Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Posts
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- All Posts
All Posts
04-18-2024
06:17 AM
OK, is the "Dataframe row :" part really a part of the event or just a header you posted before the actual event. Anyway, it seems like it's a relatively well-formed (unless I'm missing something) j...
See more...
OK, is the "Dataframe row :" part really a part of the event or just a header you posted before the actual event. Anyway, it seems like it's a relatively well-formed (unless I'm missing something) json embedded (and escaped) within another json. Possibly prepended with that "Dataframe row :" header. I'd say just cut the header if applicable, parse the outer json, extract the inner json, split if needed into multiple events, then spath the inner json(s). And don't use regexes to manipulate structured data unless you really can't avoid it.
04-18-2024
06:10 AM
Hi All, I want to extract service name from sourcetype="aws:metadata" and source field. Example : 434531263412:eu-central-1:elasticache_describe_reserved_cache_nodes_offerings I am using thi...
See more...
Hi All, I want to extract service name from sourcetype="aws:metadata" and source field. Example : 434531263412:eu-central-1:elasticache_describe_reserved_cache_nodes_offerings I am using this query : index=* sourcetype=aws:metadata
| eval aws_service=mvindex(split(source,":"),2)
| rex field=aws_service "(?<aws_service>[^_]+)"
| table aws_service source| dedup aws_service Using this I will get result : elasticache. But in case of "434531263412:us-west-2:nat_gateways" its just extracting nat. But it should be gateways. S Similarly in 434531263412:eu-central-1:application_load_balancers, its extracting application. I was thinking if we can check for the keyword and update the value. I want to add this in props.conf file so aws_service field gets created from source. Please can anyone of you help me how can I achieve this ? Regards, PNV
04-18-2024
06:06 AM
If you examine and try to understand the solution I posted, you will see there is a not equals condition on the regex. Perhaps you could have figured out for yourself that you could simply change not...
See more...
If you examine and try to understand the solution I posted, you will see there is a not equals condition on the regex. Perhaps you could have figured out for yourself that you could simply change not equals to equals! | regex Name="NODATA"
04-18-2024
05:59 AM
Hi ITWhisperer, Thank you for your response. But the query which you have provided is eliminating the job name that contains NODATA string, but we only need that job name that contains NODATA strin...
See more...
Hi ITWhisperer, Thank you for your response. But the query which you have provided is eliminating the job name that contains NODATA string, but we only need that job name that contains NODATA string, rest all jobs, we can eliminate. Kindly help us on this. Thank you
04-18-2024
05:59 AM
Wait a second. What does it have to do with any events returned from the index? So far you're only operating on the data from the lookup. Also, unless for displaying (but even then it's... a disputa...
See more...
Wait a second. What does it have to do with any events returned from the index? So far you're only operating on the data from the lookup. Also, unless for displaying (but even then it's... a disputable practice), you don't want to merge values into multivalued fields this way. You'll effectively get two multivalued fields with no connection between them whatsoever. So if you wanted to sort one of them (for example to list passed exams before failed ones or vice-versa) you can't reorder the other field the same way. They are just two separate fields with multivalued contents but there is no relationship between those contents. (and should any of those values prove to be empty, the whole field will "squash" so you will not have any spaces between values).
04-18-2024
05:15 AM
You are on the right lines with streamstats - please share some sample anonymised event for us to work with to find you a solution.
04-18-2024
05:14 AM
Try something like this: <your search> ...
| eval exam_result=mvzip(ExamID, Status, "~")
| fields - ExamID Status
| mvexpand exam_result
| eval ExamID=mvindex(split(exam_result, "~"), 0), Status...
See more...
Try something like this: <your search> ...
| eval exam_result=mvzip(ExamID, Status, "~")
| fields - ExamID Status
| mvexpand exam_result
| eval ExamID=mvindex(split(exam_result, "~"), 0), Status=mvindex(split(exam_result, "~"), 1)
| eval extra_status = if(ExamID>=120 AND ExamID<=125 AND match(Status, "Pass"), "GOOD", null())
04-18-2024
05:13 AM
You could try extracting each job as a complete event, before extracting the individual fields. You can then filter out the jobs you don't want (btw, your regex seems to have way too many backslashes...
See more...
You could try extracting each job as a complete event, before extracting the individual fields. You can then filter out the jobs you don't want (btw, your regex seems to have way too many backslashes, but you may need them if your actual data is different to the example you shared) | rex max_match=0 "(?<job>\\\\\"jobname\\\\\":\s*\\\\\"[^\\\]+.*?\\\\\"status\\\\\":\s*\\\\\"ENDED OK.*?Timestamp\\\\\": \\\\\"\d+\s*\d+\:\d+\:\d+.*?execution_time_in_seconds\\\\\": \\\\\"[\d\.\-]+)"
| mvexpand job
| rex field=job "\\\\\"jobname\\\\\":\s*\\\\\"(?<Name>[^\\\]+).*?\\\\\"status\\\\\":\s*\\\\\"(?<State>ENDED OK).*?Timestamp\\\\\": \\\\\"(?<TIME>\d+\s*\d+\:\d+\:\d+).*?execution_time_in_seconds\\\\\": \\\\\"(?<EXECUTION_TIME>[\d\.\-]+)"
| regex Name!="NODATA"
| table TIME Name State EXECUTION_TIME
04-18-2024
05:03 AM
I can find my DBConnect input inside the "/app/splunk/var/log/splunk/splunk_app_db_connect_job_metrics.log" log. It pretty much runs a "Select * from a table" every 4 hours and sends the results to ...
See more...
I can find my DBConnect input inside the "/app/splunk/var/log/splunk/splunk_app_db_connect_job_metrics.log" log. It pretty much runs a "Select * from a table" every 4 hours and sends the results to an index. It always runs to completion with a "status=COMPLETED" but at times it finishes with an 'error_count > 0' and we notice that we don't get those log events added to the index for that run. Where can I see that these errors are and why are they generated?
Labels
- Labels:
-
troubleshooting
04-18-2024
04:56 AM
1 Karma
"Your Splunk license expired". Does it ring a bell?
