All Posts
Did you mean that the response codes are all 200 but take more than 10 seconds? If so, what do you want to do if there are non-200 responses? Please clarify your requirement.
Hi All, I have fields called File1 and File2 and I combined them with coalesce. I put the result in the table, but the value is not showing in the table. If I use File1 directly, the value is showing. What is the issue? How do I check whether this is a null or something else?

|eval FileList=coalesce(File1,File2)
Would something like this work for you?

| table _time, OrderReference, TransactionReference, Type, Amount, Currency, OrderStatus
| stats latest(*) as * by OrderReference TransactionReference

Full run-anywhere example based on your events:

| makeresults format=json data="[{\"Level\":\"Information\",\"MessageTemplate\":\"Created a new transaction\",\"RenderedMessage\":\"Created a new transaction\",\"Properties\":{\"SourceContext\":\"ApiGateway.Controllers.OrdersController\",\"TransactionReference\":\"e4dfbba0-90cf-4e1d-9ca3-e661ace5fe1d\",\"TransactionType\":\"Transfer\",\"Amount\":901,\"Currency\":\"SEK\",\"ExecutionDate\":\"2023-11-15T14:32:00.0000000+02:00\",\"OrderReference\":\"289e272f-2677-409b-9576-f28b2763c658\",\"ActionId\":\"9a240462-d4c7-485e-a974-8229f2520c6c\",\"ActionName\":\"ApiGateway.Controllers.OrdersController.PostOrder (ApiGateway)\",\"RequestId\":\"0HN34CGT9KPCS:00000004\",\"RequestPath\":\"/orders\",\"ConnectionId\":\"0HN34CGT9KPCS\",\"EnvironmentName\":\"Development\"}}, {\"Level\":\"Information\",\"MessageTemplate\":\"Created a new transaction\",\"RenderedMessage\":\"Created a new transaction\",\"Properties\":{\"SourceContext\":\"ApiGateway.Controllers.OrdersController\",\"TransactionReference\":\"7ced831c-f8fd-41a2-88b1-6b564259539b\",\"TransactionType\":\"Transfer\",\"Amount\":567,\"Currency\":\"SEK\",\"ExecutionDate\":\"2023-11-15T14:32:00.0000000+02:00\",\"OrderReference\":\"289e272f-2677-409b-9576-f28b2763c658\",\"ActionId\":\"9a240462-d4c7-485e-a974-8229f2520c6c\",\"ActionName\":\"ApiGateway.Controllers.OrdersController.PostOrder (ApiGateway)\",\"RequestId\":\"0HN34CGT9KPCS:00000004\",\"RequestPath\":\"/orders\",\"ConnectionId\":\"0HN34CGT9KPCS\",\"EnvironmentName\":\"Development\"}}, {\"Level\":\"Information\",\"MessageTemplate\":\"Created a new transaction\",\"RenderedMessage\":\"Created a new transaction\",\"Properties\":{\"SourceContext\":\"ApiGateway.Controllers.OrdersController\",\"TransactionReference\":\"9f7742e7-0350-420a-9f6b-79d7bd024bc5\",\"TransactionType\":\"Transfer\",\"Amount\":234,\"Currency\":\"SEK\",\"ExecutionDate\":\"2023-11-15T14:32:00.0000000+02:00\",\"OrderReference\":\"289e272f-2677-409b-9576-f28b2763c658\",\"ActionId\":\"9a240462-d4c7-485e-a974-8229f2520c6c\",\"ActionName\":\"ApiGateway.Controllers.OrdersController.PostOrder (ApiGateway)\",\"RequestId\":\"0HN34CGT9KPCS:00000004\",\"RequestPath\":\"/orders\",\"ConnectionId\":\"0HN34CGT9KPCS\",\"EnvironmentName\":\"Development\"}}, {\"Level\":\"Information\",\"MessageTemplate\":\"Publishing transaction status\",\"RenderedMessage\":\"Publishing transaction status\",\"Properties\":{\"SourceContext\":\"ApiGateway.Services.StatusUpdateService\",\"Debtor\":\"CommonTypeLibrary.DomainModel.AccountHolder\",\"Creditor\":\"CommonTypeLibrary.DomainModel.AccountHolder\",\"Prefunding\":null,\"Type\":\"Transfer\",\"PaymentProcessType\":\"Internal\",\"TransactionReference\":\"9f7742e7-0350-420a-9f6b-79d7bd024bc5\",\"Suti\":\"CommonTypeLibrary.DomainModel.Suti\",\"ExecutionDate\":\"CommonTypeLibrary.DomainModel.ExecutionDate\",\"Amount\":\"SEK234.00\",\"ResponsibleLedger\":\"CommonTypeLibrary.DomainModel.Ledger\",\"RemittanceInformation\":\"None\",\"OriginalTransactionReference\":\"None\",\"SuppressedStatuses\":[],\"TransactionStatus\":\"Complete\",\"Messages\":null,\"OrderReference\":\"289e272f-2677-409b-9576-f28b2763c658\",\"TransactionIdentifier\":\"9f7742e7-0350-420a-9f6b-79d7bd024bc5\",\"JobType\":\"TransactionStatusUpdateTask\",\"JobRetries\":0,\"ProcessInstanceId\":2251799813733043,\"EnvironmentName\":\"Development\"}}, {\"Level\":\"Information\",\"MessageTemplate\":\"Publishing transaction status\",\"RenderedMessage\":\"Publishing transaction status\",\"Properties\":{\"SourceContext\":\"ApiGateway.Services.StatusUpdateService\",\"Debtor\":\"CommonTypeLibrary.DomainModel.AccountHolder\",\"Creditor\":\"CommonTypeLibrary.DomainModel.AccountHolder\",\"Prefunding\":null,\"Type\":\"Transfer\",\"PaymentProcessType\":\"Internal\",\"TransactionReference\":\"e4dfbba0-90cf-4e1d-9ca3-e661ace5fe1d\",\"Suti\":\"CommonTypeLibrary.DomainModel.Suti\",\"ExecutionDate\":\"CommonTypeLibrary.DomainModel.ExecutionDate\",\"Amount\":\"SEK901.00\",\"ResponsibleLedger\":\"CommonTypeLibrary.DomainModel.Ledger\",\"RemittanceInformation\":\"None\",\"OriginalTransactionReference\":\"None\",\"SuppressedStatuses\":[],\"TransactionStatus\":\"Complete\",\"Messages\":null,\"OrderReference\":\"289e272f-2677-409b-9576-f28b2763c658\",\"TransactionIdentifier\":\"e4dfbba0-90cf-4e1d-9ca3-e661ace5fe1d\",\"JobType\":\"TransactionStatusUpdateTask\",\"JobRetries\":0,\"ProcessInstanceId\":2251799813733043,\"EnvironmentName\":\"Development\"}}, {\"Level\":\"Information\",\"MessageTemplate\":\"Publishing transaction status\",\"RenderedMessage\":\"Publishing transaction status\",\"Properties\":{\"SourceContext\":\"ApiGateway.Services.StatusUpdateService\",\"Debtor\":\"CommonTypeLibrary.DomainModel.AccountHolder\",\"Creditor\":\"CommonTypeLibrary.DomainModel.AccountHolder\",\"Prefunding\":null,\"Type\":\"Transfer\",\"PaymentProcessType\":\"Internal\",\"TransactionReference\":\"7ced831c-f8fd-41a2-88b1-6b564259539b\",\"Suti\":\"CommonTypeLibrary.DomainModel.Suti\",\"ExecutionDate\":\"CommonTypeLibrary.DomainModel.ExecutionDate\",\"Amount\":\"SEK567.00\",\"ResponsibleLedger\":\"CommonTypeLibrary.DomainModel.Ledger\",\"RemittanceInformation\":\"None\",\"OriginalTransactionReference\":\"None\",\"SuppressedStatuses\":[],\"TransactionStatus\":\"Complete\",\"Messages\":null,\"OrderReference\":\"289e272f-2677-409b-9576-f28b2763c658\",\"TransactionIdentifier\":\"7ced831c-f8fd-41a2-88b1-6b564259539b\",\"JobType\":\"TransactionStatusUpdateTask\",\"JobRetries\":0,\"ProcessInstanceId\":2251799813733043,\"EnvironmentName\":\"Development\"}}, {\"Level\":\"Information\",\"MessageTemplate\":\"Publishing transaction status\",\"RenderedMessage\":\"Publishing transaction status\",\"Properties\":{\"SourceContext\":\"ApiGateway.Services.StatusUpdateService\",\"Debtor\":\"CommonTypeLibrary.DomainModel.AccountHolder\",\"Creditor\":\"CommonTypeLibrary.DomainModel.AccountHolder\",\"Prefunding\":null,\"Type\":\"Transfer\",\"PaymentProcessType\":\"Internal\",\"TransactionReference\":\"9f7742e7-0350-420a-9f6b-79d7bd024bc5\",\"Suti\":\"CommonTypeLibrary.DomainModel.Suti\",\"ExecutionDate\":\"CommonTypeLibrary.DomainModel.ExecutionDate\",\"Amount\":\"SEK234.00\",\"ResponsibleLedger\":\"CommonTypeLibrary.DomainModel.Ledger\",\"RemittanceInformation\":\"None\",\"OriginalTransactionReference\":\"None\",\"SuppressedStatuses\":[],\"TransactionStatus\":\"InProgress\",\"Messages\":[],\"OrderReference\":\"289e272f-2677-409b-9576-f28b2763c658\",\"TransactionIdentifier\":\"9f7742e7-0350-420a-9f6b-79d7bd024bc5\",\"JobType\":\"TransactionStatusUpdateTask\",\"JobRetries\":0,\"ProcessInstanceId\":2251799813733043,\"EnvironmentName\":\"Development\"}}, {\"Level\":\"Information\",\"MessageTemplate\":\"Publishing transaction status\",\"RenderedMessage\":\"Publishing transaction status\",\"Properties\":{\"SourceContext\":\"ApiGateway.Services.StatusUpdateService\",\"Debtor\":\"CommonTypeLibrary.DomainModel.AccountHolder\",\"Creditor\":\"CommonTypeLibrary.DomainModel.AccountHolder\",\"Prefunding\":null,\"Type\":\"Transfer\",\"PaymentProcessType\":\"Internal\",\"TransactionReference\":\"e4dfbba0-90cf-4e1d-9ca3-e661ace5fe1d\",\"Suti\":\"CommonTypeLibrary.DomainModel.Suti\",\"ExecutionDate\":\"CommonTypeLibrary.DomainModel.ExecutionDate\",\"Amount\":\"SEK901.00\",\"ResponsibleLedger\":\"CommonTypeLibrary.DomainModel.Ledger\",\"RemittanceInformation\":\"None\",\"OriginalTransactionReference\":\"None\",\"SuppressedStatuses\":[],\"TransactionStatus\":\"InProgress\",\"Messages\":[],\"OrderReference\":\"289e272f-2677-409b-9576-f28b2763c658\",\"TransactionIdentifier\":\"e4dfbba0-90cf-4e1d-9ca3-e661ace5fe1d\",\"JobType\":\"TransactionStatusUpdateTask\",\"JobRetries\":0,\"ProcessInstanceId\":2251799813733043,\"EnvironmentName\":\"Development\"}}, {\"Level\":\"Information\",\"MessageTemplate\":\"Publishing transaction status\",\"RenderedMessage\":\"Publishing transaction status\",\"Properties\":{\"SourceContext\":\"ApiGateway.Services.StatusUpdateService\",\"Debtor\":\"CommonTypeLibrary.DomainModel.AccountHolder\",\"Creditor\":\"CommonTypeLibrary.DomainModel.AccountHolder\",\"Prefunding\":null,\"Type\":\"Transfer\",\"PaymentProcessType\":\"Internal\",\"TransactionReference\":\"7ced831c-f8fd-41a2-88b1-6b564259539b\",\"Suti\":\"CommonTypeLibrary.DomainModel.Suti\",\"ExecutionDate\":\"CommonTypeLibrary.DomainModel.ExecutionDate\",\"Amount\":\"SEK567.00\",\"ResponsibleLedger\":\"CommonTypeLibrary.DomainModel.Ledger\",\"RemittanceInformation\":\"None\",\"OriginalTransactionReference\":\"None\",\"SuppressedStatuses\":[],\"TransactionStatus\":\"InProgress\",\"Messages\":[],\"OrderReference\":\"289e272f-2677-409b-9576-f28b2763c658\",\"TransactionIdentifier\":\"7ced831c-f8fd-41a2-88b1-6b564259539b\",\"JobType\":\"TransactionStatusUpdateTask\",\"JobRetries\":0,\"ProcessInstanceId\":2251799813733043,\"EnvironmentName\":\"Development\"}}, {\"Level\":\"Information\",\"MessageTemplate\":\"Publishing transaction status\",\"RenderedMessage\":\"Publishing transaction status\",\"Properties\":{\"SourceContext\":\"ApiGateway.Services.StatusUpdateService\",\"TransactionReference\":\"e4dfbba0-90cf-4e1d-9ca3-e661ace5fe1d\",\"TransactionStatus\":\"Registered\",\"OrderStatus\":\"Registered\",\"Messages\":null,\"OrderReference\":\"289e272f-2677-409b-9576-f28b2763c658\",\"JobType\":\"OrderStatusUpdateTask\",\"JobRetries\":0,\"ProcessInstanceId\":2251799813733043,\"EnvironmentName\":\"Development\"}}, {\"Level\":\"Information\",\"MessageTemplate\":\"Publishing transaction status\",\"RenderedMessage\":\"Publishing transaction status\",\"Properties\":{\"SourceContext\":\"ApiGateway.Services.StatusUpdateService\",\"TransactionReference\":\"7ced831c-f8fd-41a2-88b1-6b564259539b\",\"TransactionStatus\":\"Registered\",\"OrderStatus\":\"Registered\",\"Messages\":null,\"OrderReference\":\"289e272f-2677-409b-9576-f28b2763c658\",\"JobType\":\"OrderStatusUpdateTask\",\"JobRetries\":0,\"ProcessInstanceId\":2251799813733043,\"EnvironmentName\":\"Development\"}}, {\"Level\":\"Information\",\"MessageTemplate\":\"Publishing transaction status\",\"RenderedMessage\":\"Publishing transaction status\",\"Properties\":{\"SourceContext\":\"ApiGateway.Services.StatusUpdateService\",\"TransactionReference\":\"9f7742e7-0350-420a-9f6b-79d7bd024bc5\",\"TransactionStatus\":\"Registered\",\"OrderStatus\":\"Registered\",\"Messages\":null,\"OrderReference\":\"289e272f-2677-409b-9576-f28b2763c658\",\"JobType\":\"OrderStatusUpdateTask\",\"JobRetries\":0,\"ProcessInstanceId\":2251799813733043,\"EnvironmentName\":\"Development\"}}]"
| fields _raw
| spath Properties
| spath input=Properties
| table _time, OrderReference, TransactionReference, Type, Amount, Currency, OrderStatus
| stats latest(*) as * by OrderReference TransactionReference
Right, it doesn't extract the fields, but the data is available. Using JSON functions the data can possibly be queried, but that is cumbersome.
Hi @roywan, the only way is to open a non-technical ticket to Splunk Support, no other way. Ciao. Giuseppe
OK. Regardless of join or not, your search is pretty bad performance-wise due to how its initial part is built in the first place. You're doing

<initial_search> | spath [...] | where <some_condition>

Unfortunately, it's gonna have to read and parse every single event from the given time range, which is not what you want.

What is a bit tricky when approaching Splunk for the first time is that, due to the so-called "schema on read" approach, Splunk first and foremost indexes values. So if you have a search saying field=value, Splunk first searches for all events containing the value, and only those events are then checked to see whether they contain that value in places corresponding to the definition of the field. The more conditions you have in your initial search, the more events Splunk can discard from the initial result set (because they contain, for example, just one of two sought-for terms), so that ideally the "hit ratio" is quite high and Splunk doesn't have to work too hard at parsing those intermediate search results. Your search, on the other hand, invokes the spath command on every single event that falls within the time range and only then checks the results for some condition using the where command.

If your events were well-formed JSON events, you could have the sourcetype defined with KV_MODE=json and use field=value matching based on the JSON fields. But even if you don't have the fields parsed automatically at the point of your initial search, you can greatly improve your search performance by adding the conditions as a "full-text search".

So your

index="my_index" | spath input=Properties | where RenderedMessage="Created a new transaction" AND 'Properties.OrderReference'="289e272f-2677-409b-9576-f28b2763c658" AND 'Properties.EnvironmentName'="Development"

can be rewritten (yes, it looks a bit ugly, but it should be a lot faster) as

index="my_index" "Created a new transaction" "289e272f-2677-409b-9576-f28b2763c658" "Development" | spath input=Properties | where RenderedMessage="Created a new transaction" AND 'Properties.OrderReference'="289e272f-2677-409b-9576-f28b2763c658" AND 'Properties.EnvironmentName'="Development"
I mean three consecutive 200 responses.
I've added events for the two searches I would like to use, thanks
Try something like this:

| eval successtime=if(status=200,_time,null())
| streamstats range(successtime) as successrange count(successtime) as successcount window=3 by status global=f
| where successcount=3 and successrange > 10
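To make the semantics of that streamstats window explicit, here is the same check written out in Python as an added example (it is not code posted by anyone in this thread). It assumes access-log lines of the form "<ISO-8601 UTC time> <status> <path>", constructed below, and shows the one point the thread asked the poster to clarify: with "window=3 by status" each status keeps its own window, so a 500 between two 200s neither resets nor extends the run; the stricter reading (a non-200 breaks the run) is offered as an option.

```python
"""Sliding-window check for "three consecutive 200 responses that together
took more than 10 seconds".  Mirrors what the streamstats answer computes:
a per-status window of the last three events (window=3 by status), flagged
when the time range across the window exceeds the threshold.  Added example
for this thread, not code posted in it; the log lines below are constructed."""

from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample access log: "<ISO-8601 UTC time> <status> <path>".
SAMPLE_LOG = """\
2023-11-15T14:32:00Z 200 /orders
2023-11-15T14:32:02Z 500 /orders
2023-11-15T14:32:05Z 200 /orders
2023-11-15T14:32:12Z 200 /orders
2023-11-15T14:32:13Z 200 /orders
2023-11-15T14:32:14Z 200 /orders
"""


def parse_line(line):
    """Return (epoch_seconds, status, path) for one log line."""
    ts, status, path = line.split()
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return t.timestamp(), int(status), path


def slow_success_runs(lines, window=3, threshold=10.0, success=200,
                      reset_on_failure=False):
    """Return [(epoch, span_seconds)] for every event that completes a window
    of `window` `success` responses spanning more than `threshold` seconds.

    reset_on_failure=False reproduces `streamstats ... window=3 by status`:
    each status has its own window, so a 500 in between neither resets nor
    extends the run of 200s.  reset_on_failure=True is the stricter reading
    where any non-200 response breaks the run.
    """
    windows = defaultdict(lambda: deque(maxlen=window))  # one window per status
    hits = []
    for line in lines:
        if not line.strip():
            continue
        t, status, _path = parse_line(line)
        if reset_on_failure and status != success:
            windows[success].clear()
        w = windows[status]
        w.append(t)
        if status == success and len(w) == window:
            span = w[-1] - w[0]  # range(successtime) across the window
            if span > threshold:
                hits.append((t, span))
    return hits


if __name__ == "__main__":
    for epoch, span in slow_success_runs(SAMPLE_LOG.splitlines()):
        ended = datetime.fromtimestamp(epoch, timezone.utc)
        print(f"window ending at {ended:%H:%M:%S} spans {span:.0f}s")
```

On the constructed log, the default (streamstats-like) mode flags the window 14:32:00, 14:32:05, 14:32:12 because the 500 at 14:32:02 lives in its own window; with reset_on_failure=True the same log produces no hit, which is exactly the difference the first reply in this thread asked about.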
Thank you, it's working.
I'm currently building my own home instance and I'm having some trouble with my UF.

So far I've:
- installed the latest / correct version for my Ubuntu Linux system
- run sudo chown -RP splunk:splunk /opt/splunkforwarder/
- searched through SplunkForwarder.service to see if the correct user is applied (which it is)
- tried re-installing and running ./splunk enable boot-start as the splunk user, and as root.

When using the splunk user I have to authenticate as root anyway, but I get the same results for both.

./splunk start
results in "Done" after authentication.

./splunk status
results in:
Warning: Attempting to revert the SPLUNK_HOME ownership
Warning: Executing "chown -R splunk:splunkfwd /opt/splunkforwarder"
Couldn't change ownership for /opt/splunkforwarder/etc : Operation not permitted
splunkd is not running.

./splunk enable boot-start
results in:
"A systemd unit file already exists at path ="/etc/systemd/system/SplunkForwarder.service". To add a Splunk generated systemd unit file, run 'splunk disable boot-start' before running this command. If there are custom settings that have been added to the unit file, create a backup copy first."

It seems no matter which account I use or which user has permissions, I'm unable to access any of the files under "/opt/splunkforwarder", nor am I able to start the UF itself or configure boot-start.
Thanks for your reply on this. We were seeing a JSON array, which Splunk failed to recognize and make searchable. We were using Lambda for transformation, and one change to the Firehose configuration from "Raw" to "Event" for the field "Splunk End Point" helped resolve the issue. Also, I changed the source type to "aws:cloudwatch" based on the tests written for the Lambda: https://github.com/splunk/splunk-aws-cloudwatch-streaming-metrics-processor/blob/main/SplunkAWSCloudWatchStreamingMetricsProcessor/test_lambda_function.py

It would be good if the documentation - Source types for the Splunk Add-on for AWS - Splunk Documentation - could also be updated to say that the source type "aws:cloudwatch" is to be used if the Lambda function splunk-aws-cloudwatch-streaming-metrics-processor is used for streaming. This request can be closed with the above comments.
| where count >= 10 AND count <=19

Then trigger your alert if there are any results.
where doesn't support wildcards in this way; try using search instead of where.
Hello everyone, I am looking for a Splunk search query to get the duration of three sequential response code 200 messages. It is not about the average time or the duration of one message, but whether three success message responses took more than 10 seconds in total. Thanks in advance.
Technically, yes, it is possible (probably), but it is not simple. Visualisations work on series, i.e. all points / bars from the same series are shown in the same colour, so what you could do is duplicate the incoming series and in one copy of the series set the value to zero if the outgoing count is greater than zero, and in the other series set the value to zero if the outgoing count is zero. Using randomly generated values, this demonstrates what I mean:

| gentimes start=-1 increment=1h
| rename starttime as _time
| fields _time
| eval incoming=random()%10
| eval outgoing=random()%10
| eval unprocessed = if(outgoing > 0, 0, incoming)
| eval incoming = if(outgoing > 0, incoming, 0)
Hi, sorry, I want to create an input (free text) on the field "JOBNAME", which is extracted via rex. Is it possible? The input below is working fine when I put a job name in the free_text input, but when I give nothing or * in the free_text input it gives me no result.

<input type="text" token="free_text" searchWhenChanged="true">
  <label>Free_Text</label>
  <default>*</default>
  <prefix>| where JOBNAME = "</prefix>
  <suffix>"</suffix>
  <initialValue>*</initialValue>
</input>

Is there any way to create an input filter as free text for the field JOBNAME? I am using a free text input because there are more than 500 jobs and a dropdown does not look good.
Hi Team, I am trying to set up an alert if the count of errors is in the range between 10 and 19 (more than 10 and less than 19). For example: index=abc sourcetype=xyz "errors" should only trigger the alert if count >= 10 AND count <= 19. Please help, thank you.
I really need Splunk to update my name. I have raised a ticket twice and both times I was told 'it's not their job and please visit the Splunk support page', which ends up in an infinite loop. For context, I recently changed my official name, e.g. the name on my passport. Without updating it in my Splunk profiles I won't be able to take exams, as the IDs don't match.
Hi, is it possible to use any graph/visualization to show that in the last 30 mins INCOMING is greater than 0 and OUTGOING = 0?