Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you help me with DB/Index app monitoring?

benji00
New Member
‎02-26-2019 02:44 AM

Hello community,

My first and probably not the last comment here...as it seems the community is quite active.

I am currently launching an automated task that is by environment generating a log file giving me the difference between my objects in DB and my objects in my indexation.

The file is composed as it is written below:

**TYPE = INDEX_COUNT ; DB_COUNT
CATMpgReference = 26357 ; 374819
VPMReference = 26210 ; 345331**

By environment and type, I want to be able to have a line chart visualization of:

  • DB_COUNT time evolution,
  • DB_COUNT, INDEX_COUNT difference time evolution,
  • DB_COUNT, INDEX_COUNT difference current status,

I used the 

 rex field=_raw
 "(?<vtype>.*)\s=\s(?<vindex>.*)\s;\s(?<vmql>.*)"
 | dedup vtype

syntax to isolate the data, but I am unable to pass the visualization step.

Any help please?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tiagofbmm
Influencer
‎02-26-2019 08:02 AM

Use Chart and then trellis splitted by TYPE like I show below

| makeresults
| eval TYPE="CATMpgReference", "INDEX_COUNT"=26357, DB_COUNT=374819, _time=relative_time(now(),"-1d") 
| append [ | makeresults
| eval TYPE="VPMReference", "INDEX_COUNT"=222, DB_COUNT=123123, _time=relative_time(now(),"-2d") ]
| append [ | makeresults
| eval TYPE="CATMpgReference", "INDEX_COUNT"=12312, DB_COUNT=3123, _time=relative_time(now(),"-3d") ]
| append [ | makeresults
| eval TYPE="VPMReference", "INDEX_COUNT"=654, DB_COUNT=33, _time=relative_time(now(),"-4d") ]
| append [ | makeresults
| eval TYPE="VPMReference", "INDEX_COUNT"=67, COUNT=231231, _time=relative_time(now(),"-5d") ]
| append [ | makeresults
| eval TYPE="CATMpgReference", "INDEX_COUNT"=88, DB_COUNT=1555, _time=relative_time(now(),"-6d") ]
| append [ | makeresults
| eval TYPE="VPMReference", "INDEX_COUNT"=4574567, DB_COUNT=2452345, _time=relative_time(now(),"-7d") ]
| append [ | makeresults
| eval TYPE="VPMReference", "INDEX_COUNT"=222, DB_COUNT=123123, _time=relative_time(now(),"-22d") ]
| append [ | makeresults
| eval TYPE="CATMpgReference", "INDEX_COUNT"=12312, DB_COUNT=3123, _time=relative_time(now(),"-23d") ]
| append [ | makeresults
| eval TYPE="VPMReference", "INDEX_COUNT"=654, DB_COUNT=33, _time=relative_time(now(),"-24d") ]
| append [ | makeresults
| eval TYPE="VPMReference", "INDEX_COUNT"=67, COUNT=231231, _time=relative_time(now(),"-25d") ]
| append [ | makeresults
| eval TYPE="CATMpgReference", "INDEX_COUNT"=88, DB_COUNT=1555, _time=relative_time(now(),"-26d") ]
| append [ | makeresults
| eval TYPE="VPMReference", "INDEX_COUNT"=4574567, DB_COUNT=2452345, _time=relative_time(now(),"-27d") ]
| chart values(INDEX_COUNT) as INDEX_COUNT, values(DB_COUNT) as DB_COUNT by _time, TYPE