04-18-2024
04:52 AM
@dtburrows3 @gcusello @PickleRick @ITWhisperer - Kindly help
04-18-2024
04:51 AM
I need to do this for multivalues which is not working.
04-18-2024
04:49 AM
@deepakc Thank you for reply. _raw data is not static it going to change every minute. could u pls let know how to use "eval" for data which going to be changed.
04-18-2024
04:44 AM
Try this
| inputlookup userinfo
| eval fourth_result=if(ExamID>=120 AND ExamID<=125,"GOOD","OTHER")
04-18-2024
04:20 AM
Greetings, I have just started using splunk and I was trying to montior logs from my files section, And I am getting the following errors while doing so, help me. I am using heavy forwarder for this....
See more...
Greetings, I have just started using splunk and I was trying to montior logs from my files section, And I am getting the following errors while doing so, help me. I am using heavy forwarder for this. I have added my forwarder port to 192.168.196.51:9997 and also made reciever on port 9997. I dont know where I am making mistake. Please help me with this. Thanks and Regards.
Labels
- Labels:
-
heavy forwarder
04-18-2024
04:13 AM
This is an example using makeresults and rex
| makeresults
| eval _raw="Test1=101,Test2=102,Test3=103,Test4=104,Test5=105,Test6=106,Test7=107,Test8=108,Test9=109,Test101=110"
| makemv _raw delim=",...
See more...
This is an example using makeresults and rex
| makeresults
| eval _raw="Test1=101,Test2=102,Test3=103,Test4=104,Test5=105,Test6=106,Test7=107,Test8=108,Test9=109,Test101=110"
| makemv _raw delim=","
| rex field=_raw "(?<field>Test7)=(?<value>\d+)"
| table field value
04-18-2024
04:10 AM
Sample "testput.log" file as below: 240418 06:44:53 3543 testput1: ---> TRN: 133c0119a15e407595cd46c89216ca101 - AP sent to [TEST.SND.TO.ABC.PQRST.Q1@QM.PQRS102].
240418 06:44:53 3543 te...
See more...
Sample "testput.log" file as below: 240418 06:44:53 3543 testput1: ---> TRN: 133c0119a15e407595cd46c89216ca101 - AP sent to [TEST.SND.TO.ABC.PQRST.Q1@QM.PQRS102].
240418 06:44:53 3543 testput1: <=== TRN@Al10: 133c0119a15e407595cd46c89216ca101 - AP. DestHost=[MQ] from RESPONSE_Q1=instance_abc.RS1.
240418 06:44:52 3543 testput1: ---> TRN: b247073ae24443d79be3360de4c1bfec1 - AP sent to [TEST.SND.TO.ABC.PQRST.Q1@QM.PQRS102].
240418 06:44:52 3543 testput1: <=== TRN@Al5: b247073ae24443d79be3360de4c1bfec1 - AP. DestHost=[MQ] from RESPONSE_Q1=instance_abc.RS1.
240418 06:44:52 3543 testput1: ---> TRN: f3cf7266d2ad4fa6bf86412441c374991 - AP sent to [TEST.SND.TO.ABC.PQRST.Q1@QM.PQRS102].
240418 06:44:52 3543 testput1: <=== TRN@Al10: f3cf7266d2ad4fa6bf86412441c374991 - AP. DestHost=[MQ] from RESPONSE_Q1=instance_abc.RS1.
240418 06:44:52 3543 testput1: ---> TRN: d7de4351d94040a995eb373fe834a0371 - AP sent to [TEST.SND.TO.ABC.PQRST.Q1@QM.PQRS102].
240418 06:44:52 3543 testput1: <=== TRN@Al13: d7de4351d94040a995eb373fe834a0371 - AP. DestHost=[MQ] from RESPONSE_Q1=instance_abc.RS1.
240418 06:44:50 3543 testput1: ---> TRN: c36d67d7af5f45f28afe0af2a80c6ea61 - AP sent to [TEST.SND.TO.ABC.PQRST.Q1@QM.PQRS102].
240418 06:44:50 3543 testput1: <=== TRN@Al9: c36d67d7af5f45f28afe0af2a80c6ea61 - AP. DestHost=[MQ] from RESPONSE_Q1=instance_abc.RS1.
240418 06:43:31 3543 testput1: HS135255 InvokeIDRModule: << IDR TRN <UVW024041800194GN00002-DREn00001A> . Out Status = < >
240418 06:43:31 3543 testput1: HS135254 InvokeIDRModule: >> IDR TRN <UVW024041800194GN00002-DREn00001A> . In Status = <P>
240418 06:43:31 3543 testput1: ---> TRN: UVW024041800194GN00002-DREn00001A - MP sent to [TEST.SND.TO.PQR@QM.PQRS103].
240418 06:43:31 3543 testput1: <=== TRN@mmicntl: UVW024041800194GN00002-DREn00001A - MP. DestHost=[MQ] from RESPONSE_Q1=instance_abc.RS1.
240418 06:41:25 3543 testput1: ---> TRN: fbccac1e49bf41b9a66ac87c2e9976691 - AP sent to [TEST.SND.TO.ABC.PQRST.Q1@QM.PQRS102].
240418 06:41:25 3543 testput1: <=== TRN@Al9: fbccac1e49bf41b9a66ac87c2e9976691 - AP. DestHost=[MQ] from RESPONSE_Q1=instance_abc.RS1.
240418 06:39:59 3543 testput1: ---> TRN: UVW024041800194GN00013 - MP sent to [TEST.SND.TO.PQR@QM.PQRS103].
240418 06:39:59 3543 testput1: SendResponseToHost : Sending response to the Host
240418 06:39:59 3543 testput1: HS135255 InvokeIDRModule: << IDR TRN <UVW024041800194GN00013-DREn0000cA> . Out Status = <P>
240418 06:39:59 3543 testput1: HS135254 InvokeIDRModule: >> IDR TRN <UVW024041800194GN00013-DREn0000cA> . In Status = <H>
240418 06:39:59 3543 testput1: ---> TRN: UVW024041800194GN00013-DREn0000cA - AH sent to [TEST.SND.TO.PQR@QM.PQRS103].
240418 06:39:59 3543 testput1: <=== TRN@Al9: UVW024041800194GN00013-DREn0000cA - AH. DestHost=[MQ] from RESPONSE_Q1=instance_abc.RS1.
