Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About karthi2809
karthi2809
Builder
Member since:
12-07-2016
Online
Community Statistics
| Posts | 216 |
| Solutions | 0 |
| Karma Given | 90 |
| Karma Received | 6 |
| Member Since | 12-07-2016 |
Activity Feed
- Posted Re: How to exclude null values in mv fields? on Splunk Search. 13 hours ago
- Posted How to exclude null values in mv fields? on Splunk Search. 15 hours ago
- Karma Re: How to compare two fields values counts ? for ITWhisperer. Wednesday
- Karma Re: How to compare two fields values counts ? for Gr0und_Z3r0. Wednesday
- Posted Re: How to compare two fields values counts ? on Dashboards & Visualizations. Wednesday
- Posted Re: How to compare two fields values counts ? on Dashboards & Visualizations. Wednesday
- Posted Re: How to extract a value from fields when using stats()? on Splunk Search. Wednesday
- Karma Re: How to extract a value from fields when using stats()? for yuanliu. Wednesday
- Karma Re: How to extract a value from fields when using stats()? for scelikok. Wednesday
- Karma Re: How to compare two fields values counts ? for ITWhisperer. a week ago
- Posted Re: How to compare two fields values counts ? on Dashboards & Visualizations. a week ago
- Posted Re: How to compare two fields values counts ? on Dashboards & Visualizations. a week ago
- Posted Re: How to extract a value from fields when using stats()? on Splunk Search. a week ago
- Got Karma for Re: How to extract a value from fields when using stats()?. a week ago
- Got Karma for How to extract a value from fields when using stats()?. a week ago
- Posted Re: How to extract a value from fields when using stats()? on Splunk Search. a week ago
- Posted Re: How to extract a value from fields when using stats()? on Splunk Search. a week ago
- Posted Re: How to extract a value from fields when using stats()? on Splunk Search. 2 weeks ago
- Posted Re: How to extract a value from fields when using stats()? on Splunk Search. 2 weeks ago
- Posted How to extract a value from fields when using stats()? on Splunk Search. 2 weeks ago
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
4 weeks ago
The condition is not working for me like('message' ,"%End of GL-import flow%") AND like('tracePoint',"EXCEPTION") ,"SUCCESS", If the message value=End of GL-import flow and tracepoint values=Exception then it should be SUCCESS.Screen shot attached below index="mulesoft" applicationName="p-oracle-finance-ext" environment=DEV
(*End of GL-import flow*) OR (tracePoint="EXCEPTION") OR (priority="WARN" AND message="GLImport Job Already Running, Please wait for the job to complete*")
OR ( message="End of GL Import process - No files found for import to ISG")
| rename content.File.fstatus as Status
| eval Status=case(
like('Status' ,"SUCCESS") ,"SUCCESS",
like('message' ,"%End of GL-import flow%") AND like('tracePoint',"EXCEPTION") ,"SUCCESS",
like('tracePoint',"EXCEPTION") AND like('priority' ,"%ERROR%"),"ERROR",
like('Status',"ERROR"),"ERROR",
like('priority',"WARN"),"WARN",
like('priority',"GLImport Job Already Running, Please wait for the job to complete%"),"WARN",
like('message',"%End of GL Import process - No files found for import to ISG%"), "ERROR", 1==1, "")
| stats values(content.File.fid) as "TransferBatch/OnDemand" values(content.File.fname) as "BatchName/FileName" values(content.File.fprocess_message) as ProcessMsg
values(Status) as Status values(content.File.isg_file_batch_id) as OracleBatchID values(content.File.total_rec_count) as "Total Record Count" values(message) as message values(timestamp) as timestamp values(content.errorType) as errorType by correlationId
| eval ProcessMsg= coalesce(ProcessMsg,errorType,message)
| eventstats min(timestamp) AS Start_Time, max(timestamp) AS End_Time by correlationId
| eval StartTime=round(strptime(Start_Time, "%Y-%m-%dT%H:%M:%S.%QZ"))
