Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- About fisuser1
fisuser1
Contributor
Member since:
01-23-2013
10-29-2020
Community Statistics
| Posts | 95 |
| Solutions | 3 |
| Karma Given | 16 |
| Karma Received | 9 |
| Member Since | 01-23-2013 |
Activity Feed
- Got Karma for ui_inactivity_timeout - web.conf. 03-22-2024 08:37 AM
- Got Karma for ui_inactivity_timeout - web.conf. 10-22-2021 10:00 AM
- Karma Re: Could not use strptime to parse timestamp " for to4kawa. 10-23-2020 11:16 AM
- Posted Could not use strptime to parse timestamp " on Splunk Search. 10-23-2020 09:19 AM
- Got Karma for ui_inactivity_timeout - web.conf. 06-05-2020 12:51 AM
- Karma Re: dump command - indexer cluster question for koshyk. 06-05-2020 12:50 AM
- Karma Health warning - The percentage of small of buckets created (40) over the last hour is very high ... for goran_epl. 06-05-2020 12:50 AM
- Karma Re: How do you create a regex that keeps only specific events? for ddrillic. 06-05-2020 12:50 AM
- Karma Re: linebreak on expression passed into log for maciep. 06-05-2020 12:50 AM
- Karma Re: Heavy Forwarder routing to two seperate indexer clusters for renjith_nair. 06-05-2020 12:50 AM
- Karma Re: Major boot-start change with 7.2.3 for satyenshah. 06-05-2020 12:50 AM
- Karma Re: Appendcols not lining up Total Volume by SLA Volume for DavidHourani. 06-05-2020 12:50 AM
- Got Karma for Re: dump command - indexer cluster question. 06-05-2020 12:50 AM
- Got Karma for Appendcols not lining up Total Volume by SLA Volume. 06-05-2020 12:50 AM
- Karma Re: Why is the chart only valuing 15% above calculated average response? for renjith_nair. 06-05-2020 12:49 AM
- Got Karma for Re: How do I present run time values for the past 30 days, but only display those that are greater than the average?. 06-05-2020 12:49 AM
- Got Karma for Re: Why is the chart only valuing 15% above calculated average response?. 06-05-2020 12:49 AM
- Karma Re: Where do I put the outputs.conf file to disable indexing on my search head? for mrgibbon. 06-05-2020 12:48 AM
- Karma Re: line-break issues in events for woodcock. 06-05-2020 12:48 AM
- Got Karma for line-break issues in events. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 3 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
05-30-2019
01:37 PM
working regex before log format change, which was extracting http_status
\b(?<http_status>\d{3}) \d
... View more
05-30-2019
01:37 PM
this was the working regex before they changed format
\b(?<http_status>\d{3}) \d
... View more
05-30-2019
01:32 PM
another example:
2019-05-30 10:56:06 127.0.0.1 GET /api/accounts/3448122/account-history timePeriod=1&type=1&amount=&check=&description=&startfromIndex=150 1101 {"UserId":9999999,"Username":"mr_blah","Realm":"111906271","sessionTimeout":"20","ipAddress":"127.0.0.1"} 127.0.0.1 Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/59.0.3071.115+Safari/537.36 https://online.com/ORUI/ 200 0 0 250 127.0.0.1
... View more
05-30-2019
01:30 PM
this will be done via props. trying to match on the http_status value only, ie 200 or 401 in the raw data provided. the current regex I provided is matching on both "fromIndex=" AND http status fields after the application team changed the log format.
... View more
05-30-2019
01:28 PM
Thanks for the response @martinpu. actually, for whatever reason, the answers.splunk.com format added that. there are no ** around the status codes in the logs. These are IIS logs. Not sure why the format of this page added them. Pasting a few examples again.
2019-05-30 11:26:48 127.0.0.1 GET /javascript/MenuDropItems.js v=1801 1101 - 10.237.0.43 Mozilla/5.0+(Linux;+Android+8.0.0;+SM-G930T)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/74.0.3729.157+Mobile+Safari/537.36 https://online.com/PassMarkRecognizedAdv.aspx?qs=b2TU7c2wr8E0dfptJiVc6osqODJNVVaa6UZusUsRdZI%3d 200 0 0 0 127.0.0.1
2019-05-30 10:56:06 127.0.0.1 GET /api/accounts/3448122/account-history timePeriod=1&type=1&amount=&check=&description=&startfromIndex=150 1101 {"UserId":carl,"Username":"mr_blah","Realm":"111906271","sessionTimeout":"20","ipAddress":"127.0.0.1"} 127.0.0.1 Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/59.0.3071.115+Safari/537.36 https://online.com/ORUI/ 200 0 0 250 127.0.0.1
2019-05-30 10:55:57 127.0.0.1 GET /064107994/api/accounts/17004/account-history timePeriod=03/01/2019,05/30/2019&type=1&amount=&check=&description=&startfromIndex=150 80 {"UserId":carl,"Username":"mr_blah","Realm":"064107994","sessionTimeout":"20","ipAddress":"127.0.0.1"} 127.0.0.1 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:61.0)+Gecko/20100101+Firefox/61.0 https://www.banking.com/064107994/ORUI/index.html 200 0 0 1062 127.0.0.1
2019-05-30 10:54:59 127.0.0.1 GET /api/accounts/55233/account-history timePeriod=1&type=1&amount=&check=&description=&startfromIndex=150 1120 {"UserId":carl,"Username":"mr_blah","Realm":"091302966","sessionTimeout":"20","ipAddress":"127.0.0.1"} 127.0.0.1 Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/59.0.3071.115+Safari/537.36 https://choicefinancialgroup.ebanking-services.com/ORUI/ 200 0 0 2375 127.0.0.1
2019-05-30 10:54:54 10.237.66.52 GET /api/accounts/69173/account-history timePeriod=1&type=1&amount=&check=&description=&startfromIndex=150 1150 {"UserId":carl,"Username":"mr_blah","Realm":"221971015","sessionTimeout":"20","ipAddress":"127.0.0.1"} 127.0.0.1 Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/43.0.2357.125+Safari/537.36 https://onlinebanking.rhinebeckbank.com/ORUI/ 200 0 0 734 127.0.0.1
... View more
05-30-2019
12:14 PM
thx for the response, but this doesn't seem to extract any field, http_status, in from the raw data
... View more
05-30-2019
11:21 AM
have a business area that changed some of their log format which broke my existing regex and having a hard time matching response code. seems my existing regex is pulling two matches from each event. (matching "fromIndex=150" or
*"fromIndex=100"* also in the event) any suggestions to edit this?
