Splunk Search

How to generate output/report from unstructured log records in splunk

RS
Engager

Hi,

I have following log data that are in splunk. Below is example data taken from splunk:

2024-02-04T00:15:15.209Z [jfrt ] [INFO ] [64920151065ecdd9] [.s.b.i.GarbageCollectorInfo:81] [cdd9|art-exec-153205] - Storage TRASH_AND_BINARIES garbage collector report:
Total execution time:    15.25 minutes
Candidates for deletion: 4,960
Checksums deleted:       4,582
Binaries deleted:        4,582
host = hostname.com index = XXXXXX1 source = artifactory-service sourcetype = artifactory-service

How can I display a trend/timechart of "Total execution time" using a Splunk query, grouped by timestamp and host name, for the Storage TRASH_AND_BINARIES garbage collector report?

I appreciate any help.

Thanks

Rahul


0 Karma

Rahul-Sri
New Member

Hi, the above query in my dashboard is displaying large numbers. I want to convert those to a shorter number with "million" appended to it. For example, if the value shows 600,0000 then the result should display 6mil. How can I achieve this? I tried using -->

| eval status=case(like(status, "2%"),"200|201",like(status, "5%"),"503")|timechart span=1d@d usenull=false useother=f count(status) by status|fieldformat count = count/1000000

But this does not work.

Any help is appreciated.

0 Karma

gcusello
SplunkTrust

Hi @Rahul-Sri ,

this is another question, and it's always better to open a new case, even if this is the following step to your request; in this way you'll surely have faster and probably better answers.

Anyway, the approach is to use the eval command, not format, and round the number:

| eval count=round(count/1000000,2)."M"

please accept one answer for the other people of the Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉


0 Karma

Rahul-Sri
New Member

Hi,

Thanks for quick response. I have tried both the options below:

Option-1

| eval status=case(like(status, "2%"),"200|201",like(status, "5%"),"503")|timechart span=1d@d usenull=false useother=f count(status) by status|eval status=round(status/1000000,2)."M"

Option-2

| eval status = if(match(status, "20/[0-1]/"), "success(200 and 201)",status)| eval status=case(like(status, "2%"),"200|201",like(status, "5%"),"503")|timechart span=1d@d usenull=false useother=f count(status) by status|eval count=round(count/1000000,2)."M"

But in my graph I don't see any difference. I still see the large number instead of the shortened number with M appended.

Below is the output

This is the output, which still shows the large number.

0 Karma

gcusello
SplunkTrust

Hi @Rahul-Sri ,

my solution is only for a table, because it transforms the number into a string.

if you have to display the result in a graph, you can divide by 1000000 and indicate in the subtitle that the numbers are millions, or use a logarithmic scale in the graph.

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust

Hi @RS ,

I suppose that the total execution time is always displayed in minutes; otherwise you have to convert it based on the format. So, please try something like this:

index = XXXXXX1 host = hostname.com  source = artifactory-service sourcetype = artifactory-service "Storage TRASH_AND_BINARIES garbage collector report"
| rex "Total\s+execution\s+time:\s+(?<minutes>\d+)\.(?<seconds>\d+)"
| eval Total_execution_time=minutes*60+seconds
| timechart sum(Total_execution_time) AS Total_execution_time BY host

Ciao.

Giuseppe

0 Karma
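As an added example (not code from the thread, and not Splunk's own), the following Python script does offline what the search above does in Splunk: it extracts the "Total execution time" from the multi-line garbage collector report, filters on the storage name, and sums the seconds per day and host the way `timechart span=1d sum(...) BY host` would. It treats the value as a decimal number of minutes (so "15.25 minutes" is 915 seconds) and also accepts seconds, hours and ms, which covers the "otherwise you have to convert it based on the format" case. The `millions_label` helper at the end is the later point in the thread: it returns a string, which is fine for a table but cannot feed a chart axis. The sample events, the second host name `host2.example.com`, the `FULL` storage name and the helper names are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone


def make_event(ts, storage, duration_text):
    """Build one multi-line GC report event in the format shown in the question (constructed data)."""
    return (
        f"{ts} [jfrt ] [INFO ] [64920151065ecdd9] [.s.b.i.GarbageCollectorInfo:81] "
        f"[cdd9|art-exec-153205] - Storage {storage} garbage collector report:\n"
        f"Total execution time:    {duration_text}\n"
        "Candidates for deletion: 4,960\n"
        "Checksums deleted:       4,582\n"
        "Binaries deleted:        4,582"
    )


# Constructed sample: (host, raw event text) pairs as Splunk would store them.
SAMPLE_EVENTS = [
    ("hostname.com", make_event("2024-02-04T00:15:15.209Z", "TRASH_AND_BINARIES", "15.25 minutes")),
    ("hostname.com", make_event("2024-02-04T12:15:15.209Z", "TRASH_AND_BINARIES", "4.5 minutes")),
    ("host2.example.com", make_event("2024-02-04T00:15:15.209Z", "TRASH_AND_BINARIES", "90 seconds")),
    ("host2.example.com", make_event("2024-02-05T00:15:15.209Z", "TRASH_AND_BINARIES", "1.5 hours")),
    ("host2.example.com", make_event("2024-02-05T01:00:00.000Z", "FULL", "2 minutes")),  # other storage, filtered out
    ("hostname.com", "2024-02-05T02:00:00.000Z [jfrt ] [INFO ] unrelated event"),          # not a GC report
]

# First line of the event: timestamp and the storage the report is about.
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z).*?Storage (?P<storage>\S+) garbage collector report:",
    re.MULTILINE,
)
# Same field the thread's rex targets, but keeping the decimal value and the unit word.
DURATION_RE = re.compile(
    r"Total\s+execution\s+time:\s+(?P<value>[\d,]*\.?\d+)\s*(?P<unit>ms|seconds?|minutes?|hours?)\b"
)
COUNT_RE = re.compile(
    r"^(?P<name>Candidates for deletion|Checksums deleted|Binaries deleted):\s+(?P<n>[\d,]+)",
    re.MULTILINE,
)
UNIT_SECONDS = {"ms": 0.001, "second": 1.0, "minute": 60.0, "hour": 3600.0}


def duration_to_seconds(value, unit):
    """Convert '15.25' + 'minutes' (or seconds/hours/ms) to a float number of seconds."""
    key = "ms" if unit == "ms" else unit.rstrip("s")
    return float(value.replace(",", "")) * UNIT_SECONDS[key]


def parse_report(text):
    """Return the structured fields of one GC report event, or None if the event is not a report."""
    header = HEADER_RE.search(text)
    duration = DURATION_RE.search(text)
    if not header or not duration:
        return None
    fields = {
        "timestamp": datetime.strptime(header["ts"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc),
        "storage": header["storage"],
        "total_execution_seconds": duration_to_seconds(duration["value"], duration["unit"]),
    }
    for m in COUNT_RE.finditer(text):
        fields[m["name"].lower().replace(" ", "_")] = int(m["n"].replace(",", ""))
    return fields


def timechart_sum(events, storage="TRASH_AND_BINARIES"):
    """Mimic `timechart span=1d sum(Total_execution_time) BY host`: {(YYYY-MM-DD, host): seconds}."""
    buckets = defaultdict(float)
    for host, raw in events:
        report = parse_report(raw)
        if report is None or report["storage"] != storage:
            continue
        day = report["timestamp"].strftime("%Y-%m-%d")
        buckets[(day, host)] += report["total_execution_seconds"]
    return dict(buckets)


def millions_label(n, digits=2):
    """Table-only rendering of a count, e.g. 6000000 -> '6.0M'. Returns a string, so a chart cannot plot it."""
    return f"{round(n / 1_000_000, digits)}M"


if __name__ == "__main__":
    for (day, host), secs in sorted(timechart_sum(SAMPLE_EVENTS).items()):
        print(f"{day}  {host:<20} {secs:>8.1f} s  ({secs / 60:.2f} min)")
```

Running the script prints one row per day and host with the summed seconds, which is the same shape as the timechart's result table; the `FULL` report and the unrelated event are dropped, matching the quoted-string filter in the search.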

RS
Engager

Thanks @gcusello. The given query helped me produce the required timechart.

0 Karma

gcusello
SplunkTrust

Hi @RS,

good for you, see next time!

let me know if I can help you more, or please accept one answer for the other people of the Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma