Reporting

Pick the value as column and duration value as row against them, date-wise.

sachdeva_2007
Explorer

Rex field to pick the value as column and duration value as row against them. Refer to the below.

Date And Time     SIline   PrimaryAddress   SearchInServicing   NavExistingAddresses
2/11/1982 1:25    1.132    1.375            1.149               1.885


XML format

<Transaction Name="Naviline" Time="02/11/1982 01:25:07:223" Duration="9.034" />
<Transaction Name="SePipeline" Time="02/11/1982 01:25:07:899" Duration="0.662" />
<Transaction Name="NdwIncuse" Time="02/11/1982 01:25:09:553" Duration="1.614" />
<Transaction Name="EnterDetails" Time="02/11/1982 01:25:11:532" Duration="1.916" />
<Transaction Name="SIline" Time="02/11/1982 01:25:12:703" Duration="1.132" />
<Transaction Name="GetWindowIn" Time="02/11/1982 01:25:20:748" Duration="7.957" />
<Transaction Name="PrimaryAddress" Time="02/11/1982 01:25:22:154" Duration="1.375" />
<Transaction Name="WindowingTouch" Time="02/11/1982 01:25:51:674" Duration="1.365" />
<Transaction Name="dailysearch" Time="02/11/1982 01:26:01:908" Duration="10.141" />
<Transaction Name="SearchInServicing" Time="02/11/1982 01:26:03:115" Duration="1.149" />
<Transaction Name="NavExistingAddresses" Time="02/11/1982 01:26:05:060" Duration="1.885" />



1 Solution

ITWhisperer
SplunkTrust

This is because the transactions have different times - how do you want to group the transactions - by hour? by date? by event (ignoring the datetime)?


ITWhisperer
SplunkTrust
| rex "Name=\"(?<name>[^\"]+)\"\sTime=\"(?<time>[^\"]+)\"\sDuration=\"(?<duration>[^\"]+)\""
| eval time=strptime(time,"%d/%m/%Y %H:%M")
| eval {name}=duration
| stats values(*) as * by time
| fieldformat time=strftime(time,"%d/%m/%Y %H:%M")

sachdeva_2007
Explorer

No result found. I hope you saw the requirement; refer to the attachment again.


ITWhisperer
SplunkTrust

Here is a run-anywhere example showing it working (the part before the blank lines sets up sample data in line with your example). If your events are different in some way, perhaps you can share them.

| makeresults 
| eval _raw="<Transaction Name=\"Naviline\" Time=\"02/11/1982 01:25:07:223\" Duration=\"9.034\" />
<Transaction Name=\"SePipeline\" Time=\"02/11/1982 01:25:07:899\" Duration=\"0.662\" />
<Transaction Name=\"NdwIncuse\" Time=\"02/11/1982 01:25:09:553\" Duration=\"1.614\" />
<Transaction Name=\"EnterDetails\" Time=\"02/11/1982 01:25:11:532\" Duration=\"1.916\" />
<Transaction Name=\"SIline\" Time=\"02/11/1982 01:25:12:703\" Duration=\"1.132\" />
<Transaction Name=\"GetWindowIn\" Time=\"02/11/1982 01:25:20:748\" Duration=\"7.957\" />
<Transaction Name=\"PrimaryAddress\" Time=\"02/11/1982 01:25:22:154\" Duration=\"1.375\" />
<Transaction Name=\"WindowingTouch\" Time=\"02/11/1982 01:25:51:674\" Duration=\"1.365\" />
<Transaction Name=\"dailysearch\" Time=\"02/11/1982 01:26:01:908\" Duration=\"10.141\" />
<Transaction Name=\"SearchInServicing\" Time=\"02/11/1982 01:26:03:115\" Duration=\"1.149\" />
<Transaction Name=\"NavExistingAddresses\" Time=\"02/11/1982 01:26:05:060\" Duration=\"1.885\" />"
| multikv noheader=t
| table _raw



| rex "Name=\"(?<name>[^\"]+)\"\sTime=\"(?<time>[^\"]+)\"\sDuration=\"(?<duration>[^\"]+)\""
| eval time=strptime(time,"%d/%m/%Y %H:%M")
| eval {name}=duration
| fields - name duration
| stats values(*) as * by time
| fieldformat time=strftime(time,"%d/%m/%Y %H:%M")
| table time SIline PrimaryAddress SearchInServicing NavExistingAddresses


sachdeva_2007
Explorer

When I run the whole command including the raw, it worked for me as well.

But when I run only these commands, it gives me the header detail but not any value against them except the dates column. Refer to the screenshot below.

[screenshot: sachdeva_2007_0-1629730596216.jpeg]


| rex "Name=\"(?<name>[^\"]+)\"\sTime=\"(?<Date>[^\"]+)\"\sDuration=\"(?<duration>[^\"]+)\""
| eval Time=strptime(Date, "%d/%m/%Y %H:%M")
| eval {name}='duration'
| fields - name duration
| stats values(*) as * by Date
| fieldformat Time=strftime(Date, "%d/%m/%Y")
| table time SIline PrimaryAddress SearchInServicing NavExistingAddresses

Please refer to the attached actual data available in Splunk.