Existing regex: (working before log format change)
\b(?<**http_status**>\d{3}) \d
_raw data:
2019-05-30 17:52:15 127.0.0.1 GET /api/accounts/19006/account-history timePeriod=&type=&amount=&check=&description=&*startfromIndex=100* 1123 {"{“UserId”:crazy_carl,”Username”:”foo”,"Realm":"061120534","sessionTimeout":"20","ipAddress”:”127.1.1.1”} 127.0.0.1 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:67.0)+Gecko/20100101+Firefox/67.0 https://my.bankingsite.com/ORUI/ **200** 0 0 3531 127.0.0.1
2019-05-30 17:52:05 127.0.0.1 GET /api/accounts/67343/account-history timePeriod=7&type=1&amount=&check=&description=&*startfromIndex=100* 1124 {"{“UserId”:crazy_carl,”Username”:”foo”,"Realm":"061120686","sessionTimeout":"20","ipAddress”:”127.1.1.1”} 127.0.0.1 Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/43.0.2357.125+Safari/537.36 https://my.bankingsite.com/ORUI/ **200** 0 0 875 127.0.0.1
2019-05-30 17:52:03 127.0.0.1 GET /api/accounts/46850/account-history timePeriod=&type=&amount=&check=&description=&*startfromIndex=100* 1120 {"{“UserId”:crazy_carl,”Username”:”foo”,"Realm":"091302966","sessionTimeout":"20","ipAddress”:”127.1.1.1”} 127.0.0.1 Mozilla/5.0+(Linux;+Android+7.0;+SM-G928V)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/73.0.3683.90+Mobile+Safari/537.36 https://my.bankingsite.com/ORUI/ **200** 0 0 3578 127.0.0.1
2019-05-30 17:51:51 127.0.0.1 GET /103103985/api/accounts/33098/account-history timePeriod=&type=&amount=&check=&description=&*startfromIndex=100* 80 {"{“UserId”:crazy_carl,”Username”:”foo”,"Realm":"103103985","sessionTimeout":"20","ipAddress”:”127.1.1.1”} 127.0.0.1 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko https://my.bankingsite.com/103103985/ORUI/ **200** 0 0 562 127.0.0.1
2019-05-30 17:51:50 127.0.0.1 GET /api/accounts/14342/account-history timePeriod=03/22/2019,05/30/2019&type=1&amount=&check=&description=&*startfromIndex=100* 1111 {"{“UserId”:crazy_carl,”Username”:”foo”,"Realm":"061120806","sessionTimeout":"20","ipAddress”:”127.1.1.1”} 127.0.0.1 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:61.0)+Gecko/20100101+Firefox/61.0 https://my.bankingsite.com/ORUI/index.html 200 0 0 1718 127.0.0.1
2019-05-30 17:51:47 127.0.0.1 GET /api/accounts/128235/account-history timePeriod=1&type=1&amount=&check=&description=&*startfromIndex=100* 1101 {"{“UserId”:crazy_carl,”Username”:”foo”,"Realm":"053102586","sessionTimeout":"20","ipAddress”:”127.1.1.1”} 127.0.0.1 Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/43.0.2357.125+Safari/537.36 https://my.bankingsite.com/ORUI/ **200** 0 0 484 127.0.0.1
2019-05-30 17:51:43 127.0.0.1 GET /api/accounts/57435/account-history timePeriod=7&type=1&amount=&check=&description=&*startfromIndex=100* 1112 {"{“UserId”:crazy_carl,”Username”:”foo”,"Realm":"064106775","sessionTimeout":"20","ipAddress”:”127.1.1.1”} 127.0.0.1 Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/43.0.2357.125+Safari/537.36 https://my.bankingsite.com/ORUI/ **200** 0 0 1125 127.0.0.1
2019-05-30 17:51:41 127.0.0.1 GET /api/accounts/66752/account-history timePeriod=1&type=1&amount=&check=&description=&*startfromIndex=100* 1150 {"{“UserId”:crazy_carl,”Username”:”foo”,"Realm":"221971015","sessionTimeout":"20","ipAddress”:”127.1.1.1”} 127.0.0.1 Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/43.0.2357.125+Safari/537.36 https://my.bankingsite.com/ORUI/ **200** 0 0 187 127.0.0.1
2019-05-30 17:51:35 127.0.0.1 GET /api/accounts/290903/account-history timePeriod=1&type=1&amount=&check=&description=&*startfromIndex=100* 1127 {"{“UserId”:crazy_carl,”Username”:”foo”,"Realm":"102000966","sessionTimeout":"20","ipAddress”:”127.1.1.1”} 127.0.0.1 Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/43.0.2357.125+Safari/537.36 https://my.bankingsite.com/ORUI/ **200** 0 0 1562 127.0.0.1
2019-05-30 17:51:32 127.0.0.1 GET /api/accounts/36874/account-history timePeriod=1&type=1&amount=&check=&description=&*startfromIndex=100* 1107 {"{“UserId”:crazy_carl,”Username”:”foo”,"Realm":"063114030","sessionTimeout":"20","ipAddress”:”127.1.1.1”} 127.0.0.1 Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/43.0.2357.125+Safari/537.36 https://my.bankingsite.com/ORUI/ **200** 0 0 875 127.0.0.1
2019-05-30 17:51:30 127.0.0.1 GET /api/accounts/24299/account-history timePeriod=&type=&amount=&check=&description=&*startfromIndex=100* 1135 {"{“UserId”:crazy_carl,”Username”:”foo”,"Realm":"111908965","sessionTimeout":"20","ipAddress”:”127.1.1.1”} 127.0.0.1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko https://my.bankingsite.com/ORUI/ **200** 0 0 6703 127.0.0.1
2019-05-30 17:51:17 127.0.0.1 GET /api/accounts/389912/account-history timePeriod=1&type=1&amount=&check=&description=&*startfromIndex=100* 1127 {"{“UserId”:crazy_carl,”Username”:”foo”,"Realm":"102000966","sessionTimeout":"20","ipAddress”:”127.1.1.1”} 127.0.0.1 Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/43.0.2357.125+Safari/537.36 https://my.bankingsite.com/ORUI/ **200** 0 0 765 127.0.0.1
2019-05-30 17:51:01 127.0.0.1 GET /pahranagatvalleyfcu/api/accounts/4058/account-history timePeriod=09/27/2016,05/30/2019&type=1&amount=&check=&description=&*startfromIndex=100* 1101 {"{“UserId”:crazy_carl,”Username”:”foo”,"Realm":"003381.MERCURY","sessionTimeout":"20","ipAddress”:”127.1.1.1”} 127.0.0.1 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:61.0)+Gecko/20100101+Firefox/61.0 https://my.bankingsite.com/PahranagatValleyFCU/ORUI/index.html **200** 0 0 6546 127.0.0.1
2019-05-30 18:03:26 127.0.0.1 GET /api/system/logoff - 1118 - 127.0.0.1 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_14_4)+AppleWebKit/605.1.15+(KHTML,+like+Gecko)+Version/12.1+Safari/605.1.15 https://my.bankingsite.com/ORUI/ **401** 0 0 0 127.0.0.1
2019-05-30 18:03:26 127.0.0.1 GET /api/personalfinance/ widgetName=mini_spending_widget&sync=true 1118 - 127.0.0.1 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_14_4)+AppleWebKit/605.1.15+(KHTML,+like+Gecko)+Version/12.1+Safari/605.1.15 https://my.bankingsite.com/ORUI/ **401** 0 0 0 127.0.0.1
2019-05-30 18:03:26 127.0.0.1 GET /api/system/logoff - 1118 - 127.0.0.1 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_14_4)+AppleWebKit/605.1.15+(KHTML,+like+Gecko)+Version/12.1+Safari/605.1.15 https://my.bankingsite.com/ORUI/ **401** 0 0 15 127.0.0.1
2019-05-30 18:03:26 127.0.0.1 GET /api/system/logoff - 1118 - 127.0.0.1 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_14_4)+AppleWebKit/605.1.15+(KHTML,+like+Gecko)+Version/12.1+Safari/605.1.15 https://my.bankingsite.com/ORUI/ **401** 0 0 0 127.0.0.1
2019-05-30 18:03:26 127.0.0.1 GET /api/personalfinance/ widgetName=mini_spending_widget&sync=true 1118 - 127.0.0.1 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_14_4)+AppleWebKit/605.1.15+(KHTML,+like+Gecko)+Version/12.1+Safari/605.1.15 https://my.bankingsite.com/ORUI/ **401** 0 0 15 127.0.0.1
2019-05-30 18:03:26 127.0.0.1 GET /api/system/logoff - 1118 - 127.0.0.1 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_14_4)+AppleWebKit/605.1.15+(KHTML,+like+Gecko)+Version/12.1+Safari/605.1.15 https://my.bankingsite.com/ORUI/ **401** 0 0 0 127.0.0.1
