https://community.splunk.com/t5/Splunk-Search/How-to-pull-stats-to-display-etime-bind-id-conn-and-the-search/m-p/475148#M133563 <P>ahh, it works and it looks so simple. I guess i was making it harder than it needed to be with trying to use transaction etc. thank you! </P> Tue, 05 Nov 2019 21:54:52 GMT justinsplunk_12 2019-11-05T21:54:52Z https://community.splunk.com/t5/Splunk-Search/How-to-pull-stats-to-display-etime-bind-id-conn-and-the-search/m-p/475141#M133556 <P>Hi all,<BR /> I'm working with a sample log snippet below.<BR /><BR /> The overall goal is to get stats about long-running operations. I am trying to display the etime, bind_id, conn, and the search_filter for any operation that takes longer than 20 seconds (etime&gt;20).<BR /><BR /> I've tried using "transaction" with conn but I do not know how to manipulate the data afterwards.<BR /><BR /> I am trying to get an output that looks similar to,</P> <PRE><CODE>conn bind_id search_filter etime 65110583 "uid=hello,o=test" "(uid=abc*)" 165 </CODE></PRE> <P>::Log snippet::</P> <PRE><CODE>2019-10-15T08:20:06+00:00 serverABC ACCESSLOG[15/Oct/2019]: 04:20:05 -0400] conn=65110583 op=-1 msgId=-1 - connection from 10.10.10.10:1234 to 10.10.10.15 2019-10-15T08:20:06+00:00 serverABC ACCESSLOG[15/Oct/2019]: 04:20:05 -0400] conn=65110583 op=0 msgId=1 - BIND dn="uid=hello,o=test" 2019-10-15T08:20:06+00:00 serverABC ACCESSLOG[15/Oct/2019]: 04:20:05 -0400] conn=65110583 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=hello,o=test" 2019-10-15T08:20:06+00:00 serverABC ACCESSLOG[15/Oct/2019]: 04:20:06 -0400] conn=65110583 op=1 msgId=2 - SRCH base="ou=everyone,o=test" scope=2 filter="(uid=abc*)" attrs="cn" 2019-10-15T08:20:10+00:00 serverABC ACCESSLOG[15/Oct/2019]: 04:20:08 -0400] conn=65110583 op=1 msgId=2 - SORT uid (269746) 2019-10-15T08:23:01+00:00 serverABC ACCESSLOG[15/Oct/2019]: 04:22:51 -0400] conn=65110583 op=1 msgId=2 - RESULT err=0 tag=101 nentries=269746 etime=165 notes=U 2019-10-15T08:28:42+00:00 serverABC ACCESSLOG[15/Oct/2019]: 04:28:34 -0400] conn=65110583 op=2 msgId=3 - UNBIND 2019-10-15T08:28:42+00:00 serverABC ACCESSLOG[15/Oct/2019]: 04:28:34 -0400] conn=65110583 op=2 msgId=-1 - closing from 10.10.10.10:1234 - U1 - Connection closed by unbind client - </CODE></PRE> <P>Thank you.</P> Wed, 30 Sep 2020 02:49:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-pull-stats-to-display-etime-bind-id-conn-and-the-search/m-p/475141#M133556 justinsplunk_12 2020-09-30T02:49:02Z https://community.splunk.com/t5/Splunk-Search/How-to-pull-stats-to-display-etime-bind-id-conn-and-the-search/m-p/475142#M133557 <P>Like this:</P> <PRE><CODE>index="YouShouldAlwaysSpecifyAnIndex" AND sourcetype="AndSourcetypeToo" | stats range(_time) AS duration max(etime) AS etime_max sum(etime) AS etime_total BY conn bind_id search_filter | fieldformat duration=tostring(duration, "duration") | fieldformat etime_max=tostring(etime_max, "duration") | fieldformat etime_total=tostring(etime_total, "duration") </CODE></PRE> Mon, 04 Nov 2019 16:45:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-pull-stats-to-display-etime-bind-id-conn-and-the-search/m-p/475142#M133557 woodcock 2019-11-04T16:45:39Z https://community.splunk.com/t5/Splunk-Search/How-to-pull-stats-to-display-etime-bind-id-conn-and-the-search/m-p/475143#M133558 <P>try this :</P> <PRE><CODE>index=&lt;your_index&gt; | rex "dn=\"(?&lt;bind_id&gt;[^\"]+)" | rex "conn=(?&lt;conn&gt;\d+)" | rex "filter=\"\((?&lt;search_filter&gt;[^\)]+)" | rex "etime=(?&lt;etime&gt;\d+)" | stats values(bind_id) as bind_id max(etime) as etime_max values(search_filter) as search_filter by conn | where etime_max &gt; 20 </CODE></PRE> <P>If all the required fields are already extracted then don't use the rex expressions.