ITWhisperer
SplunkTrust

It always helps to have a more complete picture! Try this:

| makeresults 
| eval _raw="<PerformanceReport>
<SearchCustomer>
<Transaction Name=\"Naviline\" Time=\"02/11/1982 01:25:07:223\" Duration=\"9.034\" />
<Transaction Name=\"SePipeline\" Time=\"02/11/1982 01:25:07:899\" Duration=\"0.662\" />
<Transaction Name=\"NdwIncuse\" Time=\"02/11/1982 01:25:09:553\" Duration=\"1.614\" />
<Transaction Name=\"EnterDetails\" Time=\"02/11/1982 01:25:11:532\" Duration=\"1.916\" />
<Transaction Name=\"SIline\" Time=\"02/11/1982 01:25:12:703\" Duration=\"1.132\" />
<Transaction Name=\"GetWindowIn\" Time=\"02/11/1982 01:25:20:748\" Duration=\"7.957\" />
<Transaction Name=\"PrimaryAddress\" Time=\"02/11/1982 01:25:22:154\" Duration=\"1.375\" />
<Transaction Name=\"WindowingTouch\" Time=\"02/11/1982 01:25:51:674\" Duration=\"1.365\" />
<Transaction Name=\"dailysearch\" Time=\"02/11/1982 01:26:01:908\" Duration=\"10.141\" />
<Transaction Name=\"SearchInServicing\" Time=\"02/11/1982 01:26:03:115\" Duration=\"1.149\" />
<Transaction Name=\"NavExistingAddresses\" Time=\"02/11/1982 01:26:05:060\" Duration=\"1.885\" />
</PerformanceReport>
</SearchCustomer>"


| rex max_match=0 "\<Transaction (?<transaction>.*)\s\/\>"
| mvexpand transaction
| rex field=transaction "Name=\"(?<name>[^\"]+)\"\sTime=\"(?<time>[^\"]+)\"\sDuration=\"(?<duration>[^\"]+)\""
| eval time=strptime(time,"%d/%m/%Y %H:%M")
| eval {name}=duration
| fields - name duration
| stats values(*) as * by time
| fieldformat time=strftime(time,"%d/%m/%Y %H:%M")
| table time SIline PrimaryAddress SearchInServicing NavExistingAddresses

sachdeva_2007
Explorer

Like I said earlier, your whole query worked properly, but when I run only the code below it's not giving me any output.

Refer to the screenshot below.

[screenshot: sachdeva_2007_0-1629733155889.png]


ITWhisperer
SplunkTrust

Try adding the lines one at a time to see at which point you lose the events.


sachdeva_2007
Explorer

When I removed the line below from the code, I'm getting the header detail but no value against them except the date column. I also changed time to Date in the code (refer to the attachment).

stats values(*) as * by time


index=XXXXX
| rex "Name=\"(?<name>[^\"]+)\"\sTime=\"(?<Date>[^\"]+)\"\sDuration=\"(?<duration>[^\"]+)\""
| eval time=strptime(Date, "%d/%m/%Y")
| eval {name}=duration
| fields - name duration
| fieldformat time=strftime(Date, "%d/%m/%Y")
| table time SIline PrimaryAddress SearchInServicing NavExistingAddresses


ITWhisperer
SplunkTrust

You don't appear to have included these lines from my example:

| rex max_match=0 "\<Transaction (?<transaction>.*)\s\/\>"
| mvexpand transaction

sachdeva_2007
Explorer

It's pulling data, but it's scattering the values across multiple rows. Probably it's because of

mvexpand transaction

If we can ignore the seconds from the date, that would be great.


ITWhisperer
SplunkTrust

What is the current SPL you are using?


sachdeva_2007
Explorer

The one you shared:

| rex max_match=0 "\<Transaction (?<transaction>.*)\s\/\>"
| mvexpand transaction
| rex field=transaction "Name=\"(?<name>[^\"]+)\"\sTime=\"(?<time>[^\"]+)\"\sDuration=\"(?<duration>[^\"]+)\""
| eval time=strptime(time,"%d/%m/%Y %H:%M")
| eval {name}=duration
| fields - name duration
| stats values(*) as * by time
| fieldformat time=strftime(time,"%d/%m/%Y %H:%M")
| table time SIline PrimaryAddress SearchInServicing NavExistingAddresses

It's coming out this way; it does not remove the seconds and beyond either.

[screenshot: sachdeva_2007_1-1629813301431.png]

sachdeva_2007
Explorer

In which I changed the time to Date.


ITWhisperer
SplunkTrust

Your Date has seconds in it, whereas my time does not. If you are not prepared to show exactly what you are doing, how do you expect me to be able to find the error?


ITWhisperer
SplunkTrust

If you are using the search I shared, where is the Date field coming from? Can you share the actual search you are using to get these results?


sachdeva_2007
Explorer

The output is in two lines; ideally it should be in one line only.

[screenshot: sachdeva_2007_0-1629817829945.png]

ITWhisperer
SplunkTrust

This is because the transactions have different times - how do you want to group the transactions - by hour? by date? by event (ignoring the datetime)?


sachdeva_2007
Explorer

By date, so that it is displayed in one line.


ITWhisperer
SplunkTrust
| eval time=strptime(time,"%d/%m/%Y")