Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Can someone help with my Splunk search to find new...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
uagraw01
Contributor
09-30-2022
01:27 AM
Hello Splunkers!!
I have two weeks events week 1 & week 2. Here I need to compare event of Week 1 & Week 2. The highlighted red one is the new event in Week 2. Like wise I have 100 of events in week 1 and week 2. If any new events comes in week 2 I need that result. Please let me know how to approach with this.
| Message | |
| Week 1 | Week 2 |
| Template:account/backToAccount | Template:account/backToAccount |
| "enableEnhancedCheckout" is not defined | "enableEnhancedCheckout" is not defined |
| "product" is not defined |
Below is the query I have created so far :
index="ABC" ("ERROR" OR "EXCEPTION") earliest=-7d latest=now()
| rex field=_raw "Error\s(?<Message>.+)MulesoftAdyenNotification"
| rex field=_raw "fetchSeoContent\(\)\s(?<Exception>.+)"
| rex field=_raw "Error:(?<Error2>.+)"
| rex field=_raw "(?<ErrorM>Error in template script)+"
| rex field=_raw "(?ms)^(?:[^\\|\\n]*\\|){3}(?P<Component>[^\\|]+)" | rex "service=(?<Service>[A-Za-z._]+)" |rex "Sites-(?<Country>[A-Z]{2})"
| eval Error_Exception_7d= coalesce(Message,Error2,Exception,ErrorM)
| stats count by Error_Exception_7d | sort - count
| appendcols
[ search index="ABC" ("ERROR" OR "EXCEPTION") earliest=-14d latest=-8d
| rex field=_raw "Error\s(?<Message>.+)MulesoftAdyenNotification"
| rex field=_raw "fetchSeoContent\(\)\s(?<Exception>.+)"
| rex field=_raw "Error:(?<Error2>.+)"
| rex field=_raw "(?<ErrorM>Error in template script)+"
| rex field=_raw "(?ms)^(?:[^\\|\\n]*\\|){3}(?P<Component>[^\\|]+)" | rex "service=(?<Service>[A-Za-z._]+)" |rex "Sites-(?<Country>[A-Z]{2})"
| eval Error_Exception_14d= coalesce(Message,Error2,Exception,ErrorM)
| stats count by Error_Exception_14d | sort - count]
| stats count by Error_Exception_14d Error_Exception_7d
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gcusello
Esteemed Legend
09-30-2022
02:07 AM
Hi @uagraw01,
this is a not performat search and there's the limit of 50,000 results in subsearches, please try a different approach using eval and stats dc, something like this:
index="ABC" ("ERROR" OR "EXCEPTION") earliest=-14d latest=now()
| rex field=_raw "Error\s(?<Message>.+)MulesoftAdyenNotification"
| rex field=_raw "fetchSeoContent\(\)\s(?<Exception>.+)"
| rex field=_raw "Error:(?<Error2>.+)"
| rex field=_raw "(?<ErrorM>Error in template script)+"
| rex field=_raw "(?ms)^(?:[^\\|\\n]*\\|){3}(?P<Component>[^\\|]+)"
| rex "service=(?<Service>[A-Za-z._]+)" |rex "Sites-(?<Country>[A-Z]{2})"
| eval Error_Exception= coalesce(Message,Error2,Exception,ErrorM)
| eval week=if(now()-_time<604800,"last week","previous week")
| stats dc(week) AS week_count values(week) AS week by Error_Exception
| eval kind=if(week_count=2,"both weeks",week
| table Error_Exception kindin this way you can configure the filters you like, e.g. new Error_Exception.
I didn't analyzed your regexes and eval that I suppose are correct.
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gcusello
Esteemed Legend
09-30-2022
02:07 AM
Hi @uagraw01,
this is a not performat search and there's the limit of 50,000 results in subsearches, please try a different approach using eval and stats dc, something like this:
index="ABC" ("ERROR" OR "EXCEPTION") earliest=-14d latest=now()
| rex field=_raw "Error\s(?<Message>.+)MulesoftAdyenNotification"
| rex field=_raw "fetchSeoContent\(\)\s(?<Exception>.+)"
| rex field=_raw "Error:(?<Error2>.+)"
| rex field=_raw "(?<ErrorM>Error in template script)+"
| rex field=_raw "(?ms)^(?:[^\\|\\n]*\\|){3}(?P<Component>[^\\|]+)"
| rex "service=(?<Service>[A-Za-z._]+)" |rex "Sites-(?<Country>[A-Z]{2})"
| eval Error_Exception= coalesce(Message,Error2,Exception,ErrorM)
| eval week=if(now()-_time<604800,"last week","previous week")
| stats dc(week) AS week_count values(week) AS week by Error_Exception
| eval kind=if(week_count=2,"both weeks",week
| table Error_Exception kindin this way you can configure the filters you like, e.g. new Error_Exception.
I didn't analyzed your regexes and eval that I suppose are correct.
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
uagraw01
Contributor
09-30-2022
02:48 AM
@gcusello Thanks for your valuable inputs. Let me try and observe.
Get Updates on the Splunk Community!
Enterprise Security Content Updates (ESCU) - New Releases
In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new content via the Enterprise ...
Thought Leaders are Validating Your Hard Work and Training Rigor
As a Splunk enthusiast and member of the Splunk Community, you are one of thousands who recognize the value of ...
.conf23 Registration is Now Open!
Time to toss the .conf-etti 🎉 — .conf23 registration is open!
Join us in Las Vegas July 17-20 for ...
