Knowledge Management

Tags not showing in this search....

Josh
Path Finder

Hi, I have a search which is returning the tags in the display. The tags work, as I report on these tags in all of our searches. Can anyone see anything specific in the search which would stop tags from working? (This does not work even when I take out the rename, and the field also reports as blank in the search results.)

index="os" tag::host=*Jets*  | rename tag::host as environment | multikv fields PID    COMMAND ARGS | search COMMAND="jrr*" ARGS !=*getStates* | stats max(_time), min(_time) by PID, ARGS, host | rename max(_time) as max | rename min(_time) as min | eval end=max | eval start=min | convert timeformat="%d/%m/%y %H:%M:%S.%l" ctime(start) | convert timeformat="%d/%m/%y %H:%M:%S.%l" ctime(end) | eval uptime=max-min | eval hour=floor(uptime/3600) | eval minute=floor((uptime-(hour*3600))/60) | eval seconds=uptime-(hour*3600)-(minute*60) | strcat hour ":" minute ":" seconds duration | rex field=ARGS "-[a-zA-Z\.\=\/\_\-\:0-9\,]*.BootIdentityFile=servers\/(?<instance>[a-z0-9]*)\/data" | sort host, instance, PID | eval now=time() | eval diff=floor(now-max-180) | eval diff=if(diff<=0,0,diff) | eval status=diff | fillnull value=admin instance | replace 0 with "RUNNING" in status | replace "1" with RUNNING in status | eval status=if(isint(status),"PID NOT UP",status) | eval hours2=floor(diff/3600) | eval mins2=floor((diff-(hours2*3600))/60) | eval seconds2=diff-(hours2*3600)-(mins2*60) | dedup host, instance | strcat hours2 " Hours " mins2 " minutes " seconds2 " seconds" downTime| fields host, environment, instance, PID, start, end, duration, status, downTime | rename duration as Up_time 

[Screenshot: tags are reporting]

[Screenshot: field not reported in search results]

1 Solution

Lowell
Super Champion

Wow. That's quite a search command!

After reading this a few times, I think I see your issue. The environment field is being dropped by your stats command. You are keeping host, but that does not keep the tag::host field. You could fix this by including tag::host in your list of grouping fields (the by clause), but I suggest using the tags command instead....

Try using this:

| stats ... | tags host | rename tag::host as environment


If you don't mind, here are a few other comments on ways to slightly simplify your search. None of this is major stuff, but you may find one of these helpful.

  • You can drop some renames by using the "as" in the stats command.

So this:

| stats max(_time), min(_time) by PID, ARGS, host | rename max(_time) as max | rename min(_time) as min

Could be written as:

 | stats max(_time) as max, min(_time) as min by PID, ARGS, host

  • The convert command can do multiple conversions at once. So you could combine them both as:

    | convert timeformat="%d/%m/%y %H:%M:%S.%l" ctime(start) ctime(end)

  • I noticed that your regular expression in the rex command has a bunch of unnecessary escape sequences.

    | rex field=ARGS "-[a-zA-Z.=/_:0-9,-]*.BootIdentityFile=servers/(?<instance>[a-z0-9]*)/data"

(Note that I moved the "-" to the end of your character range matching. Otherwise the "-" gets seen as a character range definition rather than the literal character "-". If you are used to perl or awk, sometimes you do need a bunch of extra backslashes, but they aren't necessary as part of the regex itself, so you don't need them here.)

  • You can do multiple replace operations in one command.

So this:

| replace 0 with "RUNNING" in status | replace "1" with RUNNING in status

could be written as:

| replace "0" with "RUNNING", "1" with RUNNING in status

On a second look, perhaps you may want to replace all three of your status renaming commands and use a single eval command using the case statement. I'm not sure what's best, but it may be something to consider.

  • It may be possible to take your hour/minute/second to a single "duration" field logic and stick that in a macro. But you're using two different formats at the end, so that may not be worth it. As always, using a macro would help the readability of your search, but wouldn't help the run-time performance of your search.

That's it. You have quite an impressive search going on and perhaps one or two of these ideas will help keep it more manageable. (BTW, I haven't tested any of these, so I'd only try making one change at a time.)

Best of luck!



Josh
Path Finder

Thanks I missed that in the search, also thanks for the useful tips in reducing the search text 🙂