| eval EndTime=round(strptime(End_Time, "%Y-%m-%dT%H:%M:%S.%QZ"))
| eval ElapsedTimeInSecs=EndTime-StartTime
| eval "Total Elapsed Time"=strftime(ElapsedTimeInSecs,"%H:%M:%S")
| table Status Start_Time "TransferBatch/OnDemand" "BatchName/FileName" ProcessMsg OracleBatchID "Total Record Count" ElapsedTimeInSecs "Total Elapsed Time" correlationId
| join correlationId type=left
[ search index="mulesoft" applicationName="p-oracle-finance-ext" environment=DEV
(message="API: START: /v1/revpro-to-oracle/onDemand*") OR (message="API: START: /v1/fin_Zuora_GL_Revpro_JournalImport") OR (message="API: START: /v1/revproGLImport/onDemand*")
| eval JobType=case(
like('message',"API: START: /v1/revproGLImport/onDemand%"),"OnDemand",
like('message',"API: START: /v1/revpro-to-oracle/onDemand%"),"OnDemand",
like('message',"API: START: /v1/fin_Zuora_GL_Revpro_JournalImport"),"Scheduled")
| table JobType correlationId ]
| table Status JobType Start_Time "TransferBatch/OnDemand" "BatchName/FileName" ProcessMsg OracleBatchID "Total Record Count" ElapsedTimeInSecs "Total Elapsed Time" correlationId
| fields - ElapsedTimeInSecs
| where JobType!=" "
... View more
4 weeks ago
Hi, I am using multiple case conditions but the condition is not matching. In the third line of the code used AND condition for message=*End of GL* AND tracepoint=*Exception* .If the condition match make to success.In my case its showing both SUCCESS and ERROR in the table. | eval Status=case(
like('Status' ,"%SUCCESS%") ,"SUCCESS",
like('message' ,"%End of GL-import flow%") AND like('tracePoint',"%EXCEPTION%") ,"SUCCESS",
like('tracePoint',"%EXCEPTION%") AND like('priority' ,"%ERROR%"),"ERROR",
like('Status',"%ERROR%"),"ERROR",
like('priority',"%WARN%"),"WARN",
like('priority',"GLImport Job Already Running, Please wait for the job to complete%"),"WARN",
like('message',"%End of GL Import process - No files found for import to ISG%"), "ERROR", 1==1, "")
... View more
4 weeks ago
Hi Guys, I am trying fetch details using stats.In this query I am trying get status from the below conditions and when i am populating in the table.The ProccesMsg has some values but in failure conditions i will add message in the result so i used coalesec to map both the result and need to populate in the table.But i cant able to populate the result.What mistake i did here. index="mulesoft" applicationName="ext" environment=DEV
(*End of GL-import flow*) OR (message="GLImport Job Already Running, Please wait for the job to complete*") OR (message="process - No files found for import to ISG") |rename content.File.fstatus as Status|eval Status=case( like('Status' ,"%SUCCESS%"),"SUCCESS",like('Status',"%ERROR%"),"ERROR",like('message',"%process - No files found for import to ISG%"), "ERROR",like('message',"GLImport Job Already Running, Please wait for the job to complete"), "WARN")
| eval ProcessMsg= coalesce(ProcessMsg,message)
|stats values(content.File.fid) as "TransferBatch/OnDemand" values(content.File.fname) as "BatchName/FileName" values(content.File.fprocess_message) as ProcessMsg
values(Status) as Status values(content.File.isg_file_batch_id) as OracleBatchID values(content.File.total_rec_count) as "Total Record Count" by correlationId
|table Status Start_Time "TransferBatch/OnDemand" "BatchName/FileName" ProcessMsg OracleBatchID "Total Record Count" ElapsedTimeInSecs "Total Elapsed Time" correlationId
... View more
Labels
- Labels:
-
fields
4 weeks ago
Hi Guys, I am try to exclude field value . need to exclude message=""API:START: /v1/Journals_outbound" index="mulesoft" applicationName="ext" environment=DEV (message="API: START: /v1/Journals_outbound")
OR (message="API: START: /v1/revpro-to-oracle/onDemand") OR (message="API: START: /v1/fin_Zuora_GL_Revpro_JournalImport")