2019-05-30 18:03:26 127.0.0.1 GET /CommCUofNewMilford/api/users/22/getholdamount accountId=2175 1101 {"UserId”:crazy_carl,”Username”:”foo”,”Realm":"003042.MERCURY","sessionTimeout":"20","ipAddress":"107.77.224.32"} 127.0.0.1 Mozilla/5.0+(iPhone;+CPU+iPhone+OS+12_2+like+Mac+OS+X)+AppleWebKit/605.1.15+(KHTML,+like+Gecko)+Version/12.1+Mobile/15E148+Safari/604.1 https://my.bankingsite.com/CommCUofNewMilford/ORUI/ **200** 0 0 109 127.0.0.1
2019-05-30 18:03:25 127.0.0.1 GET /api/users/22/accounts assetSortOrder=ASC&assetDefaultSortColumn=accountName&investmentSortOrder=ASC&investmentDefaultSortColumn=accountName&liabilitiesortOrder=ASC&liabilitiesDefaultSortColumn=accountName&externalSortOrder=ASC&externalDefaultSortColumn=accountName&ccSortOrder=ASC&ccDefaultSortColumn=accountName 1101 {"UserId”:crazy_carl,”Username”:”foo”,”Realm":"111906271","sessionTimeout":"20","ipAddress":"127.0.0.1"} 127.0.0.1 Mozilla/5.0+(Linux;+Android+9;+SM-G955U)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/74.0.3729.157+Mobile+Safari/537.36 https://my.bankingsite.com/ORUI/ **200** 0 0 140 127.0.0.1
2019-05-30 18:03:25 127.0.0.1 GET /login.aspx ReturnUrl=%2fORUI%2f 1101 - 127.0.0.1 Mozilla/5.0+(iPhone;+CPU+iPhone+OS+12_3_1+like+Mac+OS+X)+AppleWebKit/605.1.15+(KHTML,+like+Gecko)+Version/12.1.1+Mobile/15E148+Safari/604.1 - **200** 0 0 46 172.58.99.130
2019-05-30 18:03:25 127.0.0.1 GET /api/users/22/scorecardrewards - 1101 {"UserId”:crazy_carl,”Username”:”foo”,”Realm":"111906271","sessionTimeout":"20","ipAddress":"127.0.0.1"} 127.0.0.1 Mozilla/5.0+(Linux;+Android+9;+SM-G955U)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/74.0.3729.157+Mobile+Safari/537.36 https://my.bankingsite.com/ORUI/ **200** 0 0 46 127.0.0.1
2019-05-30 18:03:25 127.0.0.1 GET /ORUI/index.html - 1101 {"UserId”:crazy_carl,”Username”:”foo”,”Realm":"111906271","sessionTimeout":"20","ipAddress":"127.0.0.1 "} 127.0.0.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/74.0.3729.169+Safari/537.36 https://my.bankingsite.com/PassMarkRecognizedAdv.aspx?qs=b2TU7c2wr8E0dfptJiVc6osqODJNVVaa6UZusUsRdZI%3d **200** 0 0 125 127.0.0.1
2019-05-30 18:03:25 127.0.0.1 GET /OOBChallenge.aspx qs=cUlHrH9oGju91rnRg%2bOmkzrLhg8Oc0ZMSvVHZDwpaoNAhY0dPG6o3WXkCMUZMARx61iChJjKqmntkcKCmNEX9oD2KDmMage%2fb2TU7c2wr8E0dfptJiVc6osqODJNVVaan3drqxuh3WzZy%2fva1rs6RM9OaC59wRrRZ2yA%2bDcWz7lmJSZPd2bHwWdceDRZ9bE2QNZL%2f5%2fuohrofoZvlVaPJA%3d%3d 1101 - 127.0.0.1 Mozilla/5.0+(Windows+NT+6.1;+Trident/7.0;+rv:11.0)+like+Gecko https://my.bankingsite.com/SignOn.aspx?qs=nLl1ZWczEjHofoZvlVaPJA%3d%3d **200** 0 0 453 127.0.0.1
... View more
05-27-2019
04:00 PM
Hi @DavidHourani , funny I had the same idea in mind. I already applied this to the HF and it seems to be working as expected. Thanks again for all the suggestions.
... View more
05-24-2019
07:27 AM
Thanks again @DavidHourani, I did apply it on the HF, nulled out of the indexer cluster and restated both. Still no luck. Verified via btool all looks correct. just at a loss here why this is not working. doesn't make sense.
[/opt/splunk/etc/system/local]
$ /opt/splunk/bin/splunk cmd btool props list emea_prd_aps_auths_cortex_logs | grep SEDCMD
SEDCMD-purge = s/^(?!##TUXIF).+//g
... View more
05-24-2019
04:42 AM
Hi @DavidHourani , thanks for the response. Yes, I have validated the sourcetype is correct and restarted the indexer cluster nodes after I applied the props.conf change. This data is moving through a heavy forwarder and while I did try this same sedcmd on both the HF (set this in system/local on the HF just to verify no inheritance issues) and the indexer cluster, neither works as expected.
... View more
05-24-2019
04:22 AM
Having issues with a sedcmd in my props. When I test this in my dev environment, I see expected results. However, when I apply this to my distributed environment and push it to my indexers, I am not seeing the same results. Does not seem to be stripping the excess data when applied to the indexer cluster. Also, I did try this in a props.conf on a HF fronting our cluster, and still did not work.
props.conf
[my_lil_old_sourcetype]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
CHARSET=UTF-8
MAX_TIMESTAMP_LOOKAHEAD=15
disabled=false
TIME_FORMAT=%Y%m%d:%H%M%S
TIME_PREFIX=##TUXIF:
TZ=GMT
SEDCMD-purge=s/^(?!##TUXIF).+//g
DEV results: (good)
TUXIF:20190523:164904:000001.273:529021******2906/0:110:100:1:MCRD->APS:150.000:978:2052658003:0/00:NP:NP:NP
TUXIF:20190523:164904:000000.450:550129******1803/0:110:100:0:MCRD->FRT:22.800:978:118875070:0/00:NP:NP:NP
TUXIF:20190523:164904:000000.346:446223******7606/0:110:100:0:VISA->BOV:760.000:826:118875080:0/00:NP:NP:NP
TUXIF:20190523:164904:000000.257:559147******8697/0:110:100:0:MCRD->BNK:1.800:978:118875090:0/00:NP:NP:NP
TUXIF:20190523:164904:000000.385:446223******3604/0:110:100:0:VISA->BOV:7.000:826:118875060:0/00:NP:NP:NP
TUXIF:20190523:164904:000000.412:550129******3036/0:110:100:0:MCRD->FRT:2.300:978:118875050:0/00:NP:NP:NP
TUXIF:20190523:164904:000000.231:446223******3902/0:110:100:0:VISA->BOV:14.710:826:118875065:0/00:NP:NP:NP
TUXIF:20190523:164904:000000.285:479613******0487/0:110:100:0:VISA->PMM:3.100:826:118875055:0/00:NP:NP:NP
TUXIF:20190523:164904:000000.248:557418******4844/0:110:100:0:MCRD->PCT:20.050:826:118875040:0/00:NP:NP:NP
TUXIF:20190523:164904:000000.216:465850******1704/0:110:100:0:VISA->BOV:4.730:826:118875045:0/00:NP:NP:NP
TUXIF:20190523:164904:000002.785:472628******5886/0:110:100:0:VISA->PKT:2.750:826:118874935:0/00:NP:NP:NP
TUXIF:20190523:164903:000000.122:401773******6492/0:110:100:0:VISA->GVS:38.000:978:118875035:1/16:NP:NP:Insufficient Funds ! (Txn amount 38.000 (including commission 0.000), Available amount 30.000, Override 0.000 )
TUXIF:20190523:164903:000000.293:446223******6804/0:110:100:0:VISA->BOV:2.990:826:118875030:0/00:NP:NP:NP
TUXIF:20190523:164903:000000.598:550129******9908/0:110:100:0:MCRD->FRT:37.000:978:118874990:0/00:NP:NP:NP
TUXIF:20190523:164903:000000.218:446223******8302/0:110:100:0:VISA->BOV:9.690:826:118875025:0/00:NP:NP:NP
TUXIF:20190523:164903:000000.337:557362******0812/0:110:100:0:MCRD->ANP:16.060:978:118875020:0/00:NP:NP:NP
TUXIF:20190523:164903:000000.593:533935******3582/0:110:100:0:MCRD->PSH:92.250:978:118874985:0/00:NP:NP:NP
TUXIF:20190523:164903:000000.283:511656******0698/0:110:100:1:MCRD->ACL:203.500:840:118875000:0/00:NP:NP:NP
TUXIF:20190523:164903:000002.552:472628******8479/0:110:100:0:VISA->PKT:3.200:826:118874900:0/00:NP:NP:NP
TUXIF:20190523:164903:000002.596:472628******5328/0:110:100:0:VISA->PKT:1.000:826:118874895:0/00:NP:NP:NP
raw log data (without stripping data)
3528484:20190523:16490195:TUXIF :slfdbg.c: 993:Setting file to I_DBGPANFILE fb value [/cortex/dbd/tmp/TXNS_BY_PAN/06/559147_2406_0001]
TUXIF:20190523:164902:000000.394:559147******2406/0:110:100:0:MCRD->BNK:26.950:949:118874950:0/00:NP:NP:NP
6161662:20190523:16490245:TUXCLT:slfdbg.c:1033:Could not SET NAME BY PAN - NO PAN AVAILABLE !
