Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can you help me with the following query?

vrmandadi
Builder
‎02-25-2019 12:28 PM

Hello,

I am trying to calculate the RTT time of a host where the IP is in a different source, and the rtt time is in different source. The common field is a field extraction I have done, which is called ID

Source1 -Has hexa ip

index=abc sourcetype=xyz source=*back* *0x*
| rex "(?i)0x(?<d1>[0-9A-F]{2})(?<d2>[0-9A-F]{2})(?<d3>[0-9A-F]{2})(?<d4>[0-9A-F]{2})" 
| eval ip=tostring(tonumber(d1,16))+"."+tostring(tonumber(d2,16))+"."+tostring(tonumber(d3,16))+"."+tostring(tonumber(d4,16)) 
| rex field=_raw "\.\"\d.\d.\d{2}.\d.\d.\d.\d.\d{1,2}.\d{10}.(?<ID>[^.]+)"

Source2- has RTT time which is an extracted field

index=msad sourcetype=snmp source=*MAX* 
| rex field=_raw "\.\"\d.\d.\d{2}.\d.\d.\d.\d.\d{1,2}.\d{10}.(?<ID>[^.]+)"

Sample event source1

SNMPv2-SMI::enterprises."9.9.42.1.3.2.1.8.2135576845.1109857196.1.1" = "0x0a160205"

Sample event source2

SNMPv2-SMI::enterprises."9.9.42.1.3.1.1.11.2020016708.1109857176.1.1.1" = "177"

The common field is the ID in the above event. The value is 1109857196. I want to get the RTT time ,IP and ID field in a table by combining these two sources, whose index and sourcetype are the same.

Thanks,

Vineeth

0 Karma
Reply

Vijeta
Influencer
‎02-25-2019 06:42 PM 
index=abc sourcetype=snmp ((source=*back* *0x* ) OR source=*MAX*)
 | rex field=_raw "\.\"\d.\d.\d{2}.\d.\d.\d.\d.\d{1,2}.\d{10}.(?<ID>[^.]+)"
 | rex "(?i)0x(?<d1>[0-9A-F]{2})(?<d2>[0-9A-F]{2})(?<d3>[0-9A-F]{2})(?<d4>[0-9A-F]{2})" 
 | eval ip=tostring(tonumber(d1,16))+"."+tostring(tonumber(d2,16))+"."+tostring(tonumber(d3,16))+"."+tostring(tonumber(d4,16)) 

 | stats values(ip) as ip values(RTT) as RTT by ID
0 Karma
Reply

somesoni2
Revered Legend
‎02-25-2019 12:46 PM

Give this a try

(index=abc sourcetype=xyz source=*back* *0x*) OR (index=msad sourcetype=snmp source=*MAX*)
| rex field=_raw "\.\"\d.\d.\d{2}.\d.\d.\d.\d.\d{1,2}.\d{10}.(?<ID>[^.]+)"
| rex "(?i)0x(?<d1>[0-9A-F]{2})(?<d2>[0-9A-F]{2})(?<d3>[0-9A-F]{2})(?<d4>[0-9A-F]{2})" 
| eval ip=tostring(tonumber(d1,16))+"."+tostring(tonumber(d2,16))+"."+tostring(tonumber(d3,16))+"."+tostring(tonumber(d4,16)) 
| rex field=_raw "\"(?<RTT>[^\"]+)\"$"
| stats values(ip) as ip values(RTT) as RTT by ID
0 Karma
Reply

vrmandadi
Builder
‎02-25-2019 02:16 PM

Hello @somesoni2

I tried your query but the RTT field is showing blank .Just a small change both the sourcetypes are same but sources are different

0 Karma
Reply

somesoni2
Revered Legend
‎02-25-2019 02:21 PM

In your sample event 2, I'm taking "177" as RTT (which I'm assuming comes at end of the raw data). If that is not correct the you'd have to update the regex (2nd last line) for RTT.

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...