All Posts



Hi, what do you have in the _raw data? Are those real duplicate events, or are they real events which really should be in the logs? If those are correctly in the logs and there should be the "same" event twice, you probably could mark the "duplicates" with streamstats, adding some count, and then remove those duplicates before your stats count line? See https://docs.splunk.com/Documentation/Splunk/9.2.0/SearchReference/Streamstats Something like ... | <set your service> | streamstats time_window=10s count as dup_count by service, <other fields to match events correctly> | where dup_count < 2 | stats .... r. Ismo
Thanks for your suggestion I tried to simplify, but this is what I am trying to solve: https://community.splunk.com/t5/Splunk-Search/How-to-search-based-on-drop-down-condition/m-p/681366#M232829
You didn't tell us what your issue is. You just told us how you are trying to solve it! In Splunk there are usually several ways to solve those, and some are much better than others. Usually people who are not familiar with Splunk try to use the second option .... You can see e.g. https://community.splunk.com/t5/Splunk-Search/How-to-return-a-single-value-from-a-subsearch-into-eval/m-p/681377#M232833 for how to use "variables" in a search etc.
Sample Payload =========
Dimension.id: xxxProcess.aspx
Dimension.name: Literal Not Found
MessageDeduplicationId: a901b712889217fc194cd0446a70325e
aggregation: avg
entity.service.id: xxx
entity.service.name: xxxx
metric_name:calc:xxxx_lr_tags: 1613759
resolution: 1m
source.name: xxxx
unit: MicroSecond
Modified Query ==========   | mstats sum(calc:service.thaa_stress_requests_count_lr_tags) As "Count" ,avg(calc:service.thaa_stress_requests_lr_tags) As "Response" where index=itsi_im_metrics AND source.name="DT_NonProd_SaaS" by Dimension.id | eval Response=round((Response/1000000),2), Count=round(Count,0) | search Dimension.id IN ("*Process.aspx") | dedup MessageDeduplicationId
Initial Query ==========   | mstats sum(calc:service.thaa_stress_requests_count_lr_tags) As "Count" ,avg(calc:service.thaa_stress_requests_lr_tags) As "Response" where index=itsi_im_metrics AND source.name="DT_NonProd_SaaS" by Dimension.id | eval Response=round((Response/1000000),2), Count=round(Count,0) | search Dimension.id IN ("*Process.aspx")
One comment on this workaround. It extracts those fields as expected, BUT if any event is shorter than 10241 (or whatever you have in limits.conf/kv stanza) characters, then you have duplicate fields on those events! Basically you can try to remove the duplicates, e.g. | mvexpand <field name> | dedup <field name> Usually this must be done for one field only. Anyhow, this is just a workaround until you can fix those values in limits.conf (kv stanza). See e.g. https://community.splunk.com/t5/Splunk-Search/Why-are-not-all-field-values-are-extracted-for-long-JSON-files/m-p/573446
We are streaming Dynatrace metric data into Splunk, and for some reason we are seeing duplicate 'MessageDeduplicationId' values. So I am trying to avoid the duplicate entries using the dedup command, but I am not retrieving any results after using dedup. Here is my initial query, which returns results (with duplicates):
| mstats sum(calc:service.thaa_stress_requests_count_lr_tags) As "Count" ,avg(calc:service.thaa_stress_requests_lr_tags) As "Response" where index=itsi_im_metrics AND source.name="DT_NonProd_SaaS" by Dimension.id | eval Response=round((Response/1000000),2), Count=round(Count,0) | search Dimension.id IN ("*Process.aspx")
After adding dedup to avoid duplicate 'MessageDeduplicationId', there are no results:
| mstats sum(calc:service.thaa_stress_requests_count_lr_tags) As "Count" ,avg(calc:service.thaa_stress_requests_lr_tags) As "Response" where index=itsi_im_metrics AND source.name="DT_NonProd_SaaS" by Dimension.id | eval Response=round((Response/1000000),2), Count=round(Count,0) | search Dimension.id IN ("*Process.aspx") | dedup MessageDeduplicationId
Sample payload:
Dimension.id: xxxProcess.aspx
Dimension.name: Literal Not Found
MessageDeduplicationId: a901b712889217fc194cd0446a70325e
aggregation: avg
entity.service.id: xxx
entity.service.name: xxxx
metric_name:calc:service.thaa_stress_requests_lr_tags: 1613759
resolution: 1m
source.name: xxxx
unit: MicroSecond
Did you ever figure out a solution to this? Running into the same problem. Seems that there is an issue with where the HEC key points and the actual index that gets populated.
