Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Posts
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- All Posts
All Posts
08-31-2023
03:09 AM
Hi Team, 2023-08-27 10:34:18.285 [INFO ] [Thread-30] TriumphUnbilledProcessor - TRIM.UNBILLED event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}] ...
See more...
Hi Team, 2023-08-27 10:34:18.285 [INFO ] [Thread-30] TriumphUnbilledProcessor - TRIM.UNBILLED event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}] 2023-08-27 07:38:31.688 [INFO ] [Thread-31] TriumphCancelTransferProcessor - TRIM.CNX event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}] I want to fetch filenames(bold) from row logs: TRIM.UNBILLED and TRIM.CNX my current query: index="abc"sourcetype =600000304_gg_abs_ipc1 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "event published to ebnc:" NOT "Utils -" | rex " event published to ebnc: \[\{\"status\":\"(?<status>.*)\",\"description\":\"(?<description>.*)\"\}\]" | eval message="event published to ebnc" | table message status description
08-31-2023
02:57 AM
What events do you have ingested into Splunk showing this condition?
08-31-2023
02:57 AM
But we have some events of job in indexA and some events of job in indexB ,suppose if we want to create a table all events of same job,how can we do that
08-31-2023
02:55 AM
1 Karma
Try it in Splunk not regex101.com | makeresults
| fields - _time
| eval _raw="command:RESTORE LABELONLY FROM DISK=@P1
command:RESTORE VERIFYONLY FROM DISK = 'i:\toto.sql'
command:RESTORE VERIFYONLY ...
See more...
Try it in Splunk not regex101.com | makeresults
| fields - _time
| eval _raw="command:RESTORE LABELONLY FROM DISK=@P1
command:RESTORE VERIFYONLY FROM DISK = 'i:\toto.sql'
command:RESTORE VERIFYONLY FROM DISK = 'i:\tata.sql'
command:RESTORE LABELONLY FROM DISK=@P1
command:sp_addlinkedsrvlogin
command:RESTORE LABELONLY FROM DISK=@P1"
| multikv noheader=t
| fields _raw
| rex "command:(?<firstwords>\w+(\s\w+)?)"
08-31-2023
02:53 AM
1 Karma
You literally said "add new row"! If you just want the difference, try this | eval difference=count_carmen-inserts-updates-errors
08-31-2023
02:45 AM
Hi, It seems that it doesn't work for line sp_addlinkedsrvlogin, i get this word and the word of the next line. If there is only one word one the line, i need to get only these word. Regards T...
See more...
Hi, It seems that it doesn't work for line sp_addlinkedsrvlogin, i get this word and the word of the next line. If there is only one word one the line, i need to get only these word. Regards Tchounga
08-31-2023
02:38 AM
Hi, I am looking for a query to get list of DBConnect exceptions with their timestamp in order to plot them in a graph. Thank you Kind regards Marta
Labels
- Labels:
-
using Splunk Cloud
08-31-2023
02:33 AM
It is giving me a new column and row what if I only wants a column of field name difference.
- Tags:
- ing me
08-31-2023
02:31 AM
1 Karma
Hi @jamaluddin-k, as you can see in the following question (https://community.splunk.com/t5/Getting-Data-In/send-a-subset-of-logs-via-syslog-to-a-Third-Party-and-all-logs/m-p/506184) I had the same ...
See more...
Hi @jamaluddin-k, as you can see in the following question (https://community.splunk.com/t5/Getting-Data-In/send-a-subset-of-logs-via-syslog-to-a-Third-Party-and-all-logs/m-p/506184) I had the same problem and I solved adding in inputs.conf _TCP_ROUTING to all the sourcetypes and _SYSLOG_ROUTING to the three ones to send to syslog. Ciao. Giuseppe
08-31-2023
02:27 AM
Hi @gcusello , I see, That was a big gap on my end. But I also already had tried the Syslog Forwarding section on the URL you shared. I was not able to receive any data at the syslog server. My out...
See more...
Hi @gcusello , I see, That was a big gap on my end. But I also already had tried the Syslog Forwarding section on the URL you shared. I was not able to receive any data at the syslog server. My output.conf file is as simple as below. [syslog]
defaultGroup=syslogGroup
[syslog:syslogGroup]
server = 192.168.6.158:514 I initially felt that the syslog server configuration might have some issue or maybe network, but no I was able to send TCP message to the syslog server from the Splunk Enterprise VM Instance. Only the data from Splunk is not getting forwarded. Both the Sysylog Server VM and Splunk Enterprise VM are in the same network. Just curious, is the defaultGroup parameter got to do something here? Thanks for your help.
