Dashboards & Visualizations

Visualize splunk

hazemfarajallah
Explorer

Hello,
I could collect all the data I need from the log, but find it so hard to visualize it.
Here is one of my data items (event):
currprocessid: 0f7befb1-7570-4057-81a7-738d3495500a
currprocessname: 02.Timrapportering
currprocesstype: 0
eventId: error
mainprocessid: 0f7befb1-7570-4057-81a7-738d3495500a
mainprocessname: 2.Timrapportering
pageid: 00000000-0000-0000-0000-000000000000
pagename: Main Page
resourceName: HP4E105402
sessionNumber: 2746
sessionid: 547d706e-abad-46de-bd33-4848d6b37e20
stageid: cbbef370-aa9d-4283-8d7c-590a56d5e766
stagename: System Exception
when: 2019-08-14T11:56:52.0946127Z

Trying to collect the last top 20 items with when, main process name, currprocesstype and resourceName; any tips on how to query them?

What I reached:
source="BP" | fields + c_time, ResourceID, mainprocessname, currprocesstype
| convert timeformat="%H:%M:%S" ctime(_time) AS c_time
| fields - _raw, c_time

Works as a table in search, but when I get to the dashboard and select limit top, it's not working.

0 Karma
1 Solution

Sukisen1981
Champion

hi @hazemfarajallah

This code in your 3rd line, | eval time =strptime(t,"%Y-%m-%d, , %H:%M:%S.%Q%Z"),
gives no output for the field time; replace it with
eval time =strptime(t,"%Y-%m-%dT%H:%M:%S.%7NZ")
After that, replace earliest(when) with earliest(time) in your stats.


0 Karma

Sukisen1981
Champion

hi @hazemfarajallah Please accept the answer if it helped you significantly resolve your issue.

0 Karma

hazemfarajallah
Explorer

Absolutely.
I have a little question about 1=1:

|eval Status = case(eventId="endProcess","Completed", eventId="error","Terminated", 1=1,"Running")

If the process is running it shows Running, but when it's completed it shows both Running and Completed. Is there any way to overwrite the result?

0 Karma

Sukisen1981
Champion

hi @hazemfarajallah
The issue is that you are using a case statement here, so 1=1 is an 'always true' condition.
Ideally you should use if here and try to assign the different status values, for example
|eval Status = if(eventId="endProcess","Completed",if(eventId="error","Terminated",if(eventId="something else","something else","default status")))
You have to assign a value for Status for all scenarios.

0 Karma

hazemfarajallah
Explorer

Aha, I understand. Is it possible to use * then, without only endProcess or error?

Because the eventId can be very different from one process to another.

0 Karma

Sukisen1981
Champion

hi @hazemfarajallah
Not clear about your question; where do you want to use *?
You can set a value in the default status quotes; this will get assigned to Status if none of the if conditions match.

0 Karma

hazemfarajallah
Explorer

I meant to get all eventIds, select *,
so I don't have to see all eventId values.

I want to eval everything except these two cases, error and completed.

0 Karma

hazemfarajallah
Explorer

OK, I did this; I think my group by is wrong: |stats earliest(time) AS startTime latest(time) AS endTime by mainprocessname,ResourceID,Status
If I leave it as only by mainprocessname then I get the latest but no timestamp... not sure where my bug is.

0 Karma

hazemfarajallah
Explorer
source="BP"
| eval t = when
| eval time =strptime(t,"%Y-%m-%dT%H:%M:%S.%7NZ") | dedup 1 sessionNumber sortby -time
| eval Status = case (eventId="endProcess","Completed" ,eventId="error","Terminated")
|stats earliest(time) AS startTime latest(time) AS endTime by mainprocessname,ResourceID,Status | eval DurationSeconds=(endTime - startTime)
| eval startTime = strftime( strptime( startTime, "%Y-%m-%dT%H:%M:%S"), "%Y-%m-%d %H:%M:%S")
| eval endTime = strftime( strptime( endTime, "%Y-%m-%dT%H:%M:%S"), "%Y-%m-%d %H:%M:%S")
| table startTime,endTime , mainprocessname , ResourceID,Status
| rename mainprocessname as "Process" , ResourceID as "Runtime resource",startTime as "Start time", endTime as "End time"
0 Karma

Sukisen1981
Champion

@hazemfarajallah - Hang on a bit 🙂
Firstly, remove all code after your stats and just confirm whether the stats output is correct and as per your expectation.
For example, I cannot see what ResourceID is; I can see something like resourceName.
Even before you check the stats, please check whether each of the evals is giving you the expected result.
You need to debug your code almost line by line; trust me, that is easier than just changing a bit of stuff here and there in a large query and hoping that things will work.
Is Status coming out as expected? What happens if you have an eventId different from endProcess or error? Please verify.

0 Karma

hazemfarajallah
Explorer

source="BP"
|stats earliest(when) AS startTime latest(when) AS endTime by mainprocessname
|table startTime,endTime , mainprocessname

This shows the time, but it's not formatted.
Here is my sample event:
currprocessid: ae5a9eff-1c7a-48fa-acfa-e2145d06f35f
currprocessname: 04 - Ändra fakturasätt
currprocesstype: 0
eventId: startDecision
mainprocessid: ae5a9eff-1c7a-48fa-acfa-e2145d06f35f
mainprocessname: 04 - Ändra fakturasätt
pageid: 47e58161-0f42-47cc-aa94-af755a8de010
pagename: Change Invoice Type
resourceName: HP20082212
sessionNumber: 3310
sessionid: c557c373-5632-4eb7-a321-f63f73cc1c34
stageid: 33e7422a-4f28-4c41-a408-513d1d704d23
stagename: 9 siffror?
when: 2019-08-16T08:03:20.8916931Z

0 Karma

Sukisen1981
Champion

Where is the resourceid that you are using in your stats command in the above event?
And you will have to reformat the time back:
|eval startTime =strftime(startTime ,"%Y-%m-%dT%H:%M:%S.%7NZ") |eval endTime=strftime(endTime,"%Y-%m-%dT%H:%M:%S.%7NZ")
Once again, what is resourceid, and what about the Status field, like I asked before?

0 Karma

hazemfarajallah
Explorer

Sorry, I posted it as an answer.
My resourceid is now resourceName; Status is from an eval on my eventId, but I am having a problem with the group by, as I can't show the Status in the table.
source="BP"
|eval Status = case (eventId="endProcess","Completed" ,eventId="error","Terminated")
|stats earliest(when) AS startTime latest(when) AS endTime by mainprocessname
|eval startTime = strftime( strptime( startTime, "%Y-%m-%dT%H:%M:%S.%7NZ"), "%Y-%m-%d %H:%M:%S")
|eval endTime = strftime( strptime( endTime, "%Y-%m-%dT%H:%M:%S.%7NZ"), "%Y-%m-%d %H:%M:%S")
|table startTime, endTime , mainprocessname,Status

0 Karma

Sukisen1981
Champion

hi @hazemfarajallah
You cannot see the Status in your table because you are only doing a stats by mainprocessname.
Now, if you add Status to the stats, like | stats earliest(when) AS startTime latest(when) AS endTime by mainprocessname,Status, what output do you get?
Once again, remove all code after the stats and first verify that the stats is correct; it should give you output by mainprocessname and Status if the stats is correct.

0 Karma

Sukisen1981
Champion

hi @hazemfarajallah
Please let us know if your issue is solved, or do you still need some more help on this?
If your issue is solved, please let me know if I can convert the comment into an answer for your acceptance.

0 Karma

hazemfarajallah
Explorer

Hi @Sukisen1981
Very big thanks. I started to follow your idea line by line and fixed almost all the problems.
Thanks

0 Karma

hazemfarajallah
Explorer

Status I got from converting the eventId: eval Status = case (eventId="endProcess","Completed" ,eventId="error","Terminated")
and for resourceId I should use resourceName (my big mistake).
I did what you said line by line 🙂 BIG thanks.
Now everything is in place; you were right, as:
source="BP"
| eval Status = case (eventId="endProcess","Completed" ,eventId="error","Terminated")
|stats earliest(when) AS startTime latest(when) AS endTime by mainprocessname,Status,resourceName
|eval startTime = strftime( strptime( startTime, "%Y-%m-%dT%H:%M:%S.%7NZ"), "%Y-%m-%d %H:%M:%S")
|eval endTime = strftime( strptime( endTime, "%Y-%m-%dT%H:%M:%S.%7NZ"), "%Y-%m-%d %H:%M:%S")
|table startTime,endTime , mainprocessname,Status, resourceName

All in place 🙂

0 Karma

Sukisen1981
Champion

You need to provide better data: either you have really hit a bug (as unlikely as it gets..) or you are probably doing something wrong with time ranges / user roles when you save the table as a panel in a dashboard.
Can you elaborate more? There is no way (well, you can never say never, so a very, very small chance) that what works as a table won't work in a dashboard.

hazemfarajallah
Explorer

Sorry, I'm back here.
|stats earliest(when) AS startTime latest(when) AS endTime by mainprocessname,ResourceID,Status
I can't get the real time when I use earliest as start time..
when = when the process starts
Any suggestions?

Here is my query:
source="BP"
| eval t = when
| eval time =strptime(t,"%Y-%m-%d, , %H:%M:%S.%Q%Z") | dedup 1 sessionNumber sortby -time
|stats earliest(when) AS startTime latest(when) AS endTime by mainprocessname,ResourceID,Status | eval DurationSeconds=(endTime - startTime)
| eval startTime = strftime( strptime( startTime, "%Y-%m-%dT%H:%M:%S"), "%Y-%m-%d %H:%M:%S")
| eval endTime = strftime( strptime( endTime, "%Y-%m-%dT%H:%M:%S"), "%Y-%m-%d %H:%M:%S")
| table startTime,endTime , mainprocessname , ResourceID,Status
| rename mainprocessname as "Process" , ResourceID as "Runtime resource",startTime as "Start time", endTime as "End time"
0 Karma
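An added, self-contained example (not from the thread or from either participant) that ties together the three points raised above: the %7NZ strptime format from the accepted answer, a case() with a default branch so every event gets a Status, and a stats grouping that keeps the start event and the terminal event of a run in the same group so earliest/latest give the real start and end. It goes beyond the thread in one way: instead of grouping by Status (which splits a run's events into separate rows, so the Terminated row's startTime is the error event itself), it groups by sessionNumber and derives Status from the run's last eventId. The makeresults block synthesises six events modelled on the two events shown in the thread (constructed sample data, not real log lines); treating sessionNumber as the identifier of one process run, and "last eventId decides the status", are assumptions about the intent, not something the thread states. Replace the first five lines with your own base search (e.g. source="BP") to run it on real data.

```spl
| makeresults count=1
| eval events="2019-08-14T11:55:00.0000000Z,startProcess,2.Timrapportering,HP4E105402,2746;2019-08-14T11:56:52.0946127Z,error,2.Timrapportering,HP4E105402,2746;2019-08-16T08:00:00.0000000Z,startProcess,04 - Ändra fakturasätt,HP20082212,3310;2019-08-16T08:03:20.8916931Z,startDecision,04 - Ändra fakturasätt,HP20082212,3310;2019-08-16T08:05:00.0000000Z,endProcess,04 - Ändra fakturasätt,HP20082212,3310;2019-08-16T09:00:00.0000000Z,startProcess,04 - Ändra fakturasätt,HP20082212,3311"
| makemv delim=";" events
| mvexpand events
| rex field=events "^(?<when>[^,]+),(?<eventId>[^,]+),(?<mainprocessname>[^,]+),(?<resourceName>[^,]+),(?<sessionNumber>[^,]+)$"
| fields - events
| eval time=strptime(when, "%Y-%m-%dT%H:%M:%S.%7NZ")
| eval _time=time
| stats min(time) AS startTime, max(time) AS endTime, latest(eventId) AS lastEvent BY mainprocessname, resourceName, sessionNumber
| eval Status=case(lastEvent="endProcess", "Completed", lastEvent="error", "Terminated", true(), "Running")
| eval DurationSeconds=round(endTime - startTime, 3)
| sort -endTime
| head 20
| eval startTime=strftime(startTime, "%Y-%m-%d %H:%M:%S"), endTime=strftime(endTime, "%Y-%m-%d %H:%M:%S")
| table startTime, endTime, mainprocessname, resourceName, sessionNumber, Status, DurationSeconds
| rename mainprocessname AS "Process", resourceName AS "Runtime resource", startTime AS "Start time", endTime AS "End time"
```

Why the pieces are where they are: strptime turns the ISO timestamp into an epoch number, and `_time` is set from it because every row produced by makeresults/mvexpand otherwise carries the same `_time` (now), which would make latest(eventId) meaningless; on real indexed events `_time` is already correct and that line can be dropped. min/max on the epoch field give the true first and last timestamps of the run regardless of which event they belong to, and the duration is computed before strftime turns the numbers back into display strings. sort and head run on the numeric endTime, so "last 20 runs" means the 20 most recently finished, which is the ordering a dashboard panel needs. On the constructed data the result is three rows: session 2746 Terminated with DurationSeconds 112.095, session 3310 Completed with 300, and session 3311 Running with 0, and no session appears twice, which is the "Running and Completed at the same time" problem from earlier in the thread.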

hazemfarajallah
Explorer

I am trying to get it in real time.

0 Karma