OR (message="API: START: /v1/revproGLImport/onDemand*") | search NOT message IN ("API: START: /v1/Journals_outbound")
... View more
Labels
- Labels:
-
fields
4 weeks ago
Hi Guys, Thanks in Advance. I am using transaction command to fetch unique correlationId and i have multiple conditions to be match.below is my query .I am getting result.But not in proper way index="mulesoft" (message="API: START: /v1/fin_outbound") OR
(message="API: START: /v1/onDemand") OR (message="API: START: /v1/fin_Import") OR (message="API: START: /v1/onDemand") OR (*End of GL-import flow*) OR (tracePoint="EXCEPTION") OR (priority="WARN" AND *GLImport Job Already Running, Please wait for the job to complete*) OR (*End of GL Import process - No files found for import to ISG*) |transaction correlationId | search NOT message IN ("API: START: /v1/fin_Zuora_GL_Revpro_Journals_outbound")|rename content.File.fid as "TransferBatch/OnDemand" content.File.fname as "BatchName/FileName" content.File.fprocess_message as ProcessMsg content.File.fstatus as Status content.File.isg_file_batch_id as OracleBatchID content.File.total_rec_count as "Total Record Count"|eventstats min(timestamp) AS Start_Time, max(timestamp) AS End_Time by correlationId| eval JobType=case(like('message',"%API: START: /v1/onDemand%"),"OnDemand",like('message',"%API: START: /v1/onDemand%"),"OnDemand",like('message',"API: START: /v1/fin_Import"),"Scheduled")| eval Status=case(like('Status' ,"%SUCCESS%"),"SUCCESS", like('Status',"%ERROR%"),"ERROR",like('tracePoint',"%EXCEPTION%"),"ERROR",like('priority',"%WARN%"),"WARN",like('message',"%End of GL Import process - No files found for import to ISG%"),"ERROR")| eval ProcessMsg= coalesce(ProcessMsg,message)
| eval StartTime=round(strptime(Start_Time, "%Y-%m-%dT%H:%M:%S.%QZ"))
| eval EndTime=round(strptime(End_Time, "%Y-%m-%dT%H:%M:%S.%QZ"))
| eval ElapsedTimeInSecs=EndTime-StartTime
| eval "Total Elapsed Time"=strftime(ElapsedTimeInSecs,"%H:%M:%S")
|rename Logon_Time as Timestamp
|table Status Start_Time JobType "TransferBatch/OnDemand" "BatchName/FileName" ProcessMsg OracleBatchID "Total Record Count" ElapsedTimeInSecs "Total Elapsed Time" correlationId|fields - ElapsedTimeInSecs | search Status="*" Screen shot added in that i want to show only yellow marked values
... View more
Labels
- Labels:
-
other
a month ago
Thanks in Advance . I need to show status If the P_RETURN_STATUS is success then it SUCCESS,IF error then ERROR ,IF P_RETURN_STATUS is error and P_MESSAGE is NO NEW BATCH EXISTS as SUCCESS .But already the P_RETURN_STATUS having values as error .How to override when using AND condition | eval P_RETURN_STATUS=case(like('P_RETURN_STATUS' ,"%SUCCESS%"),"SUCCESS", like('P_RETURN_STATUS',"%ERROR%"),"ERROR",like('P_MESSAGE',"%NO NEW BATCH EXISTS%") AND like('P_RETURN_STATUS',"%ERROR%"),"SUCCESS")
... View more
Labels
- Labels:
-
fields
a month ago
Thanks I am trying to extract three fields in below given message "message" : "BatchId : 7, RequestId : 100532188, Msg : Batch status to be update to SUCCESS", Extract : BatchId ,RequestId ,Status need to extract SUCCESS . | rex "BatchId\s*:\s*(?<batch>[^,]+),\s*RequestId\s:\s*(?<RequestID>[^,]+),\s*Msg : Batch status to be update to (?<Status>\w+)"
... View more
- Tags:
- json
a month ago
Thanks you made my day.I need to show in the dashbaord table how to use table after stats and i am getting warning message 'list' command: Limit of '100' for values reached. Additional values may have been truncated or ignored. And your mind-reading one and three is working as expected result and i have a queries that my content list have 134 batch_ID .But the splunk extracted and shows 26 counts, rest of the things are not showing .how can i handle this.I need to fix that issue.Will this need to be extract from props and transform.conf file while indexing the data.Please help me to fix it.