08-31-2023
02:16 AM
schedule_search is all you need from my experience
08-31-2023
02:05 AM
Hi Team, we are observing below error while accessing analytic page, what could be reason of it?
Labels
- Labels:
-
Business iQ (Analytics)
08-31-2023
02:05 AM
This worked, thanks a lot Good day.
08-31-2023
02:00 AM
| rex "command:(?<firstwords>\w+(\s\w+)?)"
08-31-2023
01:56 AM
1 Karma
If I understand correctly, you could try something like this: | eval src=case(src="retailautonomyfileage" AND Fname="mdmdat", "retailautonomyfileage1", src="retailautonomyfileage" AND Fname="omsdat"...
See more...
If I understand correctly, you could try something like this: | eval src=case(src="retailautonomyfileage" AND Fname="mdmdat", "retailautonomyfileage1", src="retailautonomyfileage" AND Fname="omsdat", "retailautonomyfileage2", src="retailautonomyfileage" AND Fname="promodat", "retailautonomyfileage3", true(), src)
| eval status=if(((src="DB_Rebuild_Indexes_UpdateStats_MDM" OR src="DB_Stop_IndexRebuild_Jobs") AND (JobExecTime>39600 OR message="failed"))
OR (src="RetailAutonomyDataSync" AND (JobExecTime>21600 OR message="failed"))
OR (src="RetailAutonomyPromotionsDataSync" AND (JobExecTime>4000 OR message="failed"))
OR ((src="retailautonomyfileage1" OR src="retailautonomyfileage2") AND Age>240) OR (src="retailautonomyfileage3" AND Age>120)
OR (src="retaillineitemdup" AND Count>0)
OR (src="esbmessagecount" AND MsgCount>5),"Down","Up")
| stats count count(eval(status="Down")) AS Down latest(_time) as _time BY Device Store src host Chain StoreNum Domain
08-31-2023
01:53 AM
Hi, I need to extract with rex the two first words of one event but sometimes they are only one word. For example, with these data : command:RESTORE LABELONLY FROM DISK=@P1 command:RESTORE VER...
See more...
Hi, I need to extract with rex the two first words of one event but sometimes they are only one word. For example, with these data : command:RESTORE LABELONLY FROM DISK=@P1 command:RESTORE VERIFYONLY FROM DISK = 'i:\toto.sql' command:RESTORE VERIFYONLY FROM DISK = 'i:\tata.sql' command:RESTORE LABELONLY FROM DISK=@P1 command:sp_addlinkedsrvlogin command:RESTORE LABELONLY FROM DISK=@P1 I need to have set the field command with these value from these data : RESTORE LABELONLY RESTORE VERIFYONLY RESTORE VERIFYONLY RESTORE LABELONLY sp_addlinkedsrvlogin RESTORE LABELONLY I will apreciate some help to have the correct syntax for rex. Regards
Labels
- Labels:
-
rex
08-31-2023
01:47 AM
Hi @man03359, as I already asked, do you have the same issue also dividing the eval command by src? | eval status=if(((src="DB_Rebuild_Indexes_UpdateStats_MDM" OR src="DB_Stop_IndexRebuild_Jobs") A...
See more...
Hi @man03359, as I already asked, do you have the same issue also dividing the eval command by src? | eval status=if(((src="DB_Rebuild_Indexes_UpdateStats_MDM" OR src="DB_Stop_IndexRebuild_Jobs") AND (JobExecTime>39600 OR message="failed")) ,"Down","Up")
| eval status=if(src="RetailAutonomyDataSync" AND (JobExecTime>21600 OR message="failed")),"Down","Up")
| eval status=if(src="RetailAutonomyPromotionsDataSync" AND (JobExecTime>4000 OR message="failed")),"Down","Up")
| eval status=if(src="retailautonomyfileage" AND (((Fname="mdmdat" OR Fname="omsdat") AND Age>240) OR (Fname="promodat" AND Age>120))),"Down","Up")
| eval status=if(src="retaillineitemdup" AND Count>0),"Down","Up")
| eval status=if(src="esbmessagecount" AND MsgCount>5),"Down","Up")
| stats count count(eval(status="Down")) AS Down latest(_time) as _time BY Device Store src host Chain StoreNum Domain Ciao. Giuseppe
08-31-2023
01:36 AM
Hi All, I am relatively new to splunk. I am trying to build a search query and below is the condition of the query- | eval status=if(((src="DB_Rebuild_Indexes_UpdateStats_MDM" OR src="DB_Stop_Index...
