Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About karthi2809
karthi2809
Builder
Member since:
12-07-2016
a week ago
Community Statistics
| Posts | 294 |
| Solutions | 0 |
| Karma Given | 116 |
| Karma Received | 6 |
| Member Since | 12-07-2016 |
Activity Feed
- Posted How to rename dynamic fields ? on Splunk Search. a week ago
- Posted Re: How to filter comma separate keywords in splunk dashboard using text box? on Splunk Search. 12-09-2024 03:54 AM
- Posted How to filter comma separate keywords in splunk dashboard using text box? on Splunk Search. 12-06-2024 05:51 AM
- Posted Re: How to filter events using text box values? on Splunk Search. 11-29-2024 03:34 AM
- Posted Re: How to filter events using text box values? on Splunk Search. 11-19-2024 03:58 AM
- Posted Re: How to filter events using text box values? on Splunk Search. 11-19-2024 12:58 AM
- Posted How to filter events using text box values? on Splunk Search. 11-19-2024 12:29 AM
- Tagged How to filter events using text box values? on Splunk Search. 11-19-2024 12:29 AM
- Karma Re: How to extract fields from source? for gcusello. 10-25-2024 03:28 AM
- Karma Re: How to extract fields from source? for Jawahir. 10-25-2024 03:28 AM
- Posted How to extract fields from source? on Splunk Search. 10-25-2024 02:33 AM
- Posted How to change UST timezone to PST time? on Dashboards & Visualizations. 09-30-2024 07:54 AM
- Posted Anypoint studio to splunk logs missing? on Getting Data In. 06-26-2024 06:04 AM
- Posted Re: Collecting server logs without installing Splunk UF? on Getting Data In. 06-19-2024 04:41 AM
- Karma Re: Collecting server logs without installing Splunk UF? for gcusello. 06-14-2024 06:52 AM
- Posted Collecting server logs without installing Splunk UF? on Getting Data In. 06-14-2024 03:04 AM
- Posted Re: Link url in splunk dashboard? on Splunk Dev. 06-05-2024 06:34 AM
- Posted Re: How to filter multivalue null values? on Splunk Search. 06-03-2024 08:08 AM
- Karma Re: How to filter multivalue null values? for bowesmana. 06-03-2024 08:07 AM
- Posted Re: How to filter multivalue null values? on Splunk Search. 05-31-2024 04:36 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
05-23-2024
06:24 PM
Yes i am used the below drilldown. Instead of full url in column want to use Click here name.
... View more
05-23-2024
09:18 AM
Hi All, In the table i have URL .So if i am clicking on the URL it will redirect existing dashboard. Now i want to show only click here .If i click then existing dashboard is to be open. Instead URL value i need click here and to open the URL This is my table Name Interface Link DSR1 DSR1 www.google.com DSR2 DSR2 www.splunk.com
... View more
Labels
- Labels:
-
simple XML
05-22-2024
11:25 PM
Hi @gcusello Got it thanks , I dint defined in lookup definition. Now its mapping .One more thing i just want to add table name as URL in that it will shows Click here. Inside that I need to map the URL.
... View more
05-22-2024
07:43 AM
Yes i copy pasted the same payLoadInterface into csv file.But i dont know why is not coming .And how to check the values from lookup file is getting populated The values like DSR_TEST,DSR_TEST1,DSR_TEST2
... View more
05-22-2024
07:25 AM
Hi @gcusello This my lookup InterfaceName Link DSR_TEST https://docs.splunk.com/Documentation/Splunk/9.2.1/SearchReference/Lookup?_gl=1*1w7wkaf*_ga*MTYzMTg2Njc5NC4xNzExOTgxMTg4*_ga_GS7YF8S63Y*MTcxNjM4NTE1Ni41OS4xLjE3MTYzODYxMDMuNTYuMC4w*_ga_5EPM2P39FV*MTcxNjM4NTE1Ni4xNTcuMS4xNzE2Mzg2MTAzLjAuMC4zMjM3MzE2MTE.&_ga=2.25230836.839088300.1716203378-1631866794.1711981188 DSR_TEST1 https://community.splunk.com/t5/Splunk-Search/How-to-Combine-search-query-with-a-lookup-file-with-one-common/td-p/296885?sort=votes DSR_TEST2 https://docs.splunk.com/Documentation/Splunk/9.2.1/SearchReference/Gauge
... View more
05-22-2024
07:01 AM
Hi @gcusello 1.Still i am not able to get Link values in the table . 2. Then the condition Status LIKE (,"%") is wrong, what do you want to check?. --->checking for Status as *
... View more
05-22-2024
05:57 AM
Hi @gcusello yes i have another field as interfacename is given below and in my lookup file i have same name as Interfacename . But i dont know to map values using append. values(content.payload.InterfaceName) as InterfaceName
... View more
05-22-2024
03:51 AM
Hi @gcusello In lookup file i have two fields one is interface name another one is link based on interface name we can map Right.
