can see that I would probably need to get the EventCodes into their own columns, and probably the same with the count... but how?

You've got two issues.
First, each OR comparison still has to use the field name (EventCode=4724 OR EventCode=4740...). Or you can use EventCode IN("val1","val2"...)
Second, you can simplify the count(EventCode) to count.
Try this:
source="*wineventlog:security" sourcetype="*wineventlog:security" EventCode IN("4624","4625","4649","4724","4732","4740")
| timechart span=1h count by EventCode
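As an added illustration (not from the original thread), the Python below reproduces what the corrected search's `timechart span=1h count by EventCode` yields: hourly buckets with one column per EventCode, which is exactly the shape a bubble chart needs (hour on x, EventCode on y, count as bubble size). The events are constructed sample data, not real log output.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample Windows Security events (not real log data): (timestamp, EventCode).
# 4624 = successful logon, 4625 = failed logon, 4740 = account lockout, 4672 = special privileges.
SAMPLE_EVENTS = [
    ("2024-01-10T08:05:00Z", 4624),
    ("2024-01-10T08:20:00Z", 4625),
    ("2024-01-10T08:45:00Z", 4625),
    ("2024-01-10T09:01:00Z", 4625),
    ("2024-01-10T09:30:00Z", 4740),
    ("2024-01-10T09:59:00Z", 4624),
    ("2024-01-10T09:59:00Z", 4672),  # not in the IN() list, so the filter drops it
]

# The IN("4624","4625",...) list from the answer above.
WANTED_CODES = {4624, 4625, 4649, 4724, 4732, 4740}


def hour_bucket(ts):
    """Truncate an ISO-8601 UTC timestamp to its hour, like span=1h."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt.replace(minute=0, second=0).strftime("%Y-%m-%d %H:00")


def timechart_by_eventcode(events, codes=WANTED_CODES):
    """Return {hour: {EventCode: count}}, the pivot that `timechart span=1h count by
    EventCode` produces: one row per hour, one column per EventCode, 0 where absent."""
    table = defaultdict(lambda: defaultdict(int))
    for ts, code in events:
        if code in codes:  # a field-qualified filter, the fix the answer describes
            table[hour_bucket(ts)][code] += 1
    cols = sorted({c for row in table.values() for c in row})
    return {h: {c: row.get(c, 0) for c in cols} for h, row in sorted(table.items())}


def bubble_points(table):
    """Flatten the pivot into (x=hour, y=EventCode, size=count) triples for a bubble chart."""
    return [(h, c, n) for h, row in table.items() for c, n in row.items() if n]


if __name__ == "__main__":
    chart = timechart_by_eventcode(SAMPLE_EVENTS)
    for hour, row in chart.items():
        print(hour, row)
    print(bubble_points(chart))
```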

Related

How do I transform an array in a search or elsewhere in a dashboard

I have a search that is working fine
index=event_db environment=prod release = 2020150015
| timechart count as Events
However, I'd like to modify this to search for any release in an array of releases. I'm aware of the "in" operator.
The catch is that the array of releases I've been provided ("Releases") is formatted slightly differently like so:
[ver2020.15.0015, ver2020.15.0016, ver2020.22.0019] // in general, many more than 3!
Is there a way to use the in operator and some mapping to get
release in
[2020150015, 2020150016, 2020220019] ?
Can this be put in the search?
This is part of a panel so if it's simpler I could have code elsewhere to convert [ver2020.15.0015, ver2020.15.0016, ver2020.22.0019] into [2020150015, 2020150016, 2020220019]
However, as mentioned I'm a newbie so my knowledge of where to put code to transform an array is limited :)
I have a fieldset section and a panel with a query in it.
The "Releases" array is populated in the fieldset section as so:
<input type="text" token="Releases">
<label>Release or Releases</label>
<default>*</default>
</input>
The user enters ver2020.15.0015 or perhaps ver2020.15.*.
I can't just have the user enter 2020150015 as the ver2020.15.0015 format is used elsewhere.
Perhaps there's a way to create new field Releases_Alt right after getting this?
Let me know of any other info I can provide. As I said, I'm new to Splunk so I'm still struggling with terminology.
Try this query. It uses a subsearch to build the IN argument. Subsearches in Splunk run before the main search and the output of the subsearch replaces the subsearch itself.
index=event_db environment=prod release IN (
[ | makeresults
| eval Releases=replace ($Releases|s$, "[ver\.]+","")
| return $Releases ] )
| timechart count as Events
The makeresults command is there because even subsearches have to start with a generating command. makeresults creates a "dummy" event that allows other commands to work.
The eval command does the work of converting release versions into the desired format. Note the use of |s with the Releases token. This construct ensures the contents of the token are enclosed in quotation marks, which is expected by the replace function.
Finally, the return command with $ returns the results of the eval, but without the field name itself. Without it, the subsearch would return releases="2020150015, 2020150016, 2020220019", which wouldn't work.

How to (still) use a wildcard in the middle of a string?

I am trying to run the following query
index=one /thispath/file*.pdf
I know that using wildcards in the middle of a string is not recommended, but I have too many different files: file001.pdf, fileabc.pdf and others.
What can I do? I am more worried about bogus results than processing speed.
Thanks!
It's not recommended, but it works. Just do it.
index=one "/thispath/file*.pdf"
I think you could do this one of 3 ways, actually, depending on your needs:
| makeresults | eval field="/thispath/fileone.pdf"
tell splunk to look for both the beginning and end of something
| search field="/thispath/file*" AND field="*.pdf"
filter after the event search using wildcards
| where like(field, "/thispath/file%.pdf")
filter after the event search using regex
| where match(field, "/thispath/file.*.pdf")
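An added Python comparison (not part of the original answers) of how the three filters above behave on constructed paths, including the bogus ones the asker is worried about. Splunk's like() is emulated as an anchored SQL-style pattern (% and _), match() as an unanchored regex search, and the wildcard term as an anchored glob via fnmatch, which stands in for Splunk's own `*` handling rather than reproducing it; the regex exactly as posted is contrasted with an anchored, dot-escaped version.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample paths (not from the thread): the first three are wanted,
# the rest are "bogus" results that a loose pattern may let through.
SAMPLE_PATHS = [
    "/thispath/file001.pdf",
    "/thispath/fileabc.pdf",
    "/thispath/file.pdf",
    "/thispath/file001.pdfx",         # trailing junk after .pdf
    "/thispath/file001_pdf",          # '.' before pdf missing
    "/otherpath/thispath/file1.pdf",  # different directory prefix
]


def like_filter(value, pattern):
    """Emulate SQL/Splunk like(): % = any run of chars, _ = one char, whole-string match."""
    rx = "".join(".*" if ch == "%" else "." if ch == "_" else re.escape(ch) for ch in pattern)
    return re.fullmatch(rx, value) is not None


def match_filter(value, regex):
    """Emulate Splunk match(): an unanchored regex search."""
    return re.search(regex, value) is not None


def wildcard_filter(value, glob):
    """Emulate a wildcard term as an anchored glob (fnmatch stands in for Splunk's *)."""
    return fnmatchcase(value, glob)


def compare(paths=SAMPLE_PATHS):
    """Return {path: (wildcard, like, regex_as_posted, regex_strict)} so differences show."""
    out = {}
    for p in paths:
        out[p] = (
            wildcard_filter(p, "/thispath/file*.pdf"),
            like_filter(p, "/thispath/file%.pdf"),
            match_filter(p, "/thispath/file.*.pdf"),      # as posted: '.' unescaped, unanchored
            match_filter(p, r"^/thispath/file.*\.pdf$"),  # anchored, '.' escaped
        )
    return out


if __name__ == "__main__":
    for path, flags in compare().items():
        print(f"{path:32} wildcard={flags[0]} like={flags[1]} regex={flags[2]} strict={flags[3]}")
```

The unanchored regex as posted accepts all three bogus paths; the like() pattern and the anchored, escaped regex do not.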

AtTask API order by date?

I've gone around in circles on the web trying to find any relevant information, including the API Docs, for ordering results by ASC/DESC order...
/task/search?name=NAME HERE&percentComplete=0&fields=plannedCompletionDate,project:status,project:name,project:plannedCompletionDate
I want to be able to have my results ordered by plannedCompletionDate instead of having to do it in code.
You can do this by adding
plannedCompletionDate_Sort=asc
so your call would be
/task/search?name=NAME HERE&percentComplete=0&fields=plannedCompletionDate,project:status,project:name,project:plannedCompletionDate&plannedCompletionDate_Sort=asc
If you need to sort by string (i.e. project name) you can also use name_Sort=ciasc to get case insensitive results:
/project/search&method=GET&status=CUR&name_Sort=ciasc&fields=name
Credits: Blue Agave and Hamlet Hakobyan

Count number of users/entries in people picker using Javascript

Think of this scenario:
If I add two user entries to a people picker field (multiple selection is permitted),
I need to count these entries using JavaScript/jQuery (the output I want is: 2).
How can I do this? Are there any built-in methods?
Try this:
$('#idOfPeoplePicker div.ms-inputuserfield>span.ms-entity-resolved').length

Is it possible to compare 2 dimensions in a Google Analytics query filter?

I'm just starting out with the Google Analytics API and am wondering if it's possible to compare two dimensions via an operand in the filters I pass in the query. And by wondering I mean I've tried it, but have had no success.
Specifically I'm trying to compare 2 custom variable values. One holds the user who created a post (customVarValue3), the other the user who is viewing the post (customVarValue5). I want to get the pageviews only for the visitors who are not also the creator. The filter looks like this (without urlencoding applied):
ga:customVarValue3!=ga:customVarValue5
The full query (url encoded) looks like this:
https://www.google.com/analytics/feeds/data?ids=ga%3Axxxxxx&dimensions=ga%3AcustomVarValue1%2Cga%3AcustomVarValue2%2Cga%3AcustomVarValue3&metrics=ga%3Apageviews&filters=ga%3AcustomVarValue3!%3Dga%3AcustomVarValue5&sort=-ga%3Apageviews&start-date=2012-02-09&end-date=2012-02-23&max-results=50
However, it returns the same results (and I know there are results where ga:customVarValue3 == ga:customVarValue5).
Probably it isn't possible, but I just wanted to see if anyone knew how to achieve this or has a workaround or something.
No, it is not possible using the GAv3 API in its present state. You can, however, get all the results by using the specified two custom variables as the dimensions for a report, and programmatically filter out the unnecessary results.
Some simple construct like
var newResultRows = [];
// for...in yields indices (strings) rather than the objects, so index explicitly
for (var i = 0; i < collatedResultsListwithDimensions.length; i++) {
  var item = collatedResultsListwithDimensions[i];
  for (var j = 0; j < item.rows.length; j++) {
    var row = item.rows[j];     // [customVarValue3, customVarValue5, ..., pageviews]
    if (row[0] != row[1])       // keep rows where the viewer is not the creator
      newResultRows.push(row);
  }
}
Now your newResultRows will have those rows where row[1]!=row[0] assuming the two custom variables you mentioned are the first two dimensions.