See more...
Hi All, I am relatively new to splunk. I am trying to build a search query and below is the condition of the query- | eval status=if(((src="DB_Rebuild_Indexes_UpdateStats_MDM" OR src="DB_Stop_IndexRebuild_Jobs") AND (JobExecTime>39600 OR message="failed")) OR (src="RetailAutonomyDataSync" AND (JobExecTime>21600 OR message="failed")) OR (src="RetailAutonomyPromotionsDataSync" AND (JobExecTime>4000 OR message="failed")) OR (src="retailautonomyfileage" AND (((Fname="mdmdat" OR Fname="omsdat") AND Age>240) OR (Fname="promodat" AND Age>120))) OR (src="retaillineitemdup" AND Count>0) OR (src="esbmessagecount" AND MsgCount>5),"Down","Up") | stats count count(eval(status="Down")) AS Down latest(_time) as _time BY Device Store src host Chain StoreNum Domain I am facing problem in line no 4 which is - (src="retailautonomyfileage" AND (((Fname="mdmdat" OR Fname="omsdat") AND Age>240) OR (Fname="promodat" AND Age>120)))It is reading all 3 filenames as one (Fname). The source "retailautonomyfileage has 3 filenames (Fname="mdmdat" , Fname="omsdat", Fname="promodat") and when I do the stats count, not sure why it is counting the sum of all 3 filenames altogether in the output (18 instead of 6)- Output- Device Store src host Chain StoreNum Domain count stp-020sql1 stp0020 DB_Rebuild_Indexes_UpdateStats_MDM stp-020sql1.stp.local stp 20 stp.local 6 stp-020sql1 stp0020 DB_Stop_IndexRebuild_Jobs stp-020sql1.stp.local stp 20 stp.local 6 stp-020sql1 stp0020 RetailAutonomyDataSync stp-020sql1.stp.local stp 20 stp.local 6 stp-020sql1 stp0020 RetailAutonomyPromotionsDataSync stp-020sql1.stp.local stp 20 stp.local 6 stp-020sql1 stp0020 esbmessagecount stp-020sql1.stp.local stp 20 stp.local 6 stp-020sql1 stp0020 retailautonomyfileage stp-020sql1.stp.local stp 20 stp.local 18 stp-020sql1 stp0020 retaillineitemdup stp-020sql1.stp.local stp 20 stp.local 6 stp-089sql1 stp0089 DB_Rebuild_Indexes_UpdateStats_MDM stp-089sql1.stp.local stp 89 stp.local 6 stp-089sql1 stp0089 DB_Stop_IndexRebuild_Jobs stp-089sql1.stp.local stp 89 stp.local 6 I am trying to break it into 3 lines under the search query . eg (src="retailautonomyfileage1") AND (Fname="mdmdat" AND Age>240)) (src="retailautonomyfileage2" AND (Fname="omsdat" AND Age>240)) (src="retailautonomyfileage3" AND (Fname="promodat" AND Age>120)) Not sure how I can obtain that. Please help. Thanks in Advance.
Labels
- Labels:
-
alert action
-
alert condition
08-31-2023
01:13 AM
Alternatively, you could look at using CSS to modify the fill pattern used. There are a number of issues with this. Firstly, the pattern must have been visible on your dashboard. Secondly, for column...
See more...
Alternatively, you could look at using CSS to modify the fill pattern used. There are a number of issues with this. Firstly, the pattern must have been visible on your dashboard. Secondly, for column charts for example, the "bars" are defined as a path for each series; this means that the pattern is applied across the whole series, not each bar separately. Thirdly, the image used must be available. In this example, I have used the app icon <row>
<panel>
<html>
<svg version="1.1" height="100" width="200">
<defs>
<pattern id="imagefiller" patternUnits="userSpaceOnUse" width="500" height="500">
<rect style="fill:blue" width="500" height="500"/>
<image href="/en-GB/splunkd/__raw/servicesNS/username/application/static/appIcon_2x.png" x="20" y="100" width="30" height="30" />
</pattern>
</defs>
<g>
<rect style="fill:url(#imagefiller)" width="150" height="90"/>
</g>
</svg>
<style>
#filler g.highcharts-series path.highcharts-graph {
fill: url(#imagefiller);
}
</style>
</html>
</panel>
<panel>
<chart id="filler">
<search>
<query>| makeresults count=5
| eval value=random()%5
| eval series=mvindex(split("ABC",""),random()%3)
| chart sum(value) by series</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="charting.chart">column</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