alt text

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

tiagofbmm
Influencer
‎02-26-2019 08:02 AM

Use Chart and then trellis splitted by TYPE like I show below

| makeresults
| eval TYPE="CATMpgReference", "INDEX_COUNT"=26357, DB_COUNT=374819, _time=relative_time(now(),"-1d") 
| append [ | makeresults
| eval TYPE="VPMReference", "INDEX_COUNT"=222, DB_COUNT=123123, _time=relative_time(now(),"-2d") ]
| append [ | makeresults
| eval TYPE="CATMpgReference", "INDEX_COUNT"=12312, DB_COUNT=3123, _time=relative_time(now(),"-3d") ]
| append [ | makeresults
| eval TYPE="VPMReference", "INDEX_COUNT"=654, DB_COUNT=33, _time=relative_time(now(),"-4d") ]
| append [ | makeresults
| eval TYPE="VPMReference", "INDEX_COUNT"=67, COUNT=231231, _time=relative_time(now(),"-5d") ]
| append [ | makeresults
| eval TYPE="CATMpgReference", "INDEX_COUNT"=88, DB_COUNT=1555, _time=relative_time(now(),"-6d") ]
| append [ | makeresults
| eval TYPE="VPMReference", "INDEX_COUNT"=4574567, DB_COUNT=2452345, _time=relative_time(now(),"-7d") ]
| append [ | makeresults
| eval TYPE="VPMReference", "INDEX_COUNT"=222, DB_COUNT=123123, _time=relative_time(now(),"-22d") ]
| append [ | makeresults
| eval TYPE="CATMpgReference", "INDEX_COUNT"=12312, DB_COUNT=3123, _time=relative_time(now(),"-23d") ]
| append [ | makeresults
| eval TYPE="VPMReference", "INDEX_COUNT"=654, DB_COUNT=33, _time=relative_time(now(),"-24d") ]
| append [ | makeresults
| eval TYPE="VPMReference", "INDEX_COUNT"=67, COUNT=231231, _time=relative_time(now(),"-25d") ]
| append [ | makeresults
| eval TYPE="CATMpgReference", "INDEX_COUNT"=88, DB_COUNT=1555, _time=relative_time(now(),"-26d") ]
| append [ | makeresults
| eval TYPE="VPMReference", "INDEX_COUNT"=4574567, DB_COUNT=2452345, _time=relative_time(now(),"-27d") ]
| chart values(INDEX_COUNT) as INDEX_COUNT, values(DB_COUNT) as DB_COUNT by _time, TYPE

alt text

0 Karma
Reply
Solved! Jump to solution

benji00
New Member
‎03-01-2019 04:56 AM

Hello,
Thanks for you feedback and sorry for my no-answer.
Your request is not so clear to me.

Each morning I am running a DB script which will generate a log file containing in txt format, following information:
TYPE;INDEX_COUNT;DB_COUNT
Each day and for each type of course the counts will change.
I want to be able to track the count evolution by type and by time.
But I don't want to fill in myself the figures in a query as shown above. I want a Splunk query able to extract those figures by itself.

Thanks,Hello,
Thanks very much for your answer and sorry but I tried to understand it and finally was worried by another topics.
Anyway, what I don't understand in your answer is that the values are, let's say, hardcoded.

From my side, each morning I will run a DB query which will generate a log file. This log file will contain the sample explained below:
TYPE = INDEX_COUNT ; DB_COUNT
CATMpgReference = 26357 ; 374819
VPMReference = 26210 ; 345331

But those values will change each day and my objective is to generate directly a chart showing this evolution, but without filling myself the values in a query as given above. I will try it again.
Thanks

0 Karma
Reply
Solved! Jump to solution

tiagofbmm
Influencer
‎03-01-2019 03:09 AM

@benji00 please accept an answer if it solved/helped it and upvote it. Otherwise let us know how can we help further

0 Karma
Reply
Solved! Jump to solution

benji00
New Member
‎03-01-2019 04:57 AM

Hello,
Thanks for you feedback and sorry for my no-answer.
Your request is not so clear to me.

Each morning I am running a DB script which will generate a log file containing in txt format, following information:
TYPE;INDEX_COUNT;DB_COUNT
Each day and for each type of course the counts will change.
I want to be able to track the count evolution by type and by time.
But I don't want to fill in myself the figures in a query as shown above. I want a Splunk query able to extract those figures by itself.

Thanks

0 Karma
Reply
Solved! Jump to solution

tiagofbmm
Influencer
‎03-01-2019 05:28 AM

The query below is a mock up because nobody has access to your data. It builds your data and then adds the statistics I believe is what you wanted there

0 Karma
Reply
Solved! Jump to solution

benji00
New Member
‎03-01-2019 05:02 AM

@tiagofbmm: Finally i succeeded to do this yesterday:
rex field=_raw "(?.)\s=\s(?.)\s;\s(?.*)" | timechart eval(sum(vmql)-sum(vindex)) by vtype

It is quite good but now I would like to add a filter in my query to say:
if
sum(vmql)-sum(vindex) >= 0
then
don't show the results

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

&#x1f342; Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...