******************************** TUXCLT service ********************************
6161662:20190523:16490245:TUXCLT:slfdbg.c: 667:Service called with:
C_FNCODE 831
I_REQ_CHARSET 0
C_STAN 704534
46923944:20190523:16490128:TUXIF :slfdbg.c:1252:Setting file to I_DBGFILE fb value [/cortex/dbd/tmp/TXNS_BY_PAN/47/540450_6247_0007]
TUXIF:20190523:164901:000000.261:540450******6247/0:110:100:1:MCRD->APS:40.000:826:2052657978:1/16:NP:NP:Insufficient Funds ! (Txn amount 40.500 (including commission 0.500), Available amount 4.930, Override 0.000 )
40239190:20190523:16490090:TUXIF :slfdbg.c: 993:Setting file to I_DBGPANFILE fb value [/cortex/dbd/tmp/TXNS_BY_PAN/71/529021_6671_0006]
TUXIF:20190523:164901:000000.628:529021******6671/0:110:100:0:MCRD->APS:147.440:826:2052657973:0/00:NP:NP:NP
37748910:20190523:16490158:TUXIF :slfdbg.c: 993:Setting file to I_DBGPANFILE fb value [/cortex/dbd/tmp/TXNS_BY_PAN/49/540450_2249_0002]
TUXIF:20190523:164901:000000.244:540450******2249/0:110:100:0:MCRD->APS:9.480:826:2052657988:0/00:NP:NP:NP
49217788:20190523:16490051:TUXIF :slfdbg.c: 993:Setting file to I_DBGPANFILE fb value [/cortex/dbd/tmp/TXNS_BY_PAN/85/516240_0385_0003]
TUXIF:20190523:164901:000001.363:516240******0385/0:110:100:0:MCRD->YTG:100.000:702:2052657968:0/00:NP:NP:NP
35782700:20190523:16490133:TUXIF :slfdbg.c: 993:Setting file to I_DBGPANFILE fb value [/cortex/dbd/tmp/TXNS_BY_PAN/00/516240_1200_0002]
TUXIF:20190523:164901:000000.573:516240******1200/0:110:100:0:MCRD->YTG:27.080:840:2052657983:0/00:NP:NP:NP
50921508:20190523:16490184:TUXIF :slfdbg.c: 993:Setting file to I_DBGPANFILE fb value [/cortex/dbd/tmp/TXNS_BY_PAN/28/540450_8228_0006]
TUXIF:20190523:164902:000000.231:540450******8228/0:110:100:0:MCRD->APS:12.000:826:2052657993:0/00:NP:NP:NP
39190644:20190523:16490207:TUXCLT:slfdbg.c:1033:Could not SET NAME BY PAN - NO PAN AVAILABLE !
******************************** TUXCLT service ********************************
39190644:20190523:16490207:TUXCLT:slfdbg.c: 667:Service called with:
C_FNCODE 831
I_REQ_CHARSET 0
C_STAN 705292
C_RRN 914315704534
C_RSPCODE 00
M_SEVCODE TUXIF
M_SEVCODE TUXCLT
6161662:20190523:164902:TUXCLT:GSM: Event ev_ok
6161662:20190523:16490245:TUXCLT:GSM: State st_return (0.00)[0.00]
6161662:20190523:16490245:TUXCLT:xcltsm.c: 545:M_err: 0
6161662:20190523:164902:TUXCLT:GSM: event DEFAULT [0]
6161662:20190523:16490245:TUXCLT: tuxif.c: 340:TUXCLT Return: TPSUCCESS
************************* Start of Fielded Buffer Diff *************************
Diff FB's : (+)Added by svc, (-) Deleted by svc, (C) Changed by svc
(C) C_MSGFN [0] : from 0 to 1
(+) C_ACTIONCODE [0] : 8
(+) C_RSPCODE [0] : 00
*************************** ntp_return from : TUXCLT ***************************
30344220:20190523:16490147:TUXIF :slfdbg.c:1252:Setting file to I_DBGFILE fb value [/cortex/dbd/tmp/TXNS_BY_PAN/14/528838_8914_0003]
TUXIF:20190523:164902:000001.218:528838******8914/0:110:100:1:MCRD->NET:50.000:978:118874945:0/00:NP:NP:NP
21824832:20190523:16490003:TUXIF :slfdbg.c: 993:Setting file to I_DBGPANFILE fb value [/cortex/dbd/tmp/TXNS_BY_PAN/04/472628_0904_0001]
TUXIF:20190523:164902:000002.656:472628******0904/0:110:100:0:VISA->PKT:46.900:826:118874865:0/00:NP:NP:NP
45745202:20190523:16490258:TUXIF :slfdbg.c: 993:Setting file to I_DBGPANFILE fb value [/cortex/dbd/tmp/TXNS_BY_PAN/04/446223_5904_0048]
TUXIF:20190523:164902:000000.235:446223******5904/0:110:100:0:VISA->BOV:6.990:826:118874955:0/00:NP:NP:NP
36046094:20190523:16490022:TUXIF :slfdbg.c: 993:Setting file to I_DBGPANFILE fb value [/cortex/dbd/tmp/TXNS_BY_PAN/84/472628_4984_0003]
TUXIF:20190523:164902:000002.656:472628******4984/0:110:100:0:VISA->PKT:2.000:826:118874875:0/00:NP:NP:NP
36767094:20190523:16490266:TUXIF :slfdbg.c: 993:Setting file to I_DBGPANFILE fb value [/cortex/dbd/tmp/TXNS_BY_PAN/04/446223_9804_0083]
TUXIF:20190523:164902:000000.319:446223******9804/0:110:100:0:VISA->BOV:1.000:978:118874960:0/00:NP:NP:NP
61015798:20190523:16490270:TUXIF :slfdbg.c: 993:Setting file to I_DBGPANFILE fb value [/cortex/dbd/tmp/TXNS_BY_PAN/95/459340_6895_0009]
TUXIF:20190523:164903:000000.295:459340******6895/0:110:100:0:VISA->SDS:6.440:978:118874965:0/00:NP:NP:NP
1377470:20190523:16490301:TUXIF :slfdbg.c: 993:Setting file to I_DBGPANFILE fb value [/cortex/dbd/tmp/TXNS_BY_PAN/12/550129_3212_0007]
5702746:20190523:16490284:TUXIF :slfdbg.c: 993:Setting file to I_DBGPANFILE fb value [/cortex/dbd/tmp/TXNS_BY_PAN/76/479613_7376_0004]
TUXIF:20190523:164903:000000.295:479613******7376/0:110:100:0:VISA->PMM:7.320:826:118874975:0/00:NP:NP:NP
1377470:20190523:16490302:TUXIF :slfdbg.c:1252:Setting file to I_DBGFILE fb value [/cortex/dbd/tmp/TXNS_BY_PAN/12/550129_3212_0007]
TUXIF:20190523:164903:000000.245:550129******3212/0:110:100:1:MCRD->FRT:403.000:978:118874980:1/16:NP:NP:Insufficient Funds ! (Txn amount 405.000 (including commission 2.000), Available amount 218.360, Override 0.000 )
62064218:20190523:16490329:TUXIF :slfdbg.c: 993:Setting file to I_DBGPANFILE fb value [/cortex/dbd/tmp/TXNS_BY_PAN/98/511656_0698_0000]
43189706:20190523:16490335:TUXIF :slfdbg.c: 993:Setting file to I_DBGPANFILE fb value [/cortex/dbd/tmp/TXNS_BY_PAN/93/472628_4893_0001]
27919656:20190523:16490336:TUXIF :slfdbg.c: 993:Setting file to I_DBGPANFILE fb value [/cortex/dbd/tmp/TXNS_BY_PAN/94/472628_3194_0002]
6161730:20190523:16490322:TUXIF :slfdbg.c: 993:Setting file to I_DBGPANFILE fb value [/cortex/dbd/tmp/TXNS_BY_PAN/66/401773_4766_0001]
TUXIF:20190523:164903:000000.195:401773******4766/0:110:100:0:VISA->GVS:5.000:978:118874995:0/00:NP:NP:NP
52757842:20190523:16490330:TUXIF :slfdbg.c: 993:Setting file to I_DBGPANFILE fb value [/cortex/dbd/tmp/TXNS_BY_PAN/38/401773_3438_0005]
TUXIF:20190523:164903:000000.167:401773******3438/0:110:100:0:VISA->GVS:11.970:978:118875005:1/16:NP:NP:Insufficient Funds ! (Txn amount 11.970 (including commission 0.000), Available amount 10.030, Override 0.000 )
29362098:20190523:16490089:TUXIF :slfdbg.c: 993:Setting file to I_DBGPANFILE fb value [/cortex/dbd/tmp/TXNS_BY_PAN/28/472628_5328_0006]
TUXIF:20190523:164903:000002.596:472628******5328/0:110:100:0:VISA->PKT:1.000:826:118874895:0/00:NP:NP:NP
