Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Require help to create query for table

Mrig342
Contributor
‎02-03-2021 03:47 AM

Hi All,

I have the below types of logs in in two different hosts in my index:

HOST= abc

log1: Tue Feb 2 19:07:26 EST 2021 Host Id :19804 Host Name : abcd Host Status : Running App Id :3403927 Label Name : com.abc.mx.xyz Synchronization : In Sync State : Running Number of template version : 48

log2: Tue Feb 2 19:07:26 EST 2021 Host Id :19804 Host Name : wxyz Host Status : Running App Id :27736 Label Name : com.abcde.abcdefgh Synchronization : Out of Sync State : Running Number of template version : 1

HOST= xyz

log1: 2021-02-03 02:12:49.896, APP_NAME="com.abc.mx.xyz", APP_TEMP_NAME="com.abc.mx.xyz-1", APP_TEMP_VER="1.1.5", LASTDEPLOYED="2019-09-24 13:38:05.047", ENV_NAME="ABCEnvironment_MY"

log2: 2021-02-03 02:12:49.896, APP_NAME="com.abcde.abcdefgh", APP_TEMP_NAME="com.abcde.abcdefgh", APP_TEMP_VER="3.1.0.20201126030342320", LASTDEPLOYED="2020-11-27 13:01:49.959", ENV_NAME="ABCEnvironment_AU"

Here want to create a table as below with fields from both the hosts:

App_Name                          Sync_State          Last_Deployed                             Temp_Version

com.abc.mx.xyz                 In Sync                   2019-09-24 13:38:05.047        1.1.5

com.abcde.abcdefgh       Out of Sync          2020-11-27 13:01:49.959         3.1.0.20201126030342320

and so on..

Using the below query I am able to get the table:

index=main host IN(abc,xyz)
| rex field=_raw "(?ms)Host\s+Name\s:\s(?<Host_Name>\w+)"
| rex field=_raw "(?ms)Label\s+Name\s:\s(?<App_Name>\w+\S+)"
| rex field=_raw "(?ms)APP_NAME=\"(?P<App_Name>[^\"]+)"
| rex field=_raw "(?ms)Synchronization\s:\s(?<Sync_State>[\w\s]+Sync)\sState"
| rex field=_raw "(?ms)LASTDEPLOYED=\"(?P<Last_Deployed>[^\"]+)"
| rex field=_raw "(?ms)APP_TEMP_VER=\"(?P<Temp_Version>[^\"]+)"
| stats values(Sync_State) as Sync_State latest(Last_Deployed) as Last_Deployed latest(Temp_Version) as Temp_Version by App_Name
| mvexpand Sync_State
| table App_Name,Sync_State,Last_Deployed,Temp_Version

 

However when I try to minimize the search to a particular environment using the below query the "Sync_State" field goes blank.

index=main host IN(abc,xyz)
| rex field=_raw "(?ms)Host\s+Name\s:\s(?<Host_Name>\w+)"
| rex field=_raw "(?ms)Label\s+Name\s:\s(?<App_Name>\w+\S+)"
| rex field=_raw "(?ms)APP_NAME=\"(?P<App_Name>[^\"]+)"
| rex field=_raw "(?ms)Synchronization\s:\s(?<Sync_State>[\w\s]+Sync)\sState"
| rex field=_raw "(?ms)LASTDEPLOYED=\"(?P<Last_Deployed>[^\"]+)"
| rex field=_raw "(?ms)APP_TEMP_VER=\"(?P<Temp_Version>[^\"]+)"
| rex field=_raw "(?ms)ENV_NAME=\"(?P<ENV_NAME>[^\"]+)"
| search ENV_NAME=BPMEnvironment_SG
| stats values(Sync_State) as Sync_State latest(Last_Deployed) as Last_Deployed latest(Temp_Version) as Temp_Version by App_Name
| mvexpand Sync_State
| table App_Name,Sync_State,Last_Deployed,Temp_Version

Can someone please help me edit the query to fulfill my expectation..

Labels (1)
Labels
0 Karma
Reply

manjunathmeti
Champion
‎02-03-2021 04:24 AM

hi @Mrig342 ,


Fields ENV_NAME and Sync_State are not there in the same log (OR same row after extracting fields).  So when you filter results on the field ENV_NAME, the field Sync_State is gone. Just run without stats command and check.

index=main host IN(abc,xyz)
| rex field=_raw "(?ms)Host\s+Name\s:\s(?<Host_Name>\w+)"
| rex field=_raw "(?ms)Label\s+Name\s:\s(?<App_Name>\w+\S+)"
| rex field=_raw "(?ms)APP_NAME=\"(?P<App_Name>[^\"]+)"
| rex field=_raw "(?ms)Synchronization\s:\s(?<Sync_State>[\w\s]+Sync)\sState"
| rex field=_raw "(?ms)LASTDEPLOYED=\"(?P<Last_Deployed>[^\"]+)"
| rex field=_raw "(?ms)APP_TEMP_VER=\"(?P<Temp_Version>[^\"]+)"
| rex field=_raw "(?ms)ENV_NAME=\"(?P<ENV_NAME>[^\"]+)"
| search ENV_NAME=BPMEnvironment_SG

So, you need to filter the field ENV_NAME after the stats command.

index=main host IN(abc,xyz)
| rex field=_raw "(?ms)Host\s+Name\s:\s(?<Host_Name>\w+)"
| rex field=_raw "(?ms)Label\s+Name\s:\s(?<App_Name>\w+\S+)"
| rex field=_raw "(?ms)APP_NAME=\"(?P<App_Name>[^\"]+)"
| rex field=_raw "(?ms)Synchronization\s:\s(?<Sync_State>[\w\s]+Sync)\sState"
| rex field=_raw "(?ms)LASTDEPLOYED=\"(?P<Last_Deployed>[^\"]+)"
| rex field=_raw "(?ms)APP_TEMP_VER=\"(?P<Temp_Version>[^\"]+)"
| rex field=_raw "(?ms)ENV_NAME=\"(?P<ENV_NAME>[^\"]+)" 
| fields App_Name, Sync_State, Last_Deployed, Temp_Version, ENV_NAME
| stats latest(*) as * by App_Name 
| search ENV_NAME= ABCEnvironment_MY
| table App_Name, Sync_State,Last_Deployed, Temp_Version

 

If this reply helps you, an upvote/like would be appreciated.

0 Karma
Reply

Mrig342
Contributor
‎02-03-2021 04:59 AM

Hi manjunathmeti,

Thank you for your response..!!

The query is working only for ENV_NAME=ABCEnvironment_MY. While for other environments such as ABCEnvironment_SG,ABCEnvironment_CN,ABCEnvironment_AU etc it shows as no results found.

Please suggest on this..

 

Thank you.

0 Karma
Reply

manjunathmeti
Champion
‎02-03-2021 05:05 AM

Remove | search ENV_NAME="ABCEnvironment_MY" from search query see ifENV_NAME contains other values.

0 Karma
Reply

Mrig342
Contributor
‎02-03-2021 05:10 AM

Yes manjunathmeti,

After removing | search ENV_NAME= ABCEnvironment_MY, I can see the values in ENV_NAME field.

Please suggest.

