I have a requirement to find the error codes and their occurrence windows for a given day, printed in a table format. For example: I was looking for an error code "Z901" in my Splunk logs for a given day, and I would like to know how many occurrences of this error, i.e. Z901, were seen on that day.
Sample output I am looking for:
Day         Error_Code  Occurrences  Duration
08-06-2019  Z901        3            00:02:00 - 01:04:05
                                     07:00:00 - 07:24:45
                                     23:45:00 - 23:55:00
I need the output in the above format - can anyone please help me get the above format? From the above format I can clearly see that Z901 errors occurred on the day "08-06-2019" 3 times, i.e. in the time windows 00:02:00-01:04:05, 07:00:00-07:24:45 and 23:45:00-23:55:00.
I tried using earliest and latest times but I get the output as 00:02:00 - 23:55:00 for the whole day. I need help to print it in the above format.
I'm sorry I'm not giving the exact solution you need, but I think this will help to gather the information that you need. Instead of a single query, we'll write a dashboard having two panels; see the XML code for that part of the dashboard. And I think charts are visually more helpful than tables.
What we are trying to achieve with this is one panel showing data per day, so from this chart the user will have an idea of the occurrence of errors on any day. If the user clicks on the chart, the second panel will show data for that particular day, so the user can visualize the time windows 00:02:00-01:04:05, 07:00:00-07:24:45 and 23:45:00-23:55:00 from that chart.
Panel 1: <your base query> | timechart span=1d count. For the time range of this query, use the time range picker added above.
Panel 2: <your base query> | timechart count. For the time range, give the time range tokens: for earliest give the token earliest and for latest give the token
Your base query has all of the data searching part, including the filtering for error code Z901.
Hope this helps!!!
Hi Vastal... thanks for the efforts. Basically I was trying to prepare a query or dashboard to give a tabular view of the data in the format shown... I would like the occurrences of the error code and their time windows for each day :( Using earliest and latest gives me only one window for that day.
Yeah... I have used something like this:
<< my search query >> | bin _time span=1s | eval Day=strftime(_time,"%d-%b-%y") | stats min(_time) as first_occurrence max(_time) as last_occurrence by Day,Error_Code | eval Window=strftime(first_occurrence,"%H:%M:%S") . " - " . strftime(last_occurrence,"%H:%M:%S") | table Day,Error_Code,Window
But still, the above one is giving me the first and last occurrence of the error code in a day, which is similar to using earliest(_time) and latest(_time)...
Fingers crossed!!! No more thoughts on how to crack my requirement; it's getting over my head 😞
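Here is an added example (not from the thread) of how the per-day windows asked for above can be built in SPL: it sorts events ascending, marks a new window whenever the gap since the previous event of the same error code exceeds 300 seconds, numbers the windows with a running sum, collapses each window to its start and end, and then groups by day. It assumes your events carry an extracted Error_Code field and that 5 minutes is the right idle gap between windows; both are assumptions, not something from the question.

```spl
<your base query> Error_Code=Z901
| sort 0 _time
| streamstats current=f last(_time) as prev_time by Error_Code
| eval gap=_time - prev_time
| eval new_window=if(isnull(prev_time) OR gap > 300, 1, 0)
| streamstats sum(new_window) as window_id by Error_Code
| stats min(_time) as window_start max(_time) as window_end by Error_Code, window_id
| eval Day=strftime(window_start, "%d-%m-%Y")
| eval Duration=strftime(window_start, "%H:%M:%S") . " - " . strftime(window_end, "%H:%M:%S")
| stats count as Occurrences list(Duration) as Duration by Day, Error_Code
| table Day, Error_Code, Occurrences, Duration
```

The sort is required because Splunk returns events newest first and streamstats only sees the previous row; the 300-second threshold is the one value to tune if bursts of the same error are separated by longer quiet periods.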