240418 06:39:59 3543 testput1: ---> TRN: UVW024041800194GN00007-DREn00006A - AP sent to [TEST.SND.TO.PQR@QM.PQRS103].
240418 06:39:59 3543 testput1: <=== TRN@Al7: UVW024041800194GN00007-DREn00006A - AP. DestHost=[MQ] from RESPONSE_Q1=instance_abc.RS1.
240418 06:39:59 3543 testput1: ---> TRN: UVW024041800194GN00010-DREn00009A - AP sent to [TEST.SND.TO.PQR@QM.PQRS103].
240418 06:39:59 3543 testput1: <=== TRN@Al4: UVW024041800194GN00010-DREn00009A - AP. DestHost=[MQ] from RESPONSE_Q1=instance_abc.RS1.
240418 06:39:58 3543 testput1: ---> TRN: UVW024041800194GN00008-DREn00007A - AP sent to [TEST.SND.TO.PQR@QM.PQRS103].
240418 06:39:58 3543 testput1: <=== TRN@Al3: UVW024041800194GN00008-DREn00007A - AP. DestHost=[MQ] from RESPONSE_Q1=instance_abc.RS1.
240418 06:39:58 3543 testput1: ---> TRN: UVW024041800194GN00006-DREn00005A - AP sent to [TEST.SND.TO.PQR@QM.PQRS103].
240418 06:39:58 3543 testput1: <=== TRN@Al1: UVW024041800194GN00006-DREn00005A - AP. DestHost=[MQ] from RESPONSE_Q1=instance_abc.RS1.
240418 06:39:58 3543 testput1: ---> TRN: UVW024041800194GN00011-DREn0000aA - AP sent to [TEST.SND.TO.PQR@QM.PQRS103].
240418 06:39:58 3543 testput1: <=== TRN@Al11: UVW024041800194GN00011-DREn0000aA - AP. DestHost=[MQ] from RESPONSE_Q1=instance_abc.RS1.
240418 06:39:58 3543 testput1: HS135255 InvokeIDRModule: << IDR TRN <UVW024041800194GN00002-DREn00001A> . Out Status = <O>
240418 06:39:58 3543 testput1: HS135254 InvokeIDRModule: >> IDR TRN <UVW024041800194GN00002-DREn00001A> . In Status = <H>
240418 06:39:58 3543 testput1: ---> TRN: UVW024041800194GN00002-DREn00001A - AH sent to [TEST.SND.TO.PQR@QM.PQRS103].
240418 06:39:58 3543 testput1: <=== TRN@Al10: UVW024041800194GN00002-DREn00001A - AH. DestHost=[MQ] from RESPONSE_Q1=instance_abc.RS1.
240418 06:39:58 3543 testput1: ---> TRN: UVW024041800194GN00012-DREn0000bA - AP sent to [TEST.SND.TO.PQR@QM.PQRS103].
240418 06:39:58 3543 testput1: <=== TRN@Al8: UVW024041800194GN00012-DREn0000bA - AP. DestHost=[MQ] from RESPONSE_Q1=instance_abc.RS1.
240418 06:39:58 3543 testput1: ---> TRN: UVW024041800194GN00003-DREn00002A - AP sent to [TEST.SND.TO.PQR@QM.PQRS103].
240418 06:39:58 3543 testput1: <=== TRN@Al14: UVW024041800194GN00003-DREn00002A - AP. DestHost=[MQ] from RESPONSE_Q1=instance_abc.RS1.
240418 06:39:58 3543 testput1: ---> TRN: UVW024041800194GN00001 - MP sent to [TEST.SND.TO.PQR@QM.PQRS103].
240418 06:39:58 3543 testput1: SendResponseToHost : Sending response to the Host
240418 06:39:58 3543 testput1: HS135255 InvokeIDRModule: << IDR TRN <UVW024041800194GN00001-DREn00000A> . Out Status = <P>
240418 06:39:58 3543 testput1: HS135254 InvokeIDRModule: >> IDR TRN <UVW024041800194GN00001-DREn00000A> . In Status = <H>
240418 06:39:58 3543 testput1: ---> TRN: UVW024041800194GN00001-DREn00000A - AH sent to [TEST.SND.TO.PQR@QM.PQRS103].
240418 06:39:58 3543 testput1: <=== TRN@Al13: UVW024041800194GN00001-DREn00000A - AH. DestHost=[MQ] from RESPONSE_Q1=instance_abc.RS1.
240418 06:37:46 3543 testput1: <=== TRN@Al8: 34e4c77406e647d29859a7c3e0077cab1 - AP. DestHost=[MQ] from RESPONSE_Q1=instance_abc.RS1.
240418 06:37:46 3543 testput1: ---> TRN: 34e4c77406e647d29859a7c3e0077cab1 - AP sent to [TEST.SND.TO.ABC.PQRST.Q1@QM.PQRS102].
240418 06:37:40 3543 testput1: HS135255 InvokeIDRModule: << IDR TRN <MNCDBC2024041804991213-DREg0000aA> . Out Status = < >
240418 06:37:40 3543 testput1: HS135254 InvokeIDRModule: >> IDR TRN <MNCDBC2024041804991213-DREg0000aA> . In Status = <P>
240418 06:37:40 3543 testput1: ---> TRN: MNCDBC2024041804991213-DREg0000aA - MP sent to [TEST.SND.TO.CPC@QM.PQRS103].
240418 06:37:40 3543 testput1: <=== TRN@mmicntl: MNCDBC2024041804991213-DREg0000aA - MP. DestHost=[MQ] from RESPONSE_Q1=instance_abc.RS1.
240418 06:37:28 3543 testput1: ---> TRN: 17bd221de8f14fd09439fc2bb9564bed1 - AP sent to [TEST.SND.TO.ABC.PQRST.Q1@QM.PQRS102].
240418 06:37:28 3543 testput1: <=== TRN@Al9: 17bd221de8f14fd09439fc2bb9564bed1 - AP. DestHost=[MQ] from RESPONSE_Q1=instance_abc.RS1.