0 Karma
Reply

manjunathmeti
Champion
‎02-03-2021 05:38 AM

It is working with the sample data you provided, check this query:

| makeresults 
| eval _raw="_raw
Tue Feb 2 19:07:26 EST 2021 Host Id :19804 Host Name : abcd Host Status : Running App Id :3403927 Label Name : com.abc.mx.xyz Synchronization : In Sync State : Running Number of template version : 48
Tue Feb 2 19:07:26 EST 2021 Host Id :19804 Host Name : wxyz Host Status : Running App Id :27736 Label Name : com.abcde.abcdefgh Synchronization : Out of Sync State : Running Number of template version : 1
2021-02-03 02:12:49.896, APP_NAME=\"com.abc.mx.xyz\", APP_TEMP_NAME=\"com.abc.mx.xyz-1\", APP_TEMP_VER=\"1.1.5\", LASTDEPLOYED=\"2019-09-24 13:38:05.047\", ENV_NAME=\"ABCEnvironment_MY\"
2021-02-03 02:12:49.896, APP_NAME=\"com.abcde.abcdefgh\", APP_TEMP_NAME=\"com.abcde.abcdefgh\", APP_TEMP_VER=\"3.1.0.20201126030342320\", LASTDEPLOYED=\"2020-11-27 13:01:49.959\", ENV_NAME=\"ABCEnvironment_AU\"" 
| multikv forceheader=1 
| rex field=_raw "(?ms)Host\s+Name\s:\s(?<Host_Name>\w+)"
| rex field=_raw "(?ms)Label\s+Name\s:\s(?<App_Name>\w+\S+)"
| rex field=_raw "(?ms)APP_NAME=\"(?P<App_Name>[^\"]+)"
| rex field=_raw "(?ms)Synchronization\s:\s(?<Sync_State>[\w\s]+Sync)\sState"
| rex field=_raw "(?ms)LASTDEPLOYED=\"(?P<Last_Deployed>[^\"]+)"
| rex field=_raw "(?ms)APP_TEMP_VER=\"(?P<Temp_Version>[^\"]+)"
| rex field=_raw "(?ms)ENV_NAME=\"(?P<ENV_NAME>[^\"]+)" 
| fields App_Name, Sync_State, Last_Deployed, Temp_Version, ENV_NAME
| stats latest(*) as * by App_Name 
| search ENV_NAME="ABCEnvironment_AU"
| table App_Name, Sync_State,Last_Deployed, Temp_Version, ENV_NAME
Reply

Mrig342
Contributor
‎02-03-2021 05:59 AM

Hi manjunathmeti,

The query works fine for the sample logs that I provided. However I will be having thousands of such logs and it's not possible to add all those logs in the search query with eval command.

Please help me in creating the query to meet my expectations.

Thank you.

NOTE: We have about 7 to 10 application in each environment. We are trying to create a table of the logs from the two hosts which will contain the App_Name,Sync_State,Last_Deployed and Temp_Version for each environment.

0 Karma
Reply

manjunathmeti
Champion
‎02-03-2021 06:10 AM

Then, the below query should work for you:

| rex field=_raw "(?ms)Host\s+Name\s:\s(?<Host_Name>\w+)"
| rex field=_raw "(?ms)Label\s+Name\s:\s(?<App_Name>\w+\S+)"
| rex field=_raw "(?ms)APP_NAME=\"(?P<App_Name>[^\"]+)"
| rex field=_raw "(?ms)Synchronization\s:\s(?<Sync_State>[\w\s]+Sync)\sState"
| rex field=_raw "(?ms)LASTDEPLOYED=\"(?P<Last_Deployed>[^\"]+)"
| rex field=_raw "(?ms)APP_TEMP_VER=\"(?P<Temp_Version>[^\"]+)"
| rex field=_raw "(?ms)ENV_NAME=\"(?P<ENV_NAME>[^\"]+)" 
| fields App_Name, Sync_State, Last_Deployed, Temp_Version, ENV_NAME
| stats values(*) as * by App_Name

 

0 Karma
Reply

Mrig342
Contributor
‎02-03-2021 06:58 AM

Thanks manjunathmeti..!!

But this query didn't work either. I am not getting the output as desired. 

Any other modification would be appreciated..!!

0 Karma
Reply

Mrig342
Contributor
‎02-03-2021 03:52 AM

One correction:

In the query use ABCEnvironment_MY instead of BPMEnvironment_SG

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...