Solved: problem with lab 9 in fundamentals 1

judoal · ‎04-09-2018

Task 6, #24 asks to "use the stats command average function to find the average time for each database query being run." I've gone through all the preliminary labs without much issue. However for this on, the answer in the lab for this problem is:

  index=main sourcetype=db_audit | stats avg(Duration) as "time to complete" by Command

However, when I run this in my environment (time set to 'all time'), no results are returned. The lab notes indicate that a table should be returned with one column for avg(Duration) and the value below it.

Any suggestions about this problem? Thanks

judoal · ‎04-11-2018

Problem solved. Apparently the sourcetype that I thought had been added was not added properly, even though it was in the sourcetypes list. I deleted the one that was there and added it again. This time the search commands worked for this sourcetype.

View solution in original post

judoal · ‎04-16-2018

I fixed this and commented on it in the thread. But thanks for your reply

niketn · ‎04-16-2018

As per the response from Splunk Education team

"This is data that is downloaded and ingested during the module for lab 4. It is not tied to the DB Connect app. It is a standard Database Audit log output from a Postgres database"

So in case Lab 9 is Task 6 does not work, go back to Lab 4.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

judoal · ‎04-11-2018

Problem solved. Apparently the sourcetype that I thought had been added was not added properly, even though it was in the sourcetypes list. I deleted the one that was there and added it again. This time the search commands worked for this sourcetype.

skoelpin · ‎04-10-2018

Fields are case sensitive so make sure your fields are not capitalized

niketn · ‎04-09-2018

@judoal db_audit seems to be index related with DB Connect app. Refer to previous Splunk Answers question on same issue. You should reach out to education_amer@splunk.com to report that steps for this lab exercise seems incomplete.

Meanwhile if you want to practice average command you can try Splunk's internal indexes like _audit I have used below. Or maybe use Splunk tutorial data based example for avg() statistical function, documented on Splunk Docs.

index="_audit" action=search total_run_time=* savedsearch_name!=""
| stats count max(total_run_time) as maxRunTime min(total_run_time) as minRunTime avg(total_run_time) as avgRunTime by savedsearch_name
| eval avgRunTime=round(avgRunTime,2)

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

p_gurav · ‎04-09-2018

Is the event containDuration field in you environment logs?

mayurr98 · ‎04-09-2018

Well, check the syntax and run the query step by step.
Try running
1) index=main sourcetype=db_audit and see if you are getting events.
2) If yes, then look for Duration and Command field.If No, then look for a correct field for the statistical operation.
3) If you can see one of the fields then try index=main sourcetype=db_audit Command=* and look for the Duration field or vice-versa.

Make sure you run all the above queries in verbose mode in order to troubleshoot.
let me know if this helps!

problem with lab 9 in fundamentals 1

Good Sourcetype Naming

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Splunk App for Anomaly Detection End of Life Announcement

Are you a member of the Splunk Community?

problem with lab 9 in fundamentals 1

Good Sourcetype Naming

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Splunk App for Anomaly Detection End of Life Announcement