41223354:20190523:16490094:TUXIF :slfdbg.c: 993:Setting file to I_DBGPANFILE fb value [/cortex/dbd/tmp/TXNS_BY_PAN/79/472628_8479_0003]
TUXIF:20190523:164903:000002.552:472628******8479/0:110:100:0:VISA->PKT:3.200:826:118874900:0/00:NP:NP:NP
62064218:20190523:16490331:TUXIF :slfdbg.c:1252:Setting file to I_DBGFILE fb value [/cortex/dbd/tmp/TXNS_BY_PAN/98/511656_0698_0000]
TUXIF:20190523:164903:000000.283:511656******0698/0:110:100:1:MCRD->ACL:203.500:840:118875000:0/00:NP:NP:NP
65406164:20190523:16490304:TUXIF :slfdbg.c: 993:Setting file to I_DBGPANFILE fb value [/cortex/dbd/tmp/TXNS_BY_PAN/82/533935_3582_0001]
TUXIF:20190523:164903:000000.593:533935******3582/0:110:100:0:MCRD->PSH:92.250:978:118874985:0/00:NP:NP:NP
15664278:20190523:16490339:TUXIF :slfdbg.c: 993:Setting file to I_DBGPANFILE fb value [/cortex/dbd/tmp/TXNS_BY_PAN/12/557362_0812_0000]
TUXIF:20190523:164903:000000.337:557362******0812/0:110:100:0:MCRD->ANP:16.060:978:118875020:0/00:NP:NP:NP
43647120:20190523:16490353:TUXIF :slfdbg.c: 993:Setting file to I_DBGPANFILE fb value [/cortex/dbd/tmp/TXNS_BY_PAN/02/446223_8302_0072]
TUXIF:20190523:164903:000000.218:446223******8302/0:110:100:0:VISA->BOV:9.690:826:118875025:0/00:NP:NP:NP
34997348:20190523:16490316:TUXIF :slfdbg.c: 993:Setting file to I_DBGPANFILE fb value [/cortex/dbd/tmp/TXNS_BY_PAN/08/550129_9908_0003]
TUXIF:20190523:164903:000000.598:550129******9908/0:110:100:0:MCRD->FRT:37.000:978:118874990:0/00:NP:NP:NP
32572628:20190523:16490366:TUXIF :slfdbg.c: 993:Setting file to I_DBGPANFILE fb value [/cortex/dbd/tmp/TXNS_BY_PAN/04/446223_6804_0063]
TUXIF:20190523:164903:000000.293:446223******6804/0:110:100:0:VISA->BOV:2.990:826:118875030:0/00:NP:NP:NP
39061038:20190523:16490386:TUXIF :slfdbg.c: 993:Setting file to I_DBGPANFILE fb value [/cortex/dbd/tmp/TXNS_BY_PAN/92/401773_6492_0001]
TUXIF:20190523:164903:000000.122:401773******6492/0:110:100:0:VISA->GVS:38.000:978:118875035:1/16:NP:NP:Insufficient Funds ! (Txn amount 38.000 (including commission 0.000), Available amount 30.000, Override 0.000 )
21497278:20190523:16490131:TUXIF :slfdbg.c: 993:Setting file to I_DBGPANFILE fb value [/cortex/dbd/tmp/TXNS_BY_PAN/86/472628_5886_0001]
TUXIF:20190523:164904:000002.785:472628******5886/0:110:100:0:VISA->PKT:2.750:826:118874935:0/00:NP:NP:NP
10880444:20190523:16490389:TUXIF :slfdbg.c: 993:Setting file to I_DBGPANFILE fb value [/cortex/dbd/tmp/TXNS_BY_PAN/04/465850_1704_0007]
TUXIF:20190523:164904:000000.216:465850******1704/0:110:100:0:VISA->BOV:4.730:826:118875045:0/00:NP:NP:NP
48039384:20190523:16490389:TUXIF :slfdbg.c: 993:Setting file to I_DBGPANFILE fb value [/cortex/dbd/tmp/TXNS_BY_PAN/44/557418_4844_0004]
TUXIF:20190523:164904:000000.248:557418******4844/0:110:100:0:MCRD->PCT:20.050:826:118875040:0/00:NP:NP:NP
15402590:20190523:16490393:TUXIF :slfdbg.c: 993:Setting file to I_DBGPANFILE fb value [/cortex/dbd/tmp/TXNS_BY_PAN/87/479613_0487_0002]
TUXIF:20190523:164904:000000.285:479613******0487/0:110:100:0:VISA->PMM:3.100:826:118875055:0/00:NP:NP:NP
62981760:20190523:16490405:TUXIF :slfdbg.c: 993:Setting file to I_DBGPANFILE fb value [/cortex/dbd/tmp/TXNS_BY_PAN/02/446223_3902_0078]
TUXIF:20190523:164904:000000.231:446223******3902/0:110:100:0:VISA->BOV:14.710:826:118875065:0/00:NP:NP:NP
14091452:20190523:16490390:TUXIF :slfdbg.c: 993:Setting file to I_DBGPANFILE fb value [/cortex/dbd/tmp/TXNS_BY_PAN/36/550129_3036_0003]
TUXIF:20190523:164904:000000.412:550129******3036/0:110:100:0:MCRD->FRT:2.300:978:118875050:0/00:NP:NP:NP
6555816:20190523:16490404:TUXIF :slfdbg.c: 993:Setting file to I_DBGPANFILE fb value [/cortex/dbd/tmp/TXNS_BY_PAN/04/446223_3604_0055]
TUXIF:20190523:164904:000000.385:446223******3604/0:110:100:0:VISA->BOV:7.000:826:118875060:0/00:NP:NP:NP
29165424:20190523:16490442:TUXIF :slfdbg.c: 993:Setting file to I_DBGPANFILE fb value [/cortex/dbd/tmp/TXNS_BY_PAN/97/559147_8697_0003]
TUXIF:20190523:164904:000000.257:559147******8697/0:110:100:0:MCRD->BNK:1.800:978:118875090:0/00:NP:NP:NP
51381636:20190523:16490435:TUXIF :slfdbg.c: 993:Setting file to I_DBGPANFILE fb value [/cortex/dbd/tmp/TXNS_BY_PAN/06/446223_7606_0079]
TUXIF:20190523:164904:000000.346:446223******7606/0:110:100:0:VISA->BOV:760.000:826:118875080:0/00:NP:NP:NP
27002354:20190523:16490429:TUXIF :slfdbg.c: 993:Setting file to I_DBGPANFILE fb value [/cortex/dbd/tmp/TXNS_BY_PAN/03/550129_1803_0000]
TUXIF:20190523:164904:000000.450:550129******1803/0:110:100:0:MCRD->FRT:22.800:978:118875070:0/00:NP:NP:NP
M_SEVSEC 1558626542
M_SEVUSEC 453936
M_SEVUSEC 459348
C_MSGCLS 8
C_MSGFN 1
C_TXNSRC 0
C_ACTIONCODE 8
I_SRCHOST APS
I_DSTHOST DBD
C_DATEXMIT 20190523
C_TIMEXMIT 154902
M_SEVSEC 1558626542
C_RRN 914315704534
M_SEVCODE TUXIF
M_SEVCODE TUXCLT
6161662:20190523:16490245:TUXCLT:GSM: State st_chk_msg (0.00)[0.00]
6161662:20190523:16490245:TUXCLT:xcltsm.c: 259:Looking for I_SRCHOST [APS] in hostmap
6161662:20190523:16490245:TUXCLT:xcltsm.c: 266:Host IBB not match
6161662:20190523:16490245:TUXCLT:xcltsm.c: 266:Host IDT not match
6161662:20190523:16490245:TUXCLT:xcltsm.c: 266:Host NWC not match
6161662:20190523:16490245:TUXCLT:xcltsm.c: 266:Host BOI not match
6161662:20190523:16490245:TUXCLT:xcltsm.c: 266:Host NAG not match
6161662:20190523:16490245:TUXCLT:xcltsm.c: 273:Host APS OK, afe = APS
6161662:20190523:16490245:TUXCLT:xcltsm.c: 300:I_AFE changed
6161662:20190523:164902:TUXCLT:GSM: Event ev_nmgrq
6161662:20190523:16490245:TUXCLT:GSM: State st_snd_nmg (0.00)[0.00]
6161662:20190523:16490245:TUXCLT: cocbf.c: 588:MFN_REQ -> MFN_REQRSP
6161662:20190523:16490245:TUXCLT: cocbf.c: 628:No actioncode originally
6161662:20190523:16490245:TUXCLT: cocbf.c: 652:Set action/rsp codes to 800
6161662:20190523:164902:TUXCLT:GSM: Event ev_ok
6161662:20190523:16490245:TUXCLT:GSM: State st_snd_rply (0.00)[0.00]
6161662:20190523:16490245:TUXCLT:uxifcv.c: 188:Entered conv_fb
6161662:20190523:16490245:TUXCLT:uxifcv.c: 196:Conversion table for Incoming transaction response found
6161662:20190523:16490245:TUXCLT:convcs.c: 253:I_REQ_CHARSET found
6161662:20190523:16490245:TUXCLT:convcs.c: 125:Characterset is same