240418 06:37:23 3543 testput1: <=== TRN@mmicntl: CLG024041800098GN00001-DREh00023A - MP. DestHost=[MQ] from RESPONSE_Q1=instance_abc.RS1.
240418 06:37:23 3543 testput1: HS135255 InvokeIDRModule: << IDR TRN <CLG024041800098GN00001-DREh00023A> . Out Status = < >
240418 06:37:23 3543 testput1: HS135254 InvokeIDRModule: >> IDR TRN <CLG024041800098GN00001-DREh00023A> . In Status = <P>
240418 06:37:23 3543 testput1: ---> TRN: CLG024041800098GN00001-DREh00023A - MP sent to [TEST.SND.TO.CLH@QM.PQRS103].
240418 06:37:17 3543 testput1: ---> TRN: MNO24041800065GS00077-DREl0004cA - AP sent to [TEST.SND.TO.XYZ@QM.PQRS103].
240418 06:37:17 3543 testput1: <=== TRN@Al2: MNO24041800065GS00077-DREl0004cA - AP. DestHost=[MQ] from RESPONSE_Q1=instance_abc.RS1.
240418 06:37:17 3543 testput1: ---> TRN: MNO24041800065GS00079-DREl0004eA - AP sent to [TEST.SND.TO.XYZ@QM.PQRS103].
240418 06:37:17 3543 testput1: <=== TRN@Al5: MNO24041800065GS00079-DREl0004eA - AP. DestHost=[MQ] from RESPONSE_Q1=instance_abc.RS1.
240418 06:37:16 3543 testput1: ---> TRN: MNO24041800065GS00081-DREl00050A - AP sent to [TEST.SND.TO.XYZ@QM.PQRS103].
240418 06:37:16 3543 testput1: <=== TRN@Al1: MNO24041800065GS00081-DREl00050A - AP. DestHost=[MQ] from RESPONSE_Q1=instance_abc.RS1.
240418 06:37:16 3543 testput1: ---> TRN: MNO24041800065GS00075-DREl0004aA - AP sent to [TEST.SND.TO.XYZ@QM.PQRS103].
240418 06:37:15 3543 testput1: <=== TRN@Al1: MNO24041800065GS00064-DREl0003fA - AP. DestHost=[MQ] from RESPONSE_Q1=instance_abc.RS1.
240418 06:37:15 3543 testput1: ---> TRN: MNO24041800065GS00063-DREl0003eA - AP sent to [TEST.SND.TO.XYZ@QM.PQRS103].
240418 06:37:15 3543 testput1: <=== TRN@Al13: MNO24041800065GS00063-DREl0003eA - AP. DestHost=[MQ] from RESPONSE_Q1=instance_abc.RS1.
240418 06:37:15 3543 testput1: ---> TRN: MNO24041800065GS00066-DREl00041A - AP sent to [TEST.SND.TO.XYZ@QM.PQRS103].
240418 06:37:15 3543 testput1: <=== TRN@Al3: MNO24041800065GS00066-DREl00041A - AP. DestHost=[MQ] from RESPONSE_Q1=instance_abc.RS1.
240418 06:37:15 3543 testput1: ---> TRN: MNO24041800065GS00058-DREl00039A - AP sent to [TEST.SND.TO.XYZ@QM.PQRS103].
240418 06:37:15 3543 testput1: <=== TRN@Al2: MNO24041800065GS00058-DREl00039A - AP. DestHost=[MQ] from RESPONSE_Q1=instance_abc.RS1.
240418 06:37:15 3543 testput1: ---> TRN: MNO24041800065GS00061-DREl0003cA - AP sent to [TEST.SND.TO.XYZ@QM.PQRS103].
240418 06:37:15 3543 testput1: <=== TRN@Al12: MNO24041800065GS00061-DREl0003cA - AP. DestHost=[MQ] from RESPONSE_Q1=instance_abc.RS1.
240418 06:37:12 3543 testput1: <=== TRN@Al4: MNO24041800065GS00035-DREl00022A - AP. DestHost=[MQ] from RESPONSE_Q1=instance_abc.RS1.
240418 06:37:12 3543 testput1: ---> TRN: MNO24041800065GS00033-DREl00020A - AP sent to [TEST.SND.TO.XYZ@QM.PQRS103].
240418 06:37:12 3543 testput1: <=== TRN@Al5: MNO24041800065GS00033-DREl00020A - AP. DestHost=[MQ] from RESPONSE_Q1=instance_abc.RS1.
240418 06:37:12 3543 testput1: ---> TRN: MNO24041800065GS00039-DREl00026A - AP sent to [TEST.SND.TO.XYZ@QM.PQRS103].
240418 06:37:12 3543 testput1: <=== TRN@Al3: MNO24041800065GS00039-DREl00026A - AP. DestHost=[MQ] from RESPONSE_Q1=instance_abc.RS1.
240418 06:37:12 3543 testput1: ---> TRN: MNO24041800065GS00044-DREl0002bA - AP sent to [TEST.SND.TO.XYZ@QM.PQRS103].
240418 06:37:12 3543 testput1: <=== TRN@Al14: MNO24041800065GS00044-DREl0002bA - AP. DestHost=[MQ] from RESPONSE_Q1=instance_abc.RS1.
240418 06:37:12 3543 testput1: ---> TRN: MNO24041800065GS00038-DREl00025A - AP sent to [TEST.SND.TO.XYZ@QM.PQRS103].
240418 06:37:12 3543 testput1: <=== TRN@Al1: MNO24041800065GS00038-DREl00025A - AP. DestHost=[MQ] from RESPONSE_Q1=instance_abc.RS1.
240418 06:37:12 3543 testput1: ---> TRN: MNO24041800065GS00036-DREl00023A - AP sent to [TEST.SND.TO.XYZ@QM.PQRS103].
240418 06:37:11 3543 testput1: <=== TRN@Al9: MNO24041800065GS00026-DREl00019A - AP. DestHost=[MQ] from RESPONSE_Q1=instance_abc.RS1.
240418 06:37:11 3543 testput1: ---> TRN: MNO24041800065GS00019-DREl00012A - AP sent to [TEST.SND.TO.XYZ@QM.PQRS103].
