
Show Data and time as field while basis search

New Member

Application Name  ExceptionName  Occurrences  TimeStamp
App1              NPE            1            06:29 00:00:00
App2              SQL            1            07:29 00:00:00

I am able to run the search and pick the exception, and now I want to add the timestamp it happened at as a field.
Please suggest whether I should go with it as an occurrence or as a count number within a certain period of time.

0 Karma

Re: Show Data and time as field while basis search

New Member

I have tried this Splunk query, but I am not sure why it returns pretty much the same values for the X day and hour events when running it hourly, monthly, etc.

index=myIndex searchException | rex "for exeception.*" max_match=0 | bucket span=1h _time | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(_time) AS date | stats count by myIndex, excp, date

Result:
Time interval at 4 PM, 10 AM, next day 3 PM - the result is the same

0 Karma

Re: Show Data and time as field while basis search

New Member

Time interval at 4 PM, 10 AM, next day 3 PM - the result is the same = 10

Time interval at 9 PM (20), 5 AM (20), next day 1 PM (20) - the result is the same -- always 20 at the given interval

0 Karma

Re: Show Data and time as field while basis search

SplunkTrust

Okay, when you are having problems like this, you need to slow down and try one line at a time to see what is happening. We will use the command | head 5 at the start to get only the first 5 results.

Try this first, for a short period of time in which there should be at least 5 records....

index=myIndex searchException
| head 5

You should see 5 records that match your criteria. If not, then fix the code until you do.

Next, try this...

| rex "for (?<excp>.*)" max_match=0

That should extract one field excp that contains everything after the first word "for". If not, then adjust the regular expression until it gets the part that you want.

Now add this...

| stats count by excp _time 

This should give you a count of 1 (because we haven't grouped the time yet).

Next, get rid of the head 5 and the stats and add this at the end.

| timechart count span=1h by excp

Click over to the visualizations page and look at it as a linechart or a bar chart. You should see the errors ebb and flow across the time range. Now replace that last one with this...

| bin _time span=1h
| stats count by _time excp 

Once you've reviewed all that, come back and tell us what you need now. (I figure your real question hasn't really made it to us yet.)

0 Karma
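To see what the pipeline in the answer above actually does to the data, here is an added example (not from the thread or from Splunk) that emulates the final query `| rex "for (?<excp>.*)" | bin _time span=1h | stats count by _time excp` in Python over a handful of constructed log lines; the event format and the exception names are assumptions made for the illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample events (not from the original thread). Each line is
# "<timestamp> <app> ... for <exception text>", the shape the rex expects.
# The INFO line has no "for ..." part and so gets no excp field.
SAMPLE_EVENTS = """\
2017-06-01 06:29:10 App1 ERROR handler failed for NullPointerException
2017-06-01 06:45:02 App1 ERROR handler failed for NullPointerException
2017-06-01 06:50:00 App1 INFO scheduler started
2017-06-01 07:29:33 App2 ERROR query failed for SQLException
2017-06-01 07:58:41 App1 ERROR handler failed for NullPointerException
2017-06-01 07:59:59 App2 ERROR query failed for SQLException
2017-06-02 15:03:27 App2 ERROR query failed for SQLException
""".splitlines()

# | rex "for (?<excp>.*)"   (Python spells a named group (?P<name>...))
EXCP_RE = re.compile(r"for (?P<excp>.*)")


def extract_excp(event):
    """Return everything after the first 'for ', or None when the rex does not match."""
    m = EXCP_RE.search(event)
    return m.group("excp") if m else None


def bin_to_hour(ts):
    """Equivalent of '| bin _time span=1h': floor the timestamp to the start of its hour."""
    return ts.replace(minute=0, second=0, microsecond=0)


def count_by_hour_and_excp(events):
    """Equivalent of '| bin _time span=1h | stats count by _time excp'.

    Returns {(bucket start 'YYYY-mm-dd HH:MM:SS', excp): count}. Events the rex
    does not match have no excp field and are dropped, as 'stats ... by excp' does.
    """
    counts = Counter()
    for line in events:
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        excp = extract_excp(line)
        if excp is None:
            continue
        bucket = bin_to_hour(ts).strftime("%Y-%m-%d %H:%M:%S")
        counts[(bucket, excp)] += 1
    return dict(counts)


if __name__ == "__main__":
    for (bucket, excp), n in sorted(count_by_hour_and_excp(SAMPLE_EVENTS).items()):
        print(f"{bucket}  {excp:<22} {n}")
```

Each hour bucket gets its own row per exception, so the counts differ from hour to hour as the errors ebb and flow; if every interval shows the same number, the time field being grouped on is not the event's own _time.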

Re: Show Data and time as field while basis search

New Member

I have tried a similar Splunk query:
| bin _time span=1h
| stats count by _time excp

I am getting what I am looking for - I don't need a graph, timechart or any other graphic -- my issue is that the result is pretty much the same,
like http://docs.splunk.com/Documentation/Splunk/6.5.3/SearchReference/Timechart -- timechart section

0 Karma