6161662:20190523:16490245:TUXCLT:convcs.c: 138:No conversion is done
6161662:20190523:16490245:TUXCLT:uxifcv.c: 221:Convertion started
6161662:20190523:16490245:TUXCLT:uxifcv.c: 328:Convertion end
6161662:20190523:16490245:TUXCLT:uxifcv.c: 346:Leaving conv_fb
6161662:20190523:16490245:TUXCLT:slfdbg.c: 667:FB after second conv_fb:
C_FNCODE 831
I_REQ_CHARSET 0
C_STAN 704534
M_SEVSEC 1558626542
M_SEVUSEC 453936
M_SEVUSEC 459348
C_MSGCLS 8
C_MSGFN 0
C_TXNSRC 0
I_SRCHOST APS
I_DSTHOST DBD
C_DATEXMIT 20190523
C_TIMEXMIT 154902
M_SEVSEC 1558626542
C_RRN 914315705292
C_RSPCODE 00
M_SEVCODE TUXIF
M_SEVCODE TUXCLT
39190644:20190523:164902:TUXCLT:GSM: Event ev_ok
39190644:20190523:16490207:TUXCLT:GSM: State st_return (0.00)[0.00]
39190644:20190523:16490207:TUXCLT:xcltsm.c: 545:M_err: 0
39190644:20190523:164902:TUXCLT:GSM: event DEFAULT [0]
39190644:20190523:16490207:TUXCLT: tuxif.c: 340:TUXCLT Return: TPSUCCESS
************************* Start of Fielded Buffer Diff *************************
Diff FB's : (+)Added by svc, (-) Deleted by svc, (C) Changed by svc
(C) C_MSGFN [0] : from 0 to 1
(+) C_ACTIONCODE [0] : 8
(+) C_RSPCODE [0] : 00
*************************** ntp_return from : TUXCLT ***************************
... View more
05-23-2019
05:58 AM
1 Karma
Thanks for the response @koshyk. The data size was a bit larger than I expected, so I rean the dump command on all indexers and imported them. Seemed to do the trick. Thanks again for the suggestion though!
Commands:
Dump:
/opt/splunk/bin/splunk search 'index=my_old_idx latest="05/23/2019:11:33:55" | dump basefilename=my_old_idx.log'; find /opt/splunk/var/run/splunk/dispatch//dump/ -type f -name 'my_old_idx .log' | xargs -I {} mv {} /opt/splunk/etc/slave-apps/new_app_here
Import:
find /opt/splunk/etc/slave-apps/new_app_here/ -type f -name 'my_old_idx.log*' | xargs -I {} /opt/splunk/bin/splunk add oneshot {} -sourcetype my_new_st_here -index my_new_idx -rename-source /dir/foo/bar
... View more
05-22-2019
08:39 AM
We want to extract existing data (very little, less than a GB) from an index. Is there a best practice for running the dump command on an indexer cluster (3 nodes) for a specific index? Do I have to run this command individually on each indexer in the cluster to ensure all data in the cluster is extracted properly?
... View more
05-06-2019
07:40 AM
Trying to do a linebreak on "CIB" being passed into log. (I know, these logs are awful) Having problems breaking on the CIB expression though. Any suggestions? Splunk wants to break on OFX
SHOULD_LINEMERGE=false
LINE_BREAKER=(^(?P\w+\s+))
TZ=America/Chicago
Log Format:
CIB 2019-05-06 09:07:30,839] [THREAD: iner : 17] com.ffusion.ffs.ofx.servlets.OFXServlet - Mon May 06 09:07:30 CDT 2019: OFXServlet: OFXHEADER:100
DATA:OFXSGML
VERSION:151
SECURITY:NONE
ENCODING:USASCII
Show all 9 lines
20190506090730.831 19640191 ctaxnqidzgkzuete1557133644150B1732PK0400 ENG 426 051900395 CIB 0200 Y PROD -2b777cc0:16a8c453ac4:-2a0a 051900395 87836273 CHECKING 20190506 20190506 Y Y
20190506090730.796 13927199 wlipfswymcgvelcy1557133638179B1182PK0400 ENG 642 071901604 CIB 0200 Y PROD -12f8b87f:16a8c39e671:-e19 071901604 3332930001 CHECKING 20190506 20190506 Y Y
CIB 2019-05-06 09:07:30,724] [THREAD: iner : 40] com.ffusion.ffs.ofx.servlets.OFXServlet - Mon May 06 09:07:30 CDT 2019: OFXServlet: RQID:20190506140725.981_5323260_zoadfefhnclstbhc1557151644827B2797PK0900 user: null is authorized
CIB 2019-05-06 09:07:30,724] [THREAD: iner : 40] com.ffusion.ffs.ofx.servlets.OFXServlet - Inside New Parser processing
CIB 2019-05-06 09:07:30,885] [THREAD: iner : 40] com.ffusion.ffs.ofx.servlets.OFXServlet - Mon May 06 09:07:30 CDT 2019: OFXServlet: OFXHEADER:100
DATA:OFXSGML
VERSION:151
Show all 12 lines
CIB 2019-05-06 09:07:30,723] [THREAD: iner : 40] com.ffusion.ffs.ofx.servlets.OFXServlet - Mon May 06 09:07:30 CDT 2019: OFXServlet: RQID:20190506140725.981_5323260_zoadfefhnclstbhc1557151644827B2797PK0900 OFXHEADER:100
DATA:OFXSGML
VERSION:151
SECURITY:NONE
ENCODING:USASCII
Show all 9 lines
20190506090730.708 9866661 vfhntpuabsayykui1557133650682B1172PK0400 ENG 774 084201294 CIB 0200 Y PROD -12f8b87f:16a8c39e671:-e1b 19990101 Y Y N Y Y
20190506090730.670 11761432 zhecbsmbwliobrgk1557133646660B2948PK0400 ENG 144 111102758 CIB 0200 Y PROD -125ceb71:16a8c6053a2:-7e56 TRHST 500 111102758 261503081 CHECKING 20190410 20190506 Y
20190506090730.647 8480130 yxsidmahmlailtri1557133622247B2718PK0400 ENG 448 325081306 CIB 0200 Y PROD -125ceb71:16a8c6053a2:-7e5a ESP 20180406 20190506 2000510-1 LOAN
20190506090730.639 8964814 ooaxvqjugedktndw1557133650611B2878PK0400 ENG 092 211871691 CIB 0200 Y PROD -12f8b87f:16a8c39e671:-e1f 19990101 Y Y N Y
20190506090730.633 8437258 yqfixwpbmjyuxycs1557133650578B2585PK0400 ENG 158 071925567 CIB 0200 Y PROD 4c4e9ea8:16a8bfa5cde:-68b2 19990101 Y Y N Y
20190506090730.621 9516145 oaergmlhxnraymbb1557133647475B2893PK0400 ENG 446 096010415 CIB 0200 Y PROD -492b898c:16a8a6f9bd4:4ba5 TRHST 500 096010415 69833115 SAVINGS 20190429 20190506 Y
... View more
03-26-2019
04:53 AM
GM, through the years we have added several indexers to our cluster. we are no looking to retire a few generation 1 indexers. does anyone have a search that can do a comparison of what forwarders are/are not reporting to certain indexers in the cluster by index name? perhaps a table to display all forwarder client servers not utilizing all indexers? my fear is we retire a set of gen 1 indexers and all forwarders are not reporting into ALL indexers so users will no longer see their data.
... View more
- Tags:
- splunk-enterprise
01-10-2019
09:32 AM
got it. used list instead of values calculating the run_time and start_time fields
... View more
01-10-2019
09:15 AM
I've written a search that charts data into a table. The query extracts run times greater than 25% over its calculated average value from the past 60 days. However, when I run the search, the run_time values are not lining up with the start_time values in the raw events. I'm probably missing something very simple, but I have been looking at this for so long. I figured maybe someone could pick up what I am doing wrong pretty quickly.