240418 06:37:11 3543 testput1: <=== TRN@Al1: MNO24041800065GS00019-DREl00012A - AP. DestHost=[MQ] from RESPONSE_Q1=instance_abc.RS1.
240418 06:37:11 3543 testput1: ---> TRN: MNO24041800065GS00025-DREl00018A - AP sent to [TEST.SND.TO.XYZ@QM.PQRS103].
240418 06:37:11 3543 testput1: <=== TRN@Al5: MNO24041800065GS00025-DREl00018A - AP. DestHost=[MQ] from RESPONSE_Q1=instance_abc.RS1.
240418 06:37:11 3543 testput1: ---> TRN: MNO24041800065GS00016-DREl0000fA - AP sent to [TEST.SND.TO.XYZ@QM.PQRS103].
240418 06:37:11 3543 testput1: <=== TRN@Al4: MNO24041800065GS00016-DREl0000fA - AP. DestHost=[MQ] from RESPONSE_Q1=instance_abc.RS1.
240418 06:37:11 3543 testput1: vlog: Current log size is 3497994 bytes
240418 06:37:11 3543 testput1: ---> TRN: MNO24041800065GS00024-DREl00017A - AP sent to [TEST.SND.TO.XYZ@QM.PQRS103].
240418 06:37:11 3543 testput1: <=== TRN@Al3: MNO24041800065GS00024-DREl00017A - AP. DestHost=[MQ] from RESPONSE_Q1=instance_abc.RS1.
240418 06:37:11 3543 testput1: ---> TRN: MNO24041800065GS00017-DREl00010A - AP sent to [TEST.SND.TO.XYZ@QM.PQRS103].
240418 06:37:11 3543 testput1: <=== TRN@Al12: MNO24041800065GS00017-DREl00010A - AP. DestHost=[MQ] from RESPONSE_Q1=instance_abc.RS1.
240418 06:37:11 3543 testput1: ---> TRN: MNO24041800065GS00022-DREl00015A - AP sent to [TEST.SND.TO.XYZ@QM.PQRS103].
240418 06:37:11 3543 testput1: <=== TRN@Al13: MNO24041800065GS00022-DREl00015A - AP. DestHost=[MQ] from RESPONSE_Q1=instance_abc.RS1.
240418 06:37:11 3543 testput1: ---> TRN: MNO24041800065GS00023 - MP sent to [TEST.SND.TO.XYZ@QM.PQRS103].
240418 06:37:11 3543 testput1: SendResponseToHost : Sending response to the Host
240418 06:37:11 3543 testput1: HS135255 InvokeIDRModule: << IDR TRN <MNO24041800065GS00023-DREl00016A> . Out Status = <P>
240418 06:37:11 3543 testput1: HS135254 InvokeIDRModule: >> IDR TRN <MNO24041800065GS00023-DREl00016A> . In Status = <H>
240418 06:37:11 3543 testput1: ---> TRN: MNO24041800065GS00023-DREl00016A - AH sent to [TEST.SND.TO.XYZ@QM.PQRS103].
240418 06:37:11 3543 testput1: <=== TRN@Al10: MNO24041800065GS00023-DREl00016A - AH. DestHost=[MQ] from RESPONSE_Q1=instance_abc.RS1.
240418 06:37:09 3543 testput1: ---> TRN: MNO24041800065GS00007-DREl00006A - AP sent to [TEST.SND.TO.XYZ@QM.PQRS103].
240418 06:37:09 3543 testput1: <=== TRN@Al14: MNO24041800065GS00007-DREl00006A - AP. DestHost=[MQ] from RESPONSE_Q1=instance_abc.RS1.
240418 06:37:09 3543 testput1: ---> TRN: MNO24041800065GS00004-DREl00003A - AP sent to [TEST.SND.TO.XYZ@QM.PQRS103].
240418 06:37:09 3543 testput1: <=== TRN@Al8: MNO24041800065GS00004-DREl00003A - AP. DestHost=[MQ] from RESPONSE_Q1=instance_abc.RS1.
240418 06:37:09 3543 testput1: ---> TRN: MNO24041800065GS00001-DREl00000A - AP sent to [TEST.SND.TO.XYZ@QM.PQRS103].
240418 06:35:10 3543 testput1: HS135255 InvokeIDRModule: << IDR TRN <UVW024041800193GN00003-DREh0002dA> . Out Status = < >
240418 06:35:10 3543 testput1: HS135254 InvokeIDRModule: >> IDR TRN <UVW024041800193GN00003-DREh0002dA> . In Status = <P>
240418 06:35:10 3543 testput1: ---> TRN: UVW024041800193GN00003-DREh0002dA - MP sent to [TEST.SND.TO.PQR@QM.PQRS103].
240418 06:35:10 3543 testput1: <=== TRN@mmicntl: UVW024041800193GN00003-DREh0002dA - MP. DestHost=[MQ] from RESPONSE_Q1=instance_abc.RS1.
04-18-2024
04:09 AM
Hi try using kvform (https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/SearchReference/Kvform ) Ciao. Giuseppe
04-18-2024
04:08 AM
Refer below sample log file - there are 2 log files "testget.log" & "testput.log" Sample "testget.log" file as below: 240418 06:44:51 37787 testget1: ===> TRN@instance_abc.RQ1: 133c0119a15e4075...
See more...
Refer below sample log file - there are 2 log files "testget.log" & "testput.log" Sample "testget.log" file as below: 240418 06:44:51 37787 testget1: ===> TRN@instance_abc.RQ1: 133c0119a15e407595cd46c89216ca101 [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:44:51 37787 testget1: <--- TRN: 133c0119a15e407595cd46c89216ca101 - S from [TEST.RCV.FROM.ABC.PQRST.Q1@QM.PQRS102].
240418 06:44:51 37787 testget1: ===> TRN@instance_abc.RQ1: b247073ae24443d79be3360de4c1bfec1 [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:44:51 37787 testget1: ===> TRN@instance_abc.RQ1: f3cf7266d2ad4fa6bf86412441c374991 [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:44:51 37787 testget1: <--- TRN: b247073ae24443d79be3360de4c1bfec1 - S from [TEST.RCV.FROM.ABC.PQRST.Q1@QM.PQRS102].