... View more
03-15-2024
05:01 PM
Hi @yuanliu I attached with correlationId .So if we extract the result the result go beyond pagination in the table as well right. {
"correlationId" : "490cfba0e9f3c770b40",
"message" : "Processed all revenueData",
"tracePoint" : "FLOW",
"priority" : "INFO",
"category" : "prc-api",
"elapsed" : 472,
"locationInfo" : {
"lineInFile" : "205",
"component" : "json-logger:logger",
"fileName" : "G.xml",
"rootContainer" : "syncFlow"
},
"timestamp" : "2024-03-06T20:57:17.119Z",
"content" : {
"List of Batches Processed" : [ {
"P_REQUEST_ID" : "1005377",
"P_BATCH_ID" : "1",
"P_TEMPLATE" : "Template",
"P_PERIOD" : "MAR-24",
"P_MORE_BATCHES_EXISTS" : "Y",
"P_FILE_NAME" : "Template20240306102852.csv",
"P_MESSAGE" : "Data loaded in RevPro Successfully - Success: 10000 Failed: 0",
"P_RETURN_STATUS" : "SUCCESS"
}, {
"P_REQUEST_ID" : "1005177",
"P_BATCH_ID" : "2",
"P_TEMPLATE" : "Template",
"P_PERIOD" : "MAR-24",
"P_MORE_BATCHES_EXISTS" : "Y",
"P_FILE_NAME" : "Template20240306102959.csv",
"P_MESSAGE" : "Data loaded in RevPro Successfully - Success: 10000 Failed: 0",
"P_RETURN_STATUS" : "SUCCESS"
}, {
"P_REQUEST_ID" : "1005377",
"P_BATCH_ID" : "3",
"P_TEMPLATE" : "Template",
"P_PERIOD" : "MAR-24",
"P_MORE_BATCHES_EXISTS" : "Y",
"P_ZUORA_FILE_NAME" : "Template20240306103103.csv",
"P_MESSAGE" : "Data loaded in RevPro Successfully - Success: 10000 Failed: 0",
"P_RETURN_STATUS" : "SUCCESS"
}, {
"P_REQUEST_ID" : "1005377",
"P_BATCH_ID" : "4",
"P_TEMPLATE" : "Template",
"P_PERIOD" : "MAR-24",
"P_MORE_BATCHES_EXISTS" : "Y",
"P_ZUORA_FILE_NAME" : "Template20240306103205.csv",
"P_MESSAGE" : "Data loaded in RevPro Successfully - Success: 10000 Failed: 0",
"P_RETURN_STATUS" : "SUCCESS"
}, {
"P_REQUEST_ID" : "1005377",
"P_BATCH_ID" : "5",
"P_TEMPLATE" : "Template",
"P_PERIOD" : "MAR-24",
"P_MORE_BATCHES_EXISTS" : "Y",
"P_FILE_NAME" : "Template20240306103306.csv",
"P_MESSAGE" : "Data loaded in RevPro Successfully - Success: 10000 Failed: 0",
"P_RETURN_STATUS" : "SUCCESS"
}, {
"P_REQUEST_ID" : "100532177",
"P_BATCH_ID" : "6",
"P_TEMPLATE" : "ATVI_Transaction_Template",
"P_PERIOD" : "MAR-24",
"P_MORE_BATCHES_EXISTS" : "Y",
"P_ZUORA_FILE_NAME" : "rev_ATVI_Transaction_Template20240306103407.csv",
"P_MESSAGE" : "Data loaded in RevPro Successfully - Success: 10000 Failed: 0",
"P_RETURN_STATUS" : "SUCCESS"
}
... View more
03-15-2024
09:49 AM
Hello to all,
I have a multivalue field with a content.errormsg with values and also with a null value. If the null value in the fields it will not showing any results in the output example:
errormsg
closed connection
Empty String
null
needed result:
errormsg
closed connection
Empty String
... View more
Labels
- Labels:
-
fields
03-15-2024
03:20 AM
The value which we are seeing it is in single corellationId.so i want to display like correlationID BatchId RequestID Status 125dfe5 1 2 3 117 112| 1156 Success Success Success 32435sf53 1 2 324 536 643 Success Success
... View more
03-14-2024
08:40 PM
Thanks in Advance.