The start_time and run_time values don't line up correctly with the _raw data in the events.
index=foo sourcetype=bar firm_number="24"
| strcat firm_name " - Firm Number: " firm_number AS Firm
| bin _time span=60d
| eventstats avg(duration_minutes) as avg_time by Firm
| eval perc_of_change=round(((duration_minutes-avg_time)/duration_minutes)*100,2)
| where perc_of_change > 25
| stats values(duration_minutes) as run_time values(start_time) as start_time first(avg_time) as avg_time by Firm
| fields - _time
... View more
11-29-2018
05:23 PM
this seems to work. I will test some scenarios and update in the AM. Thank you both!
... View more
11-29-2018
05:20 PM
this is what will need to be sent to nullque
ERROR [WebContainer : 9] [2018-11-29 19:11:54,023] log.UatErrorLogger - 6008a93a-ceae-4ff2-a0cb-79fe6371cb4c
java.lang.NumberFormatException: empty String
at sun.misc.FloatingDecimal.readJavaFormatString(FloatingDecimal.java:1855)
at sun.misc.FloatingDecimal.parseFloat(FloatingDecimal.java:135)
at java.lang.Float.parseFloat(Float.java:462)
at com.metavante.uat.rulescustomization.shared.runtime.DataTypeValue. (DataTypeValue.java:60)
at com.metavante.uat.rulescustomization.shared.runtime.BaseFnRuleImpl.getDataValue(BaseFnRuleImpl.java:475)
at com.metavante.uat.rulescustomization.shared.runtime.generatedrules.AuthoredRule1325000000094104.executeRule(AuthoredRule1325000000094104.java:24)
at com.metavante.uat.rulescustomization.shared.runtime.BaseFnRuleImpl.doExecuteRule(BaseFnRuleImpl.java:73)
at com.metavante.uat.rulescustomization.shared.calcmgr.JavaCalcMgrContextImpl.performCalcs(JavaCalcMgrContextImpl.java:435)
at com.metavante.uat.rulescustomization.shared.calcmgr.JavaCalcMgrContextImpl.runAllCalcs(JavaCalcMgrContextImpl.java:205)
at com.metavante.uat.rulescustomization.shared.calcmgr.JavaCalcMgrContextImpl.runAllCalcs(JavaCalcMgrContextImpl.java:160)
at com.metavante.dx.services.common.utils.UATRulesHelper.executeRules(UATRulesHelper.java:328)
at com.metavante.dx.services.common.handlers.WorkflowRulesHandler.executeHandler(WorkflowRulesHandler.java:178)
at com.metavante.dx.services.flow.processor.SequenceProcessor.executeHandler(SequenceProcessor.java:159)
at com.metavante.dx.services.flow.processor.SequenceProcessor.executeWorkFlow(SequenceProcessor.java:125)
at com.metavante.dx.services.flow.processor.SequenceProcessor.processSequence(SequenceProcessor.java:63)
at com.metavante.eds.los.services.LOSBusinessServiceBase.execute(LOSBusinessServiceBase.java:204)
at com.metavante.eds.los.services.LOSBusinessServicesImpl.losRequestDecision(LOSBusinessServicesImpl.java:315)
at com.metavante.eds.los.services.LOSBusinessServicesImpl$$FastClassByCGLIB$$157720c2.invoke( )
at net.sf.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
at org.springframework.aop.framework.Cglib2AopProxy$CglibMethodInvocation.invokeJoinpoint(Cglib2AopProxy.java:700)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at org.springframework.security.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:66)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at org.springframework.aop.framework.Cglib2AopProxy$DynamicAdvisedInterceptor.intercept(Cglib2AopProxy.java:635)
at com.metavante.eds.los.services.LOSBusinessServicesImpl$$EnhancerByCGLIB$$658d4a42.losRequestDecision( )
at sun.reflect.GeneratedMethodAccessor745.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
at java.lang.reflect.Method.invoke(Method.java:508)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:198)
at com.sun.proxy.$Proxy52.losRequestDecision(Unknown Source)
at sun.reflect.GeneratedMethodAccessor745.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
at java.lang.reflect.Method.invoke(Method.java:508)
at org.codehaus.xfire.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:59)
at org.codehaus.xfire.service.binding.ServiceInvocationHandler.sendMessage(ServiceInvocationHandler.java:320)
at org.codehaus.xfire.service.binding.ServiceInvocationHandler$1.run(ServiceInvocationHandler.java:86)
at org.codehaus.xfire.service.binding.ServiceInvocationHandler.execute(ServiceInvocationHandler.java:134)
at org.codehaus.xfire.service.binding.ServiceInvocationHandler.invoke(ServiceInvocationHandler.java:109)
at org.codehaus.xfire.handler.HandlerPipeline.invoke(HandlerPipeline.java:131)
at org.codehaus.xfire.transport.DefaultEndpoint.onReceive(DefaultEndpoint.java:64)
at org.codehaus.xfire.transport.AbstractChannel.receive(AbstractChannel.java:38)
at org.codehaus.xfire.transport.http.XFireServletController.invoke(XFireServletController.java:304)
at org.codehaus.xfire.transport.http.XFireServletController.doService(XFireServletController.java:129)
at org.codehaus.xfire.spring.remoting.XFireServletControllerAdapter.handleRequest(XFireServletControllerAdapter.java:67)
at org.codehaus.xfire.spring.remoting.XFireExporter.handleRequest(XFireExporter.java:48)
at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:875)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:807)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:571)
at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:511)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1235)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:779)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:478)
at com.ibm.ws.webcontainer.servlet.ServletWrapperImpl.handleRequest(ServletWrapperImpl.java:178)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.invokeTarget(WebAppFilterChain.java:143)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:96)
at com.metavante.dx.filter.ContextCleaningFilter.doFilter(ContextCleaningFilter.java:57)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:236)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:197)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:90)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:969)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1109)
at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:82)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:963)
at com.ibm.ws.webcontainer.WSWebContainer.handleRequest(WSWebContainer.java:1817)
at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:382)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:465)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewRequest(HttpInboundLink.java:532)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.processRequest(HttpInboundLink.java:318)
at com.ibm.ws.http.channel.inbound.impl.HttpICLReadCallback.complete(HttpICLReadCallback.java:88)
at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:175)
at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:138)
at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:204)
at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:775)
at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:905)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1909)
or
ERROR [WebContainer : 9] [2018-11-29 19:09:38,620] log.UatErrorLogger - 4915e949-5603-460b-9b05-3dd0700d3077
java.lang.NullPointerException
at com.metavante.uat.rulescustomization.shared.calcmgr.JavaCalcMgrContextImpl.runSelectedCalcs(JavaCalcMgrContextImpl.java:108)
at com.metavante.uat.rulescustomization.shared.calcmgr.JavaCalcMgrContextImpl.runCalc(JavaCalcMgrContextImpl.java:79)
at com.metavante.dx.services.common.utils.UATRulesHelper.executeRules(UATRulesHelper.java:333)
at com.metavante.dx.services.common.handlers.StepNavOffRulesHandler.excecuteStepNavOffRules(StepNavOffRulesHandler.java:108)
at com.metavante.dx.services.common.handlers.StepNavOffRulesBaseHandler.executeHandler(StepNavOffRulesBaseHandler.java:91)
at com.metavante.dx.services.flow.processor.SequenceProcessor.executeHandler(SequenceProcessor.java:159)
at com.metavante.dx.services.flow.processor.SequenceProcessor.executeWorkFlow(SequenceProcessor.java:125)
at com.metavante.dx.services.flow.processor.SequenceProcessor.processSequence(SequenceProcessor.java:63)
at com.metavante.eds.los.services.LOSBusinessServiceBase.execute(LOSBusinessServiceBase.java:204)
at com.metavante.eds.los.services.LOSBusinessServicesImpl.losEnterApplicants(LOSBusinessServicesImpl.java:263)
at com.metavante.eds.los.services.LOSBusinessServicesImpl$$FastClassByCGLIB$$157720c2.invoke( )
at net.sf.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
at org.springframework.aop.framework.Cglib2AopProxy$CglibMethodInvocation.invokeJoinpoint(Cglib2AopProxy.java:700)
... View more
11-29-2018
01:35 PM
I'm looking to send junk data to nullque on our heavy forwarder and I only want to key in on specific events in the raw data. I'm looking for a regex to only forward data that contains events below. I'm looking to key on the first few events, since the junk data does not contain the piped ERROR event.