240418 06:44:51 37787 testget1: <--- TRN: f3cf7266d2ad4fa6bf86412441c374991 - S from [TEST.RCV.FROM.ABC.PQRST.Q1@QM.PQRS102].
240418 06:44:51 37787 testget1: ===> TRN@instance_abc.RQ1: d7de4351d94040a995eb373fe834a0371 [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:44:50 37787 testget1: <--- TRN: d7de4351d94040a995eb373fe834a0371 - S from [TEST.RCV.FROM.ABC.PQRST.Q1@QM.PQRS102].
240418 06:44:49 37787 testget1: ===> TRN@instance_abc.RQ1: c36d67d7af5f45f28afe0af2a80c6ea61 [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:44:49 37787 testget1: <--- TRN: c36d67d7af5f45f28afe0af2a80c6ea61 - S from [TEST.RCV.FROM.ABC.PQRST.Q1@QM.PQRS102].
240418 06:41:24 37787 testget1: ===> TRN@instance_abc.RQ1: fbccac1e49bf41b9a66ac87c2e9976691 [Priority=Medium,ScanPriority=4, Rule: LOC=HK2; Cur=USD; Amt≥0; Srv=ALL; Recv@1565936557:00 00-00-0000].
240418 06:41:24 37787 testget1: <--- TRN: fbccac1e49bf41b9a66ac87c2e9976691 - S from [TEST.RCV.FROM.ABC.PQRST.Q1@QM.PQRS102].
240418 06:39:57 37787 testget1: ===> TRN@instance_abc.RQ1: UVW024041800194GN00013-DREn0000cA [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:39:57 37787 testget1: ===> TRN@instance_abc.RQ1: UVW024041800194GN00012-DREn0000bA [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:39:57 37787 testget1: ===> TRN@instance_abc.RQ1: UVW024041800194GN00011-DREn0000aA [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:39:57 37787 testget1: ===> TRN@instance_abc.RQ1: UVW024041800194GN00010-DREn00009A [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:39:57 37787 testget1: ===> TRN@instance_abc.RQ1: UVW024041800194GN00009-DREn00008A [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:39:57 37787 testget1: ===> TRN@instance_abc.RQ1: UVW024041800194GN00008-DREn00007A [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:39:57 37787 testget1: ===> TRN@instance_abc.RQ1: UVW024041800194GN00007-DREn00006A [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:39:57 37787 testget1: ===> TRN@instance_abc.RQ1: UVW024041800194GN00006-DREn00005A [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:39:57 37787 testget1: ===> TRN@instance_abc.RQ1: UVW024041800194GN00005-DREn00004A [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:39:57 37787 testget1: ===> TRN@instance_abc.RQ1: UVW024041800194GN00004-DREn00003A [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:39:57 37787 testget1: ===> TRN@instance_abc.RQ1: UVW024041800194GN00003-DREn00002A [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:39:57 37787 testget1: ===> TRN@instance_abc.RQ1: UVW024041800194GN00002-DREn00001A [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:39:57 37787 testget1: <--- TRN: UVW024041800194GN00013-DREn0000cA - S from [TEST.RCV.FROM.PQR@QM.PQRS103].
240418 06:39:57 37787 testget1: <--- TRN: UVW024041800194GN00012-DREn0000bA - S from [TEST.RCV.FROM.PQR@QM.PQRS103].
240418 06:39:57 37787 testget1: <--- TRN: UVW024041800194GN00011-DREn0000aA - S from [TEST.RCV.FROM.PQR@QM.PQRS103].
240418 06:39:57 37787 testget1: <--- TRN: UVW024041800194GN00010-DREn00009A - S from [TEST.RCV.FROM.PQR@QM.PQRS103].
240418 06:39:57 37787 testget1: <--- TRN: UVW024041800194GN00009-DREn00008A - S from [TEST.RCV.FROM.PQR@QM.PQRS103].
240418 06:39:57 37787 testget1: <--- TRN: UVW024041800194GN00008-DREn00007A - S from [TEST.RCV.FROM.PQR@QM.PQRS103].
240418 06:39:57 37787 testget1: <--- TRN: UVW024041800194GN00007-DREn00006A - S from [TEST.RCV.FROM.PQR@QM.PQRS103].
240418 06:39:57 37787 testget1: vlog: Current log size is 2441342 bytes
240418 06:39:57 37787 testget1: <--- TRN: UVW024041800194GN00006-DREn00005A - S from [TEST.RCV.FROM.PQR@QM.PQRS103].
240418 06:39:57 37787 testget1: <--- TRN: UVW024041800194GN00005-DREn00004A - S from [TEST.RCV.FROM.PQR@QM.PQRS103].
240418 06:39:57 37787 testget1: <--- TRN: UVW024041800194GN00004-DREn00003A - S from [TEST.RCV.FROM.PQR@QM.PQRS103].
240418 06:39:57 37787 testget1: <--- TRN: UVW024041800194GN00003-DREn00002A - S from [TEST.RCV.FROM.PQR@QM.PQRS103].
240418 06:39:57 37787 testget1: <--- TRN: UVW024041800194GN00002-DREn00001A - S from [TEST.RCV.FROM.PQR@QM.PQRS103].
240418 06:39:56 37787 testget1: ===> TRN@instance_abc.RQ1: UVW024041800194GN00001-DREn00000A [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:39:56 37787 testget1: <--- TRN: UVW024041800194GN00001-DREn00000A - S from [TEST.RCV.FROM.PQR@QM.PQRS103].
240418 06:37:45 37787 testget1: ===> TRN@instance_abc.RQ1: 34e4c77406e647d29859a7c3e0077cab1 [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:37:45 37787 testget1: <--- TRN: 34e4c77406e647d29859a7c3e0077cab1 - S from [TEST.RCV.FROM.ABC.PQRST.Q1@QM.PQRS102].
240418 06:37:28 37787 testget1: ===> TRN@instance_abc.RQ1: 17bd221de8f14fd09439fc2bb9564bed1 [Priority=Medium,ScanPriority=4, Rule: LOC=HK2; Cur=USD; Amt≥0; Srv=ALL; Recv@1565936557:00 00-00-0000].