1.I have a json object as "content.List of Batches Processed{}" and Already splunk extract field as "content.List of Batches Processed{}.BatchID" and count it showing as 26 .But in the "content.List of Batches Processed{}.BatchID" we have 134 records. So i want to extract the multiple JSON values as field.From below logs i want to extract all the values from P_REQUEST_ID,P_BATCH_ID,P_TEMPLATE
Query i tried to fetch the data
| eval BatchID=spath("content.List of Batches Processed{}*", "content.List of Batches Processed{}.P_BATCH_ID"),Request=spath(_raw, "content.List of Batches Processed{}.P_REQUEST_ID")|table BatchID Request
"content" : {
"List of Batches Processed" : [ {
"P_REQUEST_ID" : "177",
"P_BATCH_ID" : "1",
"P_TEMPLATE" : "Template",
"P_PERIOD" : "24",
"P_MORE_BATCHES_EXISTS" : "Y",
"P_ZUORA_FILE_NAME" : "Template20240306102852.csv",
"P_MESSAGE" : "Data loaded in RevPro Successfully - Success: 10000 Failed: 0",
"P_RETURN_STATUS" : "SUCCESS"
}, {
"P_REQUEST_ID" : "1r7",
"P_BATCH_ID" : "2",
"P_TEMPLATE" : "Template",
"P_PERIOD" : "24",
"P_MORE_BATCHES_EXISTS" : "Y",
"P_ZUORA_FILE_NAME" : "Template20240306102852.csv",
"P_MESSAGE" : "Data loaded in RevPro Successfully - Success: 10000 Failed: 0",
"P_RETURN_STATUS" : "SUCCESS"
}, {
"P_REQUEST_ID" : "1577",
"P_BATCH_ID" : "3",
"P_TEMPLATE" : "Template",
"P_PERIOD" : "24",
"P_MORE_BATCHES_EXISTS" : "Y",
"P_ZUORA_FILE_NAME" : "Template20240306102852.csv",
"P_MESSAGE" : "Data loaded in RevPro Successfully - Success: 10000 Failed: 0",
"P_RETURN_STATUS" : "SUCCESS"
}, {
"P_REQUEST_ID" : "16577",
"P_BATCH_ID" : "4",
"P_TEMPLATE" : "Template",
"P_PERIOD" : "24",
"P_MORE_BATCHES_EXISTS" : "Y",
"P_ZUORA_FILE_NAME" : "Template20240306102852.csv",
"P_MESSAGE" : "Data loaded in RevPro Successfully - Success: 10000 Failed: 0",
"P_RETURN_STATUS" : "SUCCESS"
}
.