So, if event contains:
"ERROR [WebContainer : 13] [2018-11-29 13:44:23,800] log.UatErrorLogger - |ERROR|"
I want to forward all event data to the indexers. Should we key on "log.UatErrorLogger - |ERROR|"?
Keep:
ERROR [WebContainer : 13] [2018-11-29 13:44:23,800] log.UatErrorLogger - |ERROR|2018-11-29 13:44:23.800 - CST|112|P112736|ERROR|||9bb9e341-bcc4-4902-832d-74c0764237e7||COMPLETED|server14.prod.localserver14||-2|SRM-44116A-MSG|Thread[WebContainer : 13,5,main]|2018-11-29 13:44:23.800 - CST||null|10.237.165.50|||IPV6|SRM|RELEASE|WAS8|BUSINESS_TIER|2.0|UNK|||||||||
... View more
08-26-2018
06:10 AM
1 Karma
this worked, thank you. @renjith.nair, please copy your suggestion into the answers section, I will so you get credit.
Here's the final result.
index=global_foo sourcetype=prd_global_bar_log firm_name="" start_time="" firm_number=""
| strcat firm_name " - Firm Number: " firm_number AS Firm
| bin _time span=60d
| eventstats avg(duration_minutes) as avg_time by Firm
| eval perc_of_change=round(((duration_minutes-avg_time)/duration_minutes)*100,2)
| where perc_of_change > 15
| eval date_wday_new=if(date_wday="sunday","1. Sunday",if(date_wday="monday","2. Monday",if(date_wday="tuesday","3. Tuesday",if(date_wday="wednesday","4. Wednesday",if(date_wday="thursday","5. Thursday",if(date_wday="friday","6. Friday",if(date_wday="saturday","7. Saturday","unknown")))))))
| chart values(duration_minutes) as run_time by Firm date_wday_new
| appendcols
[ index=global_foo sourcetype=prd_global_bar_log firm_name="" start_time="" firm_number=""
| strcat firm_name " - Firm Number: " firm_number AS Firm
| bin _time span=60d
| eventstats avg(duration_minutes) as avg_time by Firm
| eval perc_of_change=round(((duration_minutes-avg_time)/duration_minutes)*100,2)
| where perc_of_change > 15
| stats first(avg_time) as Average by Firm]
| rename "2. Monday" as Monday
| rename "3. Tuesday" as Tuesday
| rename "4. Wednesday" as Wednesday
| rename "5. Thursday" as Thursday
| rename "6. Friday" as Friday
| fields - firm_name
| fillnull value="."
... View more
08-25-2018
05:29 AM
I've created a chart that only shows run times above a 60 day average and it's corresponding average, which works perfectly. However, now my users are looking to narrow these to occurrences that are 15% and higher than said average, evidently it's too difficult to look at the numbers I am already presenting. Any suggestions based on my existing search I have working?
index=global_foo sourcetype=prd_global_bar_log firm_name="*" start_time="*" firm_number="*"
| strcat firm_name " - Firm Number: " firm_number AS Firm
| bin _time span=60d
| eventstats avg(duration_minutes) as avg_time by Firm
| where duration_minutes > avg_time
| eval date_wday_new=if(date_wday="sunday","1. Sunday",if(date_wday="monday","2. Monday",if(date_wday="tuesday","3. Tuesday",if(date_wday="wednesday","4. Wednesday",if(date_wday="thursday","5. Thursday",if(date_wday="friday","6. Friday",if(date_wday="saturday","7. Saturday","unknown")))))))
| chart values(duration_minutes) as run_time by Firm date_wday_new
| appendcols
[ search index=global_foo sourcetype=prd_global_bar_log firm_name="*" start_time="*" firm_number="*"
| stats avg(duration_minutes) as Average by firm_name]
... View more
08-23-2018
11:47 AM
1 Karma
think I may have gotten it
mysearch
| bin _time span=30d
| eventstats avg(duration_minutes) as avg_time by firm_name
| where duration_minutes > avg_time
| chart values(duration_minutes) as run_time by firm_name date_wday useother=f
... View more
08-23-2018
10:31 AM
Hello - we are looking to present daily run time values of events in a search, but only display the daily run time values that are greater than the calculated 30 day run time average.
I've tried the eventstats with a where command, but doesn't seem like where plays nice with the values command. I tried using first instead of values, but that seems to skew the daily results. any suggestions? perhaps a sub search?
our_search
| eventstats values(duration_minutes) as run_time by firm_name
| eventstats avg(duration_minutes) as avg_time by firm_name
| where run_time>avg_time
| timechart span=1d values(run_time) by firm_name
... View more
04-20-2018
11:00 AM
thanks, unfortunetly still seeing the same behavior. not breaking before "{|type" with in the json bracket.
[{|type=HTTP Server||ruleName=Default HTTP Alert Rule||ResponseCode=200||testId=126574||testName=RAPIDReviewer - Prod||active=1||alertId=13123086||ruleExpression=Error Type is any||dateStart=2018-03-11 06:10:38||ruleId=387415||violationCount=3|}{|type=HTTP Server||ruleName=Default HTTP Alert Rule||ResponseCode=200||testId=126574||testName=RAPIDReviewer - Prod||active=1||alertId=13123086||ruleExpression=Error Type is any||dateStart=2018-03-11 06:10:38||ruleId=387415||violationCount=3|}{|type=HTTP Server||ruleName=Default HTTP Alert Rule||ResponseCode=200||testId=126574||testName=RAPIDReviewer - Prod||active=1||alertId=13123086||ruleExpression=Error Type is any||dateStart=2018-03-11 06:10:38||ruleId=387415||violationCount=3|}]
[{|type=HTTP Server||ruleName=Default HTTP Alert Rule||ResponseCode=200||testId=126574||testName=RAPIDReviewer - Prod||active=1||alertId=13123086||ruleExpression=Error Type is any||dateStart=2018-03-11 06:10:38||ruleId=387415||violationCount=3|}{|type=HTTP Server||ruleName=Default HTTP Alert Rule||ResponseCode=200||testId=126574||testName=RAPIDReviewer - Prod||active=1||alertId=13123086||ruleExpression=Error Type is any||dateStart=2018-03-11 06:10:38||ruleId=387415||violationCount=3|}{|type=HTTP Server||ruleName=Default HTTP Alert Rule||ResponseCode=200||testId=126574||testName=RAPIDReviewer - Prod||active=1||alertId=13123086||ruleExpression=Error Type is any||dateStart=2018-03-11 06:10:38||ruleId=387415||violationCount=3|}]
[{|type=HTTP Server||ruleName=Default HTTP Alert Rule||ResponseCode=200||testId=126574||testName=RAPIDReviewer - Prod||active=1||alertId=13123086||ruleExpression=Error Type is any||dateStart=2018-03-11 06:10:38||ruleId=387415||violationCount=3|}{|type=HTTP Server||ruleName=Default HTTP Alert Rule||ResponseCode=200||testId=126574||testName=RAPIDReviewer - Prod||active=1||alertId=13123086||ruleExpression=Error Type is any||dateStart=2018-03-11 06:10:38||ruleId=387415||violationCount=3|}{|type=HTTP Server||ruleName=Default HTTP Alert Rule||ResponseCode=200||testId=126574||testName=RAPIDReviewer - Prod||active=1||alertId=13123086||ruleExpression=Error Type is any||dateStart=2018-03-11 06:10:38||ruleId=387415||violationCount=3|}]
[{|type=HTTP Server||ruleName=Default HTTP Alert Rule||ResponseCode=200||testId=126574||testName=RAPIDReviewer - Prod||active=1||alertId=13123086||ruleExpression=Error Type is any||dateStart=2018-03-11 06:10:38||ruleId=387415||violationCount=3|}{|type=HTTP Server||ruleName=Default HTTP Alert Rule||ResponseCode=200||testId=126574||testName=RAPIDReviewer - Prod||active=1||alertId=13123086||ruleExpression=Error Type is any||dateStart=2018-03-11 06:10:38||ruleId=387415||violationCount=3|}{|type=HTTP Server||ruleName=Default HTTP Alert Rule||ResponseCode=200||testId=126574||testName=RAPIDReviewer - Prod||active=1||alertId=13123086||ruleExpression=Error Type is any||dateStart=2018-03-11 06:10:38||ruleId=387415||violationCount=3|}]
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
10-29-2020
10:23 AM
|