240418 06:37:28 37787 testget1: <--- TRN: 17bd221de8f14fd09439fc2bb9564bed1 - S from [TEST.RCV.FROM.ABC.PQRST.Q1@QM.PQRS102].
240418 06:37:08 37787 testget1: ===> TRN@instance_abc.RQ1: MNO24041800065GS00081-DREl00050A [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:37:08 37787 testget1: ===> TRN@instance_abc.RQ1: MNO24041800065GS00080-DREl0004fA [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:37:08 37787 testget1: ===> TRN@instance_abc.RQ1: MNO24041800065GS00079-DREl0004eA [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:37:08 37787 testget1: ===> TRN@instance_abc.RQ1: MNO24041800065GS00078-DREl0004dA [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:37:08 37787 testget1: ===> TRN@instance_abc.RQ1: MNO24041800065GS00077-DREl0004cA [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:37:08 37787 testget1: ===> TRN@instance_abc.RQ1: MNO24041800065GS00076-DREl0004bA [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:37:08 37787 testget1: ===> TRN@instance_abc.RQ1: MNO24041800065GS00059-DREl0003aA [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:37:08 37787 testget1: ===> TRN@instance_abc.RQ1: MNO24041800065GS00058-DREl00039A [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:37:08 37787 testget1: ===> TRN@instance_abc.RQ1: MNO24041800065GS00057-DREl00038A [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:37:08 37787 testget1: ===> TRN@instance_abc.RQ1: MNO24041800065GS00056-DREl00037A [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:37:08 37787 testget1: ===> TRN@instance_abc.RQ1: MNO24041800065GS00055-DREl00036A [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:37:08 37787 testget1: ===> TRN@instance_abc.RQ1: MNO24041800065GS00054-DREl00035A [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:37:08 37787 testget1: ===> TRN@instance_abc.RQ1: MNO24041800065GS00053-DREl00034A [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:37:08 37787 testget1: ===> TRN@instance_abc.RQ1: MNO24041800065GS00052-DREl00033A [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:37:08 37787 testget1: <--- TRN: MNO24041800065GS00081-DREl00050A - S from [TEST.RCV.FROM.XYZ@QM.PQRS103].
240418 06:37:08 37787 testget1: <--- TRN: MNO24041800065GS00080-DREl0004fA - S from [TEST.RCV.FROM.XYZ@QM.PQRS103].
240418 06:37:08 37787 testget1: <--- TRN: MNO24041800065GS00079-DREl0004eA - S from [TEST.RCV.FROM.XYZ@QM.PQRS103].
240418 06:37:08 37787 testget1: <--- TRN: MNO24041800065GS00078-DREl0004dA - S from [TEST.RCV.FROM.XYZ@QM.PQRS103].
240418 06:37:08 37787 testget1: <--- TRN: MNO24041800065GS00077-DREl0004cA - S from [TEST.RCV.FROM.XYZ@QM.PQRS103].
240418 06:37:08 37787 testget1: <--- TRN: MNO24041800065GS00076-DREl0004bA - S from [TEST.RCV.FROM.XYZ@QM.PQRS103].
240418 06:37:08 37787 testget1: <--- TRN: MNO24041800065GS00071-DREl00046A - S from [TEST.RCV.FROM.XYZ@QM.PQRS103].
240418 06:37:08 37787 testget1: <--- TRN: MNO24041800065GS00057-DREl00038A - S from [TEST.RCV.FROM.XYZ@QM.PQRS103].
240418 06:37:08 37787 testget1: <--- TRN: MNO24041800065GS00056-DREl00037A - S from [TEST.RCV.FROM.XYZ@QM.PQRS103].
240418 06:37:08 37787 testget1: <--- TRN: MNO24041800065GS00055-DREl00036A - S from [TEST.RCV.FROM.XYZ@QM.PQRS103].
240418 06:37:08 37787 testget1: <--- TRN: MNO24041800065GS00054-DREl00035A - S from [TEST.RCV.FROM.XYZ@QM.PQRS103].
240418 06:37:08 37787 testget1: <--- TRN: MNO24041800065GS00053-DREl00034A - S from [TEST.RCV.FROM.XYZ@QM.PQRS103].
240418 06:37:08 37787 testget1: <--- TRN: MNO24041800065GS00052-DREl00033A - S from [TEST.RCV.FROM.XYZ@QM.PQRS103].
240418 06:37:08 37787 testget1: ===> TRN@instance_abc.RQ1: MNO24041800065GS00051-DREl00032A [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:37:08 37787 testget1: ===> TRN@instance_abc.RQ1: MNO24041800065GS00050-DREl00031A [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:37:08 37787 testget1: ===> TRN@instance_abc.RQ1: MNO24041800065GS00049-DREl00030A [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:37:08 37787 testget1: ===> TRN@instance_abc.RQ1: MNO24041800065GS00048-DREl0002fA [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:37:08 37787 testget1: ===> TRN@instance_abc.RQ1: MNO24041800065GS00047-DREl0002eA [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:37:08 37787 testget1: ===> TRN@instance_abc.RQ1: MNO24041800065GS00031-DREl0001eA [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:37:08 37787 testget1: ===> TRN@instance_abc.RQ1: MNO24041800065GS00030-DREl0001dA [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:37:08 37787 testget1: ===> TRN@instance_abc.RQ1: MNO24041800065GS00029-DREl0001cA [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:37:08 37787 testget1: ===> TRN@instance_abc.RQ1: MNO24041800065GS00028-DREl0001bA [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:37:08 37787 testget1: ===> TRN@instance_abc.RQ1: MNO24041800065GS00027-DREl0001aA [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:37:08 37787 testget1: ===> TRN@instance_abc.RQ1: MNO24041800065GS00026-DREl00019A [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:37:08 37787 testget1: ===> TRN@instance_abc.RQ1: MNO24041800065GS00025-DREl00018A [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:37:08 37787 testget1: ===> TRN@instance_abc.RQ1: MNO24041800065GS00024-DREl00017A [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:37:08 37787 testget1: vlog: Current log size is 2427949 bytes
240418 06:37:08 37787 testget1: ===> TRN@instance_abc.RQ1: MNO24041800065GS00023-DREl00016A [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:37:08 37787 testget1: ===> TRN@instance_abc.RQ1: MNO24041800065GS00022-DREl00015A [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:37:08 37787 testget1: ===> TRN@instance_abc.RQ1: MNO24041800065GS00021-DREl00014A [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:37:08 37787 testget1: ===> TRN@instance_abc.RQ1: MNO24041800065GS00020-DREl00013A [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:37:08 37787 testget1: ===> TRN@instance_abc.RQ1: MNO24041800065GS00009-DREl00008A [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:37:08 37787 testget1: ===> TRN@instance_abc.RQ1: MNO24041800065GS00008-DREl00007A [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:37:08 37787 testget1: ===> TRN@instance_abc.RQ1: MNO24041800065GS00007-DREl00006A [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:37:08 37787 testget1: ===> TRN@instance_abc.RQ1: MNO24041800065GS00006-DREl00005A [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:37:08 37787 testget1: ===> TRN@instance_abc.RQ1: MNO24041800065GS00005-DREl00004A [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:37:08 37787 testget1: ===> TRN@instance_abc.RQ1: MNO24041800065GS00004-DREl00003A [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:37:08 37787 testget1: ===> TRN@instance_abc.RQ1: MNO24041800065GS00003-DREl00002A [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:37:08 37787 testget1: ===> TRN@instance_abc.RQ1: MNO24041800065GS00002-DREl00001A [Priority=Low,ScanPriority=0, Rule: Default Rule].