... View more
Labels
- Labels:
-
field extraction
-
fields
03-14-2024
07:35 AM
Hi Guys, In this case statement i am getting jobType values but i am not getting Status value. I already mentioned the keyword above in the query But why i am not getting . index="mulesoft" applicationName="s-concur-api" environment=DEV timestamp ("onDemand Flow for concur Expense Report file with FileID Started" OR "Exchange Rates Scheduler process started" OR "Exchange Rates Process Completed. File successfully sent to Concur")|transaction correlationId| rename timestamp as Timestamp correlationId as CorrelationId tracePoint as TracePoint content.payload.TargetFileName as TargetFileName
| eval JobType=case(like('message',"%onDemand Flow for concur Expense Report file with FileID Started%"),"OnDemand",like('message',"%Exchange Rates Scheduler process started%"),"Scheduled", true() , "Unknown")| eval Status=case(like('message',"Exchange Rates Process Completed. File sucessfully sent to Concur"),"SUCCESS",like('TracePoint',"%EXCEPTION%"),"ERROR") |table JobType Status
... View more
Labels
- Labels:
-
alert condition
03-13-2024
04:10 AM
How to extract the two fields from the message ? In this need to extract after API: START: /v1/expense/extract/demand/ nagl as one field . demand _con.csv in another field I am extracting |rex field=message max_match=0 "API: START: /v1/expense/extract/odemand/ (?<OnDemandFileName>[^\n]\w+\S+)" API: START: /v1/expense/extract/demand/nagl/demand_con.csv
... View more
Labels
- Labels:
-
field extraction
-
fields
03-12-2024
05:39 AM
Hi @richgalloway As you mentioned match condition in case statement.let me share the query.If i use match i am not getting the Status field index="mule" applicationName="api" environment=DEV timestamp (message="onDemand Flow for concur Expense Report file with FileID Started") OR (message="Exchange Rates Scheduler process started") OR (message="Exchange Rates Process Completed. File successfully sent to Concur*") OR (message="DEV(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur") OR ("TEST(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur") OR ("PRD(SUCCESS): Exchange Rates Interface Run Report - Concur")|transaction correlationId| rename timestamp as Timestamp correlationId as CorrelationId tracePoint as TracePoint content.payload.TargetFileName as TargetFileName
| eval JobType=case(like('message',"%onDemand Flow for concur Expense Report file with FileID Started%"),"OnDemand",like('message',"%Exchange Rates Scheduler process started%"),"Scheduled", true() , "Unknown")
| eval Status=case(like('message',"%Exchange Rates Process Completed. File sucessfully sent to Concur%"),"SUCCESS",match('message',"%(TEST|DEV|PRD)(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur%"),"SUCCESS",like('TracePoint',"%EXCEPTION%"),"ERROR")
|eventstats min(Timestamp) AS Start_Time, max(Timestamp) AS End_Time by CorrelationId
| eval StartTime=round(strptime(Start_Time, "%Y-%m-%dT%H:%M:%S.%QZ"))
| eval EndTime=round(strptime(End_Time, "%Y-%m-%dT%H:%M:%S.%QZ"))
| eval ElapsedTimeInSecs=EndTime-StartTime
| eval "Total Elapsed Time"=strftime(ElapsedTimeInSecs,"%H:%M:%S")
|rename Start_Time as Timestamp
| table Status JobType ElapsedTimeInSecs "Total Elapsed Time" Timestamp CorrelationId message TargetFileName
... View more
03-11-2024
04:20 AM
Hi Guys, Thanks in Advance, How to changes background colour when i am click on the tab should be active.Now its showing active on click.But now i want to change the background colour as well on clicking on the tab. #input_link_split_by.input-link button{
width: 120px !important;
border-top-color: rgb(255, 255, 255);
border-top-style: solid;
border-top-width: 1px;
border-right-color: rgb(255, 255, 255);
border-right-style: solid;
border-right-width: 1px;
border-left-color: rgb(255, 255, 255);
border-left-style: solid;
border-left-width: 1px;
border-top-left-radius: 10px;
border-top-right-radius: 10px;
}
... View more
Labels
- Labels:
-
Classic dashboard
-
