Splunk Search

Can you help me with DB/Index app monitoring?

benji00
New Member

Hello community,

My first and probably not the last comment here...as it seems the community is quite active.

I am currently launching an automated task that is by environment generating a log file giving me the difference between my objects in DB and my objects in my indexation.

The file is composed as it is written below:

**TYPE = INDEX_COUNT ; DB_COUNT
CATMpgReference = 26357 ; 374819
VPMReference = 26210 ; 345331**

By environment and type, I want to be able to have a line chart visualization of:

  • DB_COUNT time evolution,
  • DB_COUNT, INDEX_COUNT difference time evolution,
  • DB_COUNT, INDEX_COUNT difference current status,

I used the

 rex field=_raw
 "(?<vtype>.*)\s=\s(?<vindex>.*)\s;\s(?<vmql>.*)"
 | dedup vtype

syntax to isolate the data, but I am unable to pass the visualization step.

Any help please?

0 Karma
1 Solution

tiagofbmm
Influencer

Use Chart and then trellis splitted by TYPE like I show below

| makeresults
| eval TYPE="CATMpgReference", "INDEX_COUNT"=26357, DB_COUNT=374819, _time=relative_time(now(),"-1d") 
| append [ | makeresults
| eval TYPE="VPMReference", "INDEX_COUNT"=222, DB_COUNT=123123, _time=relative_time(now(),"-2d") ]
| append [ | makeresults
| eval TYPE="CATMpgReference", "INDEX_COUNT"=12312, DB_COUNT=3123, _time=relative_time(now(),"-3d") ]
| append [ | makeresults
| eval TYPE="VPMReference", "INDEX_COUNT"=654, DB_COUNT=33, _time=relative_time(now(),"-4d") ]
| append [ | makeresults
| eval TYPE="VPMReference", "INDEX_COUNT"=67, COUNT=231231, _time=relative_time(now(),"-5d") ]
| append [ | makeresults
| eval TYPE="CATMpgReference", "INDEX_COUNT"=88, DB_COUNT=1555, _time=relative_time(now(),"-6d") ]
| append [ | makeresults
| eval TYPE="VPMReference", "INDEX_COUNT"=4574567, DB_COUNT=2452345, _time=relative_time(now(),"-7d") ]
| append [ | makeresults
| eval TYPE="VPMReference", "INDEX_COUNT"=222, DB_COUNT=123123, _time=relative_time(now(),"-22d") ]
| append [ | makeresults
| eval TYPE="CATMpgReference", "INDEX_COUNT"=12312, DB_COUNT=3123, _time=relative_time(now(),"-23d") ]
| append [ | makeresults
| eval TYPE="VPMReference", "INDEX_COUNT"=654, DB_COUNT=33, _time=relative_time(now(),"-24d") ]
| append [ | makeresults
| eval TYPE="VPMReference", "INDEX_COUNT"=67, COUNT=231231, _time=relative_time(now(),"-25d") ]
| append [ | makeresults
| eval TYPE="CATMpgReference", "INDEX_COUNT"=88, DB_COUNT=1555, _time=relative_time(now(),"-26d") ]
| append [ | makeresults
| eval TYPE="VPMReference", "INDEX_COUNT"=4574567, DB_COUNT=2452345, _time=relative_time(now(),"-27d") ]
| chart values(INDEX_COUNT) as INDEX_COUNT, values(DB_COUNT) as DB_COUNT by _time, TYPE