240418 06:37:08 37787 testget1: <--- TRN: MNO24041800065GS00051-DREl00032A - S from [TEST.RCV.FROM.XYZ@QM.PQRS103].
240418 06:37:08 37787 testget1: <--- TRN: MNO24041800065GS00050-DREl00031A - S from [TEST.RCV.FROM.XYZ@QM.PQRS103].
240418 06:37:08 37787 testget1: <--- TRN: MNO24041800065GS00049-DREl00030A - S from [TEST.RCV.FROM.XYZ@QM.PQRS103].
240418 06:37:08 37787 testget1: <--- TRN: MNO24041800065GS00048-DREl0002fA - S from [TEST.RCV.FROM.XYZ@QM.PQRS103].
240418 06:37:08 37787 testget1: <--- TRN: MNO24041800065GS00047-DREl0002eA - S from [TEST.RCV.FROM.XYZ@QM.PQRS103].
240418 06:37:08 37787 testget1: <--- TRN: MNO24041800065GS00046-DREl0002dA - S from [TEST.RCV.FROM.XYZ@QM.PQRS103].
240418 06:37:08 37787 testget1: <--- TRN: MNO24041800065GS00045-DREl0002cA - S from [TEST.RCV.FROM.XYZ@QM.PQRS103].
240418 06:37:08 37787 testget1: <--- TRN: MNO24041800065GS00044-DREl0002bA - S from [TEST.RCV.FROM.XYZ@QM.PQRS103].
240418 06:37:08 37787 testget1: <--- TRN: MNO24041800065GS00043-DREl0002aA - S from [TEST.RCV.FROM.XYZ@QM.PQRS103].
240418 06:37:08 37787 testget1: <--- TRN: MNO24041800065GS00042-DREl00029A - S from [TEST.RCV.FROM.XYZ@QM.PQRS103].
240418 06:37:08 37787 testget1: <--- TRN: MNO24041800065GS00036-DREl00023A - S from [TEST.RCV.FROM.XYZ@QM.PQRS103].
240418 06:37:08 37787 testget1: <--- TRN: MNO24041800065GS00035-DREl00022A - S from [TEST.RCV.FROM.XYZ@QM.PQRS103].
240418 06:37:07 37787 testget1: ===> TRN@instance_abc.RQ1: MNO24041800065GS00001-DREl00000A [Priority=Low,ScanPriority=0, Rule: Default Rule].
04-18-2024
04:04 AM
I need to create a dashboard panel merging two different search queries. I have below two queries: Kindly help on this request. index=test_index source=/applications/test/*instance_abc* ("<--- T...
See more...
I need to create a dashboard panel merging two different search queries. I have below two queries: Kindly help on this request. index=test_index source=/applications/test/*instance_abc* ("<--- TRN:" OR "Priority" OR "---> TRN:" OR "AP sent to" OR "AH sent to" OR "MP sent to")
| rex field=_raw "Priority\=(?<Priority>[^\,]+)"
| rex "(?:\={3}\>|\<\-{3})\s+TRN[^\:]*\:\s+(?<trn>[^\s]+)"
| rex "TEST\.RCV\.FROM\.(?<TestMQ>.*)\@"
| stats
count(eval(Priority=="Low")) as Low,
count(eval(Priority=="Medium")) as Medium,
count(eval(Priority=="High")) as High,
values(TestMQ) as TestMQ
by trn
| stats
sum(Low) as Low,
sum(Medium) as Medium,
sum(High) as High
by TestMQ
| addtotals fieldname="TotalCount"
| sort by TotalCount desc This gives me output as below: TestMQ | Low | Medium | High | TotalCount The 2nd query is below: index=test_index source=/applications/test/*instance_abc* ("<--- TRN:" OR "Priority" OR "---> TRN:" OR "AP sent to" OR "AH sent to" OR "MP sent to")
| eval field=split(source,"/")
| eval Instance=mvindex(field,4)
| chart count(eval(searchmatch("from"))) as Testget count(eval(searchmatch("sent to"))) as Testput count(eval(searchmatch("AP sent to"))) as AP count(eval(searchmatch("AH sent to"))) as AH count(eval(searchmatch("MP sent to"))) as MP by Instance
| eval Pending = Testget - (AP + AH)
| sort Testget desc This gives me output as below: Instance | Testget | Testput | AP | AH | MP | Pending I am looking for merging both the queries together and get the final output based on Pending volume for Low, Medium and High priority counts. Select: Low, Medium, High (From the Dashboard dropdown) Output Expected: TestMQ| Low-Testget | Low-Testput | Low-AP | Low-AH | Low-MP | Low-Pending TestMQ | Medium-Testget | Medium-Testput | Medium-AP | Medium-AH | Medium-MP | Medium-Pending TestMQ | High-Testget | High-Testput | High-AP | High-AH | High-MP | High-Pending