CSS
-
javascript
03-11-2024
03:42 AM
Hi Guys, Thanks in Advance. So i have case conditions to be match in my splunk query.below the message based on correlationID.I want to show JobType and status. In status i added case like to match the conditions with message field.For the all three environment the message would be same but the environment name only differe.I added all the three in case. So how can we use wildcard in the case statement or any other different solutions to shorten the query. (message="DEV(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur") OR ("TEST(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur") OR ("PRD(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur") (message="onDemand Flow for concur Expense Report file with FileID Started") OR (message="Exchange Rates Scheduler process started") OR (message="Exchange Rates Process Completed. File successfully sent to Concur*") OR (message="DEV(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur") OR ("TEST(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur") OR ("PRD(SUCCESS): Exchange Rates Interface Run Report - Concur")|transaction correlationId| rename timestamp as Timestamp correlationId as CorrelationId tracePoint as TracePoint content.payload.TargetFileName as TargetFileName | eval JobType=case(like('message',"%onDemand Flow for concur Expense Report file with FileID Started%"), "OnDemand",like('message',"%Exchange Rates Scheduler process started%"),"Scheduled", true() , "Unknown") | eval Status=case(like('message',"%Exchange Rates Process Completed. File sucessfully sent to Concur%"),"SUCCESS", like('message',"%TEST(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur%"),"SUCCESS", like('message',"%DEV(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur%"),"SUCCESS", like('message',"%PRD(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur"%"),"SUCCESS",like('TracePoint',"%EXCEPTION%"),"ERROR")
... View more
Labels
- Labels:
-
other
-
transaction
03-06-2024
07:34 AM
Thanks in Advance. 1.I have a json object as content.payload{} and need to extract the values inside the payload.Already splunk extract field as content.payload{} and the result as AP Import flow related results : Extract has no AP records to Import into Oracle". But I want to extract all the details inside the content.payload. How can extract from splunk query or from props.conf file.I tried spath but cant able to get it. 2.How to rename wildcard value of content.payload{}* ? "content" : {
"jobName" : "AP2",
"region" : "NA",
"payload" : [ {
"GL Import flow processing results" : [ {
"concurBatchId" : "4",
"batchId" : "6",
"count" : "50",
"impConReqId" : "1",
"errorMessage" : null,
"filename" : "CONCUR_GL.csv"
} ]
}, "AP Import flow related results : Extract has no AP records to Import into Oracle" ]
},
... View more
Labels
- Labels:
-
eval
-
field extraction
-
fields
03-04-2024
09:34 AM
Yes i tried but in my case need to extract whole content.payload as one field.
... View more
03-04-2024
04:15 AM
Hi , How to extract the fields from below json logs. Here we have fields like content.jobname and content.region .But i need to extract content.payload details.how to extract the value. "content" : {
"jobName" : "PAY",
"region" : "NZ",
"payload" : [ {
"Aresults" : [ {
"count" : "6",
"errorMessage" : null,
"filename" : "9550044.csv"
} ]
}, {
"Bresults" : [ {
"count" : "6",
"errorMessage" : null,
"filename" : "9550044.csv"
} ]
} ]
}
... View more
Labels
- Labels:
-
field extraction
02-27-2024
02:04 AM
Thanks in Advance. In my scenario i want to club the the result using correlationID .so i used transaction command .Below query have multiple conditions are checking from same field called message.So i want to exclude some of the search string in this.So after the transaction i tried to exclude the search string but i am not getting the result. index="mulesoft" applicationName="concur" environment=DEV