alt text

View solution in original post

0 Karma

tiagofbmm
Influencer

Use Chart and then trellis splitted by TYPE like I show below

| makeresults
| eval TYPE="CATMpgReference", "INDEX_COUNT"=26357, DB_COUNT=374819, _time=relative_time(now(),"-1d") 
| append [ | makeresults
| eval TYPE="VPMReference", "INDEX_COUNT"=222, DB_COUNT=123123, _time=relative_time(now(),"-2d") ]
| append [ | makeresults
| eval TYPE="CATMpgReference", "INDEX_COUNT"=12312, DB_COUNT=3123, _time=relative_time(now(),"-3d") ]
| append [ | makeresults
| eval TYPE="VPMReference", "INDEX_COUNT"=654, DB_COUNT=33, _time=relative_time(now(),"-4d") ]
| append [ | makeresults
| eval TYPE="VPMReference", "INDEX_COUNT"=67, COUNT=231231, _time=relative_time(now(),"-5d") ]
| append [ | makeresults
| eval TYPE="CATMpgReference", "INDEX_COUNT"=88, DB_COUNT=1555, _time=relative_time(now(),"-6d") ]
| append [ | makeresults
| eval TYPE="VPMReference", "INDEX_COUNT"=4574567, DB_COUNT=2452345, _time=relative_time(now(),"-7d") ]
| append [ | makeresults
| eval TYPE="VPMReference", "INDEX_COUNT"=222, DB_COUNT=123123, _time=relative_time(now(),"-22d") ]
| append [ | makeresults
| eval TYPE="CATMpgReference", "INDEX_COUNT"=12312, DB_COUNT=3123, _time=relative_time(now(),"-23d") ]
| append [ | makeresults
| eval TYPE="VPMReference", "INDEX_COUNT"=654, DB_COUNT=33, _time=relative_time(now(),"-24d") ]
| append [ | makeresults
| eval TYPE="VPMReference", "INDEX_COUNT"=67, COUNT=231231, _time=relative_time(now(),"-25d") ]
| append [ | makeresults
| eval TYPE="CATMpgReference", "INDEX_COUNT"=88, DB_COUNT=1555, _time=relative_time(now(),"-26d") ]
| append [ | makeresults
| eval TYPE="VPMReference", "INDEX_COUNT"=4574567, DB_COUNT=2452345, _time=relative_time(now(),"-27d") ]
| chart values(INDEX_COUNT) as INDEX_COUNT, values(DB_COUNT) as DB_COUNT by _time, TYPE

alt text

0 Karma

benji00
New Member

Hello,
Thanks for you feedback and sorry for my no-answer.
Your request is not so clear to me.

Each morning I am running a DB script which will generate a log file containing in txt format, following information:
TYPE;INDEX_COUNT;DB_COUNT
Each day and for each type of course the counts will change.
I want to be able to track the count evolution by type and by time.
But I don't want to fill in myself the figures in a query as shown above. I want a Splunk query able to extract those figures by itself.

Thanks,Hello,
Thanks very much for your answer and sorry but I tried to understand it and finally was worried by another topics.
Anyway, what I don't understand in your answer is that the values are, let's say, hardcoded.

From my side, each morning I will run a DB query which will generate a log file. This log file will contain the sample explained below:
TYPE = INDEX_COUNT ; DB_COUNT
CATMpgReference = 26357 ; 374819
VPMReference = 26210 ; 345331

But those values will change each day and my objective is to generate directly a chart showing this evolution, but without filling myself the values in a query as given above. I will try it again.
Thanks

0 Karma

tiagofbmm
Influencer

@benji00 please accept an answer if it solved/helped it and upvote it. Otherwise let us know how can we help further

0 Karma

benji00
New Member

Hello,
Thanks for you feedback and sorry for my no-answer.
Your request is not so clear to me.

Each morning I am running a DB script which will generate a log file containing in txt format, following information:
TYPE;INDEX_COUNT;DB_COUNT
Each day and for each type of course the counts will change.
I want to be able to track the count evolution by type and by time.
But I don't want to fill in myself the figures in a query as shown above. I want a Splunk query able to extract those figures by itself.

Thanks

0 Karma

tiagofbmm
Influencer

The query below is a mock up because nobody has access to your data. It builds your data and then adds the statistics I believe is what you wanted there

0 Karma

benji00
New Member

@tiagofbmm: Finally i succeeded to do this yesterday:
rex field=_raw "(?.)\s=\s(?.)\s;\s(?.*)" | timechart eval(sum(vmql)-sum(vindex)) by vtype

It is quite good but now I would like to add a filter in my query to say:
if
sum(vmql)-sum(vindex) >= 0
then
don't show the results

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...