Hi! I have an issue with a query and the dedup command.
| eval service=case( (method="GET" AND match(uri, "/v1/[a-zA-Z]{2}/customers\?.*searchString=[^&]+.*")), "FindCustomer", (method="GET" AND match(uri, "/v2/[A-Za-z]{2}/private-customers(/[a-zA-Z0-9-]+)?(?!/)")), "ReadCustomer") | stats count by service
Unfortunately, I have been noticing that my events matching "ReadCustomer" are logged twice. Therefore I get two events right after each other with a couple of seconds in between, which is polluting my results. I need to somehow deduplicate events which have the same uri and happen within 10s of each other. I was thinking of using
| dedup uri
but realized that I want to allow the same uri if there is more than 10 seconds between the events. If dedup could take a span, that would be the optimal way for me. Does anyone have a good idea on how to solve this? I was also thinking about | transaction as well, but I'm not sure if I can use it...
Hi all, we used the flutter appdynamics agent 23.3.0 and it showed the crash stack trace in the crash details on the AppD dashboard. However, it doesn't show anymore after we upgraded the agent version to 23.12.0. It shows only the exception name, like this. I checked the appd logs with verbose enabled and it looks like it is sending the crash report event with the stack trace normally. Is there something I was missing? Thanks.
Hello, I need to filter using search based on a condition. Instead of | search no = "abc" I need to make "abc" a variable. Thanks, Marius
Thanks for this. Is it possible to pass the Time value, which is calculated in the real-time search, to the inputlookup, to filter out the required 'Values' for comparison? I checked the documentation on lookup and tried the solution you shared earlier; however, I am not getting the desired results. E.g. my lookup has 20 entries and the real-time count only has 18; the final result is 18 entries, with Found containing values only of those present in the real-time check. The two missing entries are not displayed (null values under Found). Any suggestions on what might be the possible issue?
@ITWhisperer I ran... | makeresults count=3 | streamstats count as a | eval a=a+10, b=a+10, c=a+20 | format ...which gave... ( ( a="11" AND b="21" AND c="31" ) OR ( a="12" AND b="22" AND c="32" ) OR ( a="13" AND b="23" AND c="33" ) ) ...which tallies with fields/rows as 'AND'/'OR', but I don't understand the output from your original example... | makeresults count=3 | streamstats count as a | eval a=a+10, b=a+10, c=a+20 | format 1 2 3 4 5 6 1 2 a="11" 3 b="21" 3 c="31" 4 5 2 a="12" 3 b="22" 3 c="32" 4 5 2 a="13" 3 b="23" 3 c="33" 4 6 ??
| transaction transactionId startswith="step=Before" endswith="step=After" | stats max(duration) as MaxRespTime avg(duration) as AvgRespTime min(duration) as MinRespTime by ESService This should do it.
I understand. Still, trying to run the search, it returns no result... index=example host=* message_name=* AND profileId="example" AND "deviceClass":"example" AND "Message received: {"name":"screenView","screenName":"assetcard"" | rex field=_raw "Message received:\s\{(?P<check>.*?)\,\"previous" | where like(check,"%assetcard%")
Correction: no need for alerts from 23:50 to 00:15.
Hello all, below is my alert script, and I don't want to have any alerts during the night from 11:50 to 00:25 midnight; however, I am getting them and it's triggering an alert to the support team. This is the daily restart window for interfaces and there is no need for alerts during this time.
index=XXX sourcetype=XXX punct="--_::.,_=\"\"" | rex field=_raw "\d*-\d*-\d*\s(?<hour>\d*:\d*):\d*\S\d*\S" | search hour!=23:50 | search hour!=00:15 | table _time SITE
Appreciate help on this. Below is the sample event:
2024-03-20 06:32:08.046, SITE="UU3"
Thank you bowesmana! Really appreciate your help on this. Now I am greedy.... Can I get a query to get the Max, Average, and Minimum of each ESService?
Hi, as you can see this depends on the case. You must also understand that SPL is not a programming language, and for that reason it works differently from those. What is the use case / issue which you are trying to solve? r. Ismo