("Concur Ondemand Started*") OR (message="Expense Extract Process started for jobName :*") OR ("Before Calling flow archive-Concur*") OR (message="Concur AP/GL File/s Process Status*") OR (message="Records Count Validation Passed*") OR (message="API: START: /v1/expense/extract/ondemand*" OR message="API: START: /v1/fin*") OR (message="Post - Expense Extract processing to Oracle*") | transaction correlationId| search NOT ("*Failed Processing Concur*")| rename content.SourceFileName as SourceFileName content.JobName as JobName content.loggerPayload.archiveFileName AS ArchivedFileName content.payload{} as Response content.Region as Region content.ConcurRunId as ConcurRunId content.HeaderCount as HeaderCount content.SourceFileDTLCount
as SourceFileDTLCount content.APRecordsCountStaged
as APRecordsCountStaged content.GLRecordsCountStaged
as GLRecordsCountStaged
| eval "FileName/JobName"= coalesce(SourceFileName,JobName)| eval JobType=case(like('message',"%Concur Ondemand Started%"),"OnDemand",like('message',"Expense Extract Process started%"),"Scheduled", true() , "Unknown")| eval Status=case(like('message' ,"%Concur AP/GL File/s Process Status%"),"SUCCESS", like('message',"%EXCEPTION%"),"ERROR")
|table correlationId "FileName/JobName" Status ArchivedFileName JobType Response Region ConcurRunId HeaderCount SourceFileDTLCount APRecordsCountStaged GLRecordsCountStaged
... View more
Labels
- Labels:
-
eval
-
fields
-
join
-
subsearch
-
transaction
02-26-2024
05:13 AM
Hi @gcusello @ Splunk dashboard performance Issue Let me explain my requirement properly. I have message field and i need to extract multiple values from message fileds .for that is used multiple joins so its dashboard taking time to load fast. So as you mention in the answer use stats command .I tried to used stats but i cant able to get it in table . In real time senario: I am giving field with keywords Three are two jobtype xxx and yyy Message : "concur ondemand" and "expense" --- Started Successfuly. Message : "Error " ---Error Message : Progress completed ------ completed and we have unique correlationID.Based on correlation ID we need find out the result. I will copy paste that you suggested to using stats but i am not well in that can you please help to fix the issue. index="xxx" applicationName="api" environment=DEV timestamp correlationId tracePoint message ("Concur Ondemand Started*") OR (message="Expense Extract Process started for jobName : AP/GL Extract V.3.0*") OR (trace=ERROR) OR ("Before Calling flow archive-Concur*") OR (message="Concur AP/GL File/s Process Status*")|dedup correlationId
| rename content.SourceFileName as SourceFileName content.JobName as JobName
| eval "FileName/JobName"= coalesce(SourceFileName,JobName)
| rename timestamp as Timestamp correlationId as CorrelationId tracePoint as TracePoint message as Message
| eval JobType=case(like('Message',"%Concur Ondemand Started%"), "OnDemand", like('Message',"%Expense Extract Process started for jobName : *%"), "Scheduled")
| eval Message=trim(Message,"\"")
| rename correlationId as CorrelationId tracePoint as TracePoint message as Message
| rename content.loggerPayload.archiveFileName AS ArchivedFileName
| eval Status=case(like('Message' ,"%Concur AP/GL File/s Process Status%"),"SUCCESS", like('TracePoint',"%EXCEPTION%"),"ERROR")
| eval Response= coalesce(Response,Message)
| eval Status=if(TracePoint="ERROR","ERROR",Status)
| join CorrelationId type=left
[ search index="xxx" applicationName="api" | stats
earliest(timestamp) AS Timestamp
values(TracePoint) AS TracePoint
values(Response) AS Response
values(JobType) AS JobType
values(Status) AS Status
values("FileName/JobName") AS "FileName/JobName"
values(Message) AS Message
BY CorrelationId] Status FileName/JobNam JobType ArchivedFileName CorrelationId Timestamp SUCCESS karthi xxx test1 2essrfsf4dgs SUCCESS priya yyy test2 46dsfh68
... View more
Contact Me
| Online Status |
Online
|
| Date Last Visited |
15 hours ago
|
Karma from
| User | Karma Count |
|---|---|
| 2 | |
| 1 | |
| 1 | |
| 1 | |
| 1 |
