topic Re: Field results in Splunk Search

Field results

katouoma — Tue, 29 Sep 2020 18:56:39 GMT

Hi everyone,
I'm new in Splunk and I want some help from you (please).

Here is an image to explain what i'm trying to do:

For the field6 i have (for example) one code with 4 results in field5 with their time in field2. So i want to calculate the time (field2) for each 2 results of one code (qr.webservice.server.operation.response qr.webservice.server.operation.request) and (qr.ctg.GE01.response qr.ctg.GE01.request).

Here is what i've done until now:
sourcetype="bigdata:pf:itoa:frontend:java:qr" host=S00VA9939084
field5="qr*" AND field5!="qr.clientsweetdev.person.context" AND field6="H*"
| table field6 , field5 , field2

Thank you

Re: Field results

mayurr98 — Fri, 06 Apr 2018 13:08:52 GMT

What do you want to calculate exactly? It would be better if give us the expected output table as well for input table.

Re: Field results

katouoma — Fri, 06 Apr 2018 14:09:38 GMT

I want to calculate the duration between:
- qr.webservice.server.operation.response & qr.webservice.server.operation.request
- qr.ctg.GE01.response & qr.ctg.GE01.request
Here is an example:

I don't know if it's possible !

Or even like this:

Re: Field results

HiroshiSatoh — Fri, 06 Apr 2018 14:40:22 GMT

Try this!

･･･
| table field6 , field5 , field2
| eval  field5=rtrim(field5,".response"),field5=rtrim(field5,".request")
| stats min(field2) as start,max(field2) as end by field6 ,field5
| eval dur=strptime(end,"%H:%M:%S,%3Q")-strptime(start,"%H:%M:%S,%3Q")
| table field6 , field5 , dur

Re: Field results

mayurr98 — Fri, 06 Apr 2018 15:13:47 GMT

Hey

try this [TESTED]

<your query so far>| table field6 , field5 , field2 
|  rex field=field5 "qr\.(?<new>[^\.]+)" | eval field2=strptime(field2,"%H:%M:%S,%3Q")  | stats min(field2) as request,max(field2) as response by field6 ,new 
|  eval dur=response-request 
|  chart values(dur) over field6 by new

This will give result in seconds you may convert it according your need to minute or hour in |eval dur= using conversion logic
let me know if this helps!

Re: Field results

katouoma — Mon, 09 Apr 2018 07:28:55 GMT

Thanks a lot for your response, the result looks like the seconde table 😄 Perfect

Re: Field results

katouoma — Mon, 09 Apr 2018 14:20:41 GMT

Thank you @mayurr98, this is exactly what i'm looking for.

However, i want to alert for example my manager if ctg or webservice is greater than 3s, he will receive an email with the line concerned.

Re: Field results

mayurr98 — Mon, 09 Apr 2018 14:40:09 GMT

Yes you can rename it using rename command.also if you want to add any condition then you can do something like this

| rename webservice as WebService ctg as CTG | where WebService>3 OR CTG>3

Append this at the end of the search

Re: Field results

katouoma — Tue, 10 Apr 2018 08:15:29 GMT

I'm trying to send an email to alert my manager if XEROX or SICLID is greater than 2s, but he didn't receive anything so i think i made a mistake in the trigger condition: