I have an example query where I show the elapsed time for all log lines where detail equals one of three things, and I show the stats of the elapsed field:

normalized_source=http_plugin (detail=/online/public/userIdentify OR detail=/online/successfulLogin OR detail=/online/home) | stats avg(elapsed), median(elapsed), p90(elapsed) by detail

So an issue I run into is it matches both where detail equals "successfulLogin" as well as "successfullogin" (with a second lowercase L). The "successfullogin" exists in the logs because of tests done against the production environment, but doesn't reflect useful data. In fact, there are only 2 or 3 logs of the "successfullogin" whereas there are 40,000+ of all the other. I'd like to remove that result so I just show the three, because I am interested in the visualization of this (and I don't want a random 4th result). There are 3 ways I could go about this:

3. Show only the results where count is greater than, say, 10.

I don't really know how to do any of these (I'm pretty new to Splunk). I have tried option three with the following query:

normalized_source=http_plugin (detail=/online/userIdentify OR detail=/online/successfulLogin OR detail=/online/home) | stats count, avg(elapsed), median(elapsed), p90(elapsed) by detail | where count > 10

However, this includes the count field in the results. This is fine except when I turn this into a bar chart, the count column skews the other values (since it is so much larger). How could I redo that query to omit the count field? (And for extra credit, how would I redo the first query to do option 1 and 2? I keep trying to modify the query and it does not give me the expected results.)

When I run the search query to display the ID and name, only the top 10,000 records are displaying. I have tried to display the results using the stats command, table command, chart command and fields + table command. In all of these methods only the top 10k records are showing in the statistics section.

TIPS & TRICKS: Help, I can't export more than 10,000 events. By Splunk, Aug. If you've ever tried exporting lots of events from the Splunk UI then you probably know that there's a hardcoded max of 10,000 lines. This is to prevent users from potentially crashing splunkd or python.

first(): This function is used to retrieve the first seen value of a specified field. This function takes only one argument, e.g. first(fieldname).

Example 1:
indexinfo | table _time,_raw | stats first(_raw)

Explanation: We have used stats first(_raw), which is giving the first event from the event list.