topic Re: How to generate output/report from unstructured log records in splunk in Splunk Search

How to generate output/report from unstructured log records in splunk

RS — Sun, 04 Feb 2024 05:23:49 GMT

Hi,

I have following log data that are in splunk. Below is example data taken from splunk:

2024-02-04T00:15:15.209Z [jfrt ] [INFO ] [64920151065ecdd9] [.s.b.i.GarbageCollectorInfo:81] [cdd9|art-exec-153205] - Storage TRASH_AND_BINARIES garbage collector report:
Total execution time:    15.25 minutes
Candidates for deletion: 4,960
Checksums deleted:       4,582
Binaries deleted:        4,582
host = hostname.com index = XXXXXX1 source = artifactory-servicesourcetype = artifactory-service

How I can display trend/timechart of "Total execution time" using splunk query group by timestamp and host name for Storage TRASH_AND_BINARIES garbage collector report?

I appreciate any help.

Thanks

Rahul

Re: How to generate output/report from unstructured log records in splunk

gcusello — Sun, 04 Feb 2024 06:43:57 GMT

Hi @RS ,

I suppose that the total execution time is always displayed in minutes, otherwise, you have convert it based on the forma, so, please try, something like this:

index = XXXXXX1 host = hostname.com source = artifactory-servicesourcetype = artifactory-service "Storage TRASH_AND_BINARIES garbage collector report" | rex "Total\s+execution\s+time:\s+(?<minutes>\d+)\.(?<seconds>\d+)" | eval Total_execution_time=minutes*60+seconds | timechart sum(Total_execution_time) AS Total_execution_time BY host

Ciao.

Giuseppe

Re: How to generate output/report from unstructured log records in splunk

RS — Sun, 04 Feb 2024 23:14:09 GMT

Thanks @gcusello. The given query helped me produce the required timechart.

Re: How to generate output/report from unstructured log records in splunk

gcusello — Mon, 05 Feb 2024 06:14:08 GMT

Hi @RS,

good for you, see next time!

let me know if I can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Re: How to generate output/report from unstructured log records in splunk

Rahul-Sri — Fri, 29 Mar 2024 05:07:34 GMT

Hi, In the above query in my dashboard is displaying large numbers. I want to convert those to shorter number with million added to it. For example if the value shows 600,0000 then the result should display 6mil. How I can achieve? I tried using-->

| eval status=case(like(status, "2%"),"200|201",like(status, "5%"),"503")|timechart span=1d@d usenull=false useother=f count(status) by status|fieldformat count = count/1000000 But this does not work.

Any help is appreciated.

Re: How to generate output/report from unstructured log records in splunk

gcusello — Fri, 29 Mar 2024 06:20:03 GMT

Hi @Rahul-Sri ,

this is another question and it's always better to open a new case, even if this is the followig step to your request, in this way you'll have surely faster and probably better answers.

Anyway, the approach is to use eval not format command and round the number:

| eval count=round(count/1000000,2)."M"

please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Re: How to generate output/report from unstructured log records in splunk

Rahul-Sri — Fri, 29 Mar 2024 15:58:33 GMT

Hi,

Thanks for quick response. I have tried both the options below:

Option-1

| eval status=case(like(status, "2%"),"200|201",like(status, "5%"),"503")|timechart span=1d@d usenull=false useother=f count(status) by status|eval status=round(status/1000000,2)."M"

Option-2

| eval status = if(match(status, "20/[0-1]/"), "success(200 and 201)",status)| eval status=case(like(status, "2%"),"200|201",like(status, "5%"),"503")|timechart span=1d@d usenull=false useother=f count(status) by status|eval count=round(count/1000000,2)."M"

But in my graph I dont see any difference. I still see large number instead of shorten number with M appended.

Below is the output

This is the output which still shows large number.

Re: How to generate output/report from unstructured log records in splunk

gcusello — Sat, 30 Mar 2024 07:24:43 GMT

Hi @Rahul-Sri ,

my solution is only for a table because you transform a number in a string.

if you have to display the result in a graph, you can divide by 1000000 and indicate in the subtitle that the numbers are millions or use a logarythmic scale in the graph.

Ciao.

Giuseppe