Knowledge Management

Tags not showing in this search....

Josh
Path Finder

Hi, I have a search which is returning the tags in the display; the tags work, as I report on these tags in all of our searches. Can anyone see anything specific in the search which would stop tags from working? (This does not work even when I take out the rename, and the field also reports as blank in the search results.)

index="os" tag::host=*Jets*
| rename tag::host as environment
| multikv fields PID COMMAND ARGS
| search COMMAND="jrr*" ARGS !=*getStates*
| stats max(_time), min(_time) by PID, ARGS, host
| rename max(_time) as max
| rename min(_time) as min
| eval end=max
| eval start=min
| convert timeformat="%d/%m/%y %H:%M:%S.%l" ctime(start)
| convert timeformat="%d/%m/%y %H:%M:%S.%l" ctime(end)
| eval uptime=max-min
| eval hour=floor(uptime/3600)
| eval minute=floor((uptime-(hour*3600))/60)
| eval seconds=uptime-(hour*3600)-(minute*60)
| strcat hour ":" minute ":" seconds duration
| rex field=ARGS "-[a-zA-Z\.\=\/\_\-\:0-9\,]*.BootIdentityFile=servers\/(?<instance>[a-z0-9]*)\/data"
| sort host, instance, PID
| eval now=time()
| eval diff=floor(now-max-180)
| eval diff=if(diff<=0,0,diff)
| eval status=diff
| fillnull value=admin instance
| replace 0 with "RUNNING" in status
| replace "1" with RUNNING in status
| eval status=if(isint(status),"PID NOT UP",status)
| eval hours2=floor(diff/3600)
| eval mins2=floor((diff-(hours2*3600))/60)
| eval seconds2=diff-(hours2*3600)-(mins2*60)
| dedup host, instance
| strcat hours2 " Hours " mins2 " minutes " seconds2 " seconds" downTime
| fields host, environment, instance, PID, start, end, duration, status, downTime
| rename duration as Up_time

tags are reporting

Field not reported in search results

1 Solution

Lowell
Super Champion

Wow. That's quite a search command!

After reading this a few times, I think I see your issue. The environment field is being dropped by your stats command. You are keeping host, but that does not keep the tag::host field. You could fix this by including tag::host in your list of grouping fields (the by clause), but I suggest using the tags command instead....

Try using this:

| stats ... | tags host | rename tag::host as environment


If you don't mind, here are a few other comments on ways to slightly simplify your search. None of this is major stuff, but you may find one of these helpful.

  • You can drop some renames by using the "as" in the stats command.

So this:

| stats max(_time), min(_time) by PID, ARGS, host | rename max(_time) as max | rename min(_time) as min

Could be written as:

 | stats max(_time) as max, min(_time) as min by PID, ARGS, host

  • The convert command can do multiple conversions at once. So you could combine them both as:

    | convert timeformat="%d/%m/%y %H:%M:%S.%l" ctime(start) ctime(end)

  • I noticed that your regular expression in the rex command has a bunch of unnecessary escape sequences.

    | rex field=ARGS "-[a-zA-Z.=/_:0-9,-]*.BootIdentityFile=servers/(?<instance>[a-z0-9]*)/data"

(Note that I moved the "-" to the end of your character range matching. Otherwise the "-" gets seen as a character range definition rather than the literal character "-". If you are used to perl or awk, sometimes you do need a bunch of extra backslashes, but they aren't necessary as part of the regex itself, so you don't need them here.)

  • You can do multiple replace operations in one command.

So this:

| replace 0 with "RUNNING" in status | replace "1" with RUNNING in status

could be written as:

| replace "0" with "RUNNING", "1" with RUNNING in status

On a second look, perhaps you may want to replace all three of your status renaming commands and use a single eval command using the case statement. I'm not sure what's best, but it may be something to consider.

  • It may be possible to take your hour/minute/second-to-a-single-"duration"-field logic and stick that in a macro. But you're using two different formats at the end, so that may not be worth it. As always, using a macro would help the readability of your search, but wouldn't help the run-time performance of your search.

That's it. You have quite an impressive search going on and perhaps one or two of these ideas will help keep it more manageable. (BTW, I haven't tested any of these, so I'd only try making one change at a time.)

Best of luck!



Josh
Path Finder

Thanks I missed that in the search, also thanks for the useful tips in reducing the search text 🙂