... View more
05-22-2024
01:35 AM
Hi @gcusello Need to map based on interface name with link
... View more
05-21-2024
10:16 AM
Hi @gcusello This the query which i am trying to map Interfacename and link .So i appended the inputlookup with base query .In base query also i have interface name.So i am trying to map the values.But the link is not populating in the table. index="mulesoft" environment=PRD
| rename content.payload.Status as Status
| append [ inputlookup link.csv | table Link InterfaceName]
| stats values(content.payload.InterfaceName) as payLoadInterface values(content.payload.ErrorMessage) as ErrorMsg earliest(timestamp) as Timestamp values(priority) as Priority values(tracePoint) as Tracepoint values(Link) as Link values(InterfaceName) as Interface by correlationId
| eval names = if ( isnull ( mvfind ( message, "DISABLED" ) ), null, message )
| eval Response= coalesce(SuccessResponse,Successresponse,msg,names,ErrorMsg)
| eval InterfaceName= coalesce(Interface,payLoadInterface)
| table Status Timestamp InterfaceName Link Response correlationId message Priority Tracepoint|fields - message Tracepoint Priority|search InterfaceName="*" | where Status LIKE ("%")|sort -Timestamp
... View more
05-20-2024
05:48 AM
Hi All, How to map splunk dashboard link based on the values on the field. And i have existing dashboard so i need to map based on the values onclick the link it will open the existing dashboard Ex: Name link abc click here bbc click here ccd clik here
... View more
05-13-2024
04:42 PM
Hi @yuanliu Thanks, how can we club the both into one to show count based on the two conditions
... View more
05-13-2024
07:00 AM
Hi All, Below query to get stats sum of field values of latest correlationId. need to show in pie chart. But i am getting values as other.PFA screenshot index="mulesoft" *Upcoming Executions* content.scheduleDetails.lastRunTime="*"
[search index="mulesoft" *Upcoming Executions* environment=DEV | stats latest(correlationId) as correlationId | table correlationId|format]|rename content.scheduleDetails.lastRunTime as LastRunTimeCount | stats count(eval(LastRunTimeCount!="NA")) as LastRunTime_Count count(eval(LastRunTimeCount=="NA")) as NA_Count by correlationId| stats sum(LastRunTime_Count) as LastRunTime_Count,sum(NA_Count) as NA_Count
... View more
05-09-2024
04:57 PM
If error and exception then it should be error rest of them are success.but using the below query to get status still.i got both suuccess and error for the some of the transactions ID | eval Status=case(priority="ERROR" AND tracePoint="EXCEPTION" OR message="*Error while processing*","ERROR", priority="WARN","WARN",priority!="ERROR" AND tracePoint!="EXCEPTION" OR message!="*(ERROR):*","SUCCESS") |stats values(Status) as Status by transactionId
... View more
05-09-2024
10:28 AM
Based on priority field and tracepoint field i am getting the status field.If priority is error and tracepoint as exception then i set status as per the keyword.But in some case its showing both ERROR and SUCCESS. Message priority tracepoint After Common SFTP Get File List Response INFO AFTER_REQUEST After Common SFTP Get File List Response INFO AFTER_REQUEST Before Common SFTP Get File Data Request INFO BEFORE_REQUEST Before Common SFTP Get File List Request INFO BEFORE_REQUEST Before Common SFTP Archive File Request INFO BEFORE_REQUEST File Upload Request for BEFORE_REQUEST INFO BEFORE_REQUEST File Upload to in SFTP mode. >>> END INFO END END File Upload Request for f ERROR EXCEPTION Error while trying to upload file to GCP from Common SFTP ERROR EXCEPTION DEV(ERROR): Error while processing System request INFO BEFORE_REQUEST
... View more
05-09-2024
10:12 AM
If i use some of the transactionID is error but some of its showing as Success.If the priority=error and exception="error" but the status is SUCCESS.I dont know y.
... View more
05-09-2024
09:37 AM
Hi All,
This the query which i try to get status.But in the table its shows both error and success.PFA screenshot
| eval Status=case(priority="ERROR" AND tracePoint="EXCEPTION" OR message="*Error while processing*","ERROR", priority="WARN","WARN",priority!="ERROR" AND tracePoint!="EXCEPTION" OR message!="*(ERROR):*","SUCCESS") |stats values(Status) as Status by transactionId
... View more
05-09-2024
05:22 AM
Hi All, I have a field in my data called 'message' ,which contain information about status of the field.I'd like categorizes files either success or failure files based on content of the field.For example the message contain multiple values like(success,processed,completed) then i want to label the corresponding file as success,if it contains like(failed,failure) i want to label as failure file.How to implement this using SPL query.Below query i tried but i am not getting properly. index=mulesoft environment=DEV applicationName="Test"
|stats values(content.FileName) as Filename1 values(content.ErrorMsg) as errormsg values(content.Error) as error values(message) as message values(priority) as priority min(timestamp) AS Logon_Time, max(timestamp) AS Logoff_Time BY correlationId
| eval