Tuesday 28 April 2015

Splunk searchTemplate / postProcess How To Use Multiple Time Ranges in one form/dashboard

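I used this code recently in a Splunk dashboard where I needed to have multiple time ranges from one searchTemplate search. You can use this code in a searchPostProcess element to change the time range (in this case to 'yesterday'). It filters the results the base search already returned, so the base search's time range must include yesterday.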


eval ADayAgo=now()-86400 | eval yesterdayText=strftime(ADayAgo,"%Y-%m-%d") | eval yesterdayTextEnd=yesterdayText. " 23:59:59" | eval endEpoc=strptime(yesterdayTextEnd,"%Y-%m-%d %H:%M:%S") | where _time >endEpoc-86400 and _time <=endEpoc

Monday 27 April 2015

How to fix the issue where pasting text with a comment # into vi/vim on Linux causes subsequent lines of text to get double commented.

From time to time I paste text into scripts and config files in vi/vim on Linux, and you find that doing so corrupts your text because there is a comment character # and every subsequent line gets commented.

If you are color coding, you also find that all the text after the first comment turns the comment color (say, blue on black).

I'm not a fanatical Unix guy, so for a long time I worked around this and found it quite infuriating. Here is how to avoid this when it comes up.

To solve this problem do:

  • Before entering insert mode, run :set paste.
  • After you leave insert mode, run :set nopaste.