</P> Mon, 04 Nov 2019 17:05:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-pull-stats-to-display-etime-bind-id-conn-and-the-search/m-p/475143#M133558 mayurr98 2019-11-04T17:05:11Z https://community.splunk.com/t5/Splunk-Search/How-to-pull-stats-to-display-etime-bind-id-conn-and-the-search/m-p/475144#M133559 <P>thank you <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/172209">@mayurr98</a>. this worked for most of the connections. Others have multiple searches in one connection start to end and so I find i need to group by conn and msgId. Im just trying to figure out how to now associate bind_id with the conn. I was thinking maybe some sort of subsearch, appendcols, or join ? Not sure.<BR /> For example:</P> <P>index=xyz host=serverABC <BR /> | rex "BIND dn=(?.<EM>)\smethod" <BR /> | rex "filter=(?.</EM>)\sattrs"<BR /> | stats values(bind_id) as bind_id max(etime) as etime_max values(search_filter) as search_filter by conn msgId<BR /> | where etime_max &gt; 20</P> <P>output:<BR /> conn msgId bind_id etime_max search_filter<BR /> 11001119 3 22 "(uid=abc*)"<BR /> 11001119 2 25 "(uid=123*)"</P> <P>2019-11-05T07:24:27+00:00 serverABC ACCESSLOG[05/Nov/2019]: 02:24:24 -0500] conn=11001119 op=0 msgId=1 - BIND dn="uid=hello,o=test"<BR /> 2019-11-05T07:24:27+00:00 serverABC ACCESSLOG[05/Nov/2019]: 02:24:24 -0500] conn=11001119 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 "uid=hello,o=test"<BR /> 2019-11-05T07:24:27+00:00 serverABC ACCESSLOG[05/Nov/2019]: 02:24:24 -0500] conn=11001119 op=1 msgId=2 - SRCH base="ou=none,o=test" scope=2 filter="(uid=xyz*)" attrs="cn"<BR /> 2019-11-05T07:24:27+00:00 serverABC ACCESSLOG[05/Nov/2019]: 02:24:24 -0500] conn=11001119 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=25<BR /> 2019-11-05T07:24:27+00:00 serverABC ACCESSLOG[05/Nov/2019]: 02:24:24 -0500] conn=11001119 op=2 msgId=3 - SRCH base="ou=everyone,o=test" scope=2 filter="(uid=abc*)" attrs="cn"<BR /> 2019-11-05T07:24:38+00:00 serverABC ACCESSLOG[05/Nov/2019]: 02:24:28 -0500] conn=11001119 op=2 msgId=3 - RESULT err=0 tag=101 nentries=7187 etime=22</P> Wed, 30 Sep 2020 02:52:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-pull-stats-to-display-etime-bind-id-conn-and-the-search/m-p/475144#M133559 justinsplunk_12 2020-09-30T02:52:42Z https://community.splunk.com/t5/Splunk-Search/How-to-pull-stats-to-display-etime-bind-id-conn-and-the-search/m-p/475145#M133560 <P>how does your output look like in this case?</P> Tue, 05 Nov 2019 19:42:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-pull-stats-to-display-etime-bind-id-conn-and-the-search/m-p/475145#M133560 mayurr98 2019-11-05T19:42:09Z https://community.splunk.com/t5/Splunk-Search/How-to-pull-stats-to-display-etime-bind-id-conn-and-the-search/m-p/475146#M133561 <P>Sorry theres some weird formatting for the splunk search i replied with. The bind_id is blank but everything else is correct. </P> <P>The output is like this:<BR /> conn msgId bind_id etime_max search_filter<BR /> 11001119 3 22 "(uid=abc*)"<BR /> 11001119 2 25 "(uid=123*)"</P> <P>Desired output:<BR /> conn msgId bind_id etime_max search_filter<BR /> 11001119 3 "uid=hello,o=test" 22 "(uid=abc*)"<BR /> 11001119 2 "uid=hello,o=test" 25 "(uid=123*)"</P> Wed, 30 Sep 2020 02:52:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-pull-stats-to-display-etime-bind-id-conn-and-the-search/m-p/475146#M133561 justinsplunk_12 2020-09-30T02:52:44Z https://community.splunk.com/t5/Splunk-Search/How-to-pull-stats-to-display-etime-bind-id-conn-and-the-search/m-p/475147#M133562 <P>add this after stats command:</P> <PRE><CODE>| eventstats values(bind_id) as bind_id by conn | where etime_max &gt; 20 </CODE></PRE> Tue, 05 Nov 2019 21:38:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-pull-stats-to-display-etime-bind-id-conn-and-the-search/m-p/475147#M133562 mayurr98 2019-11-05T21:38:30Z https://community.splunk.com/t5/Splunk-Search/How-to-pull-stats-to-display-etime-bind-id-conn-and-the-search/m-p/475148#M133563 <P>ahh, it works and it looks so simple. I guess i was making it harder than it needed to be with trying to use transaction etc. thank you! </P> Tue, 05 Nov 2019 21:54:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-pull-stats-to-display-etime-bind-id-conn-and-the-search/m-p/475148#M133563 justinsplunk_12 2019-11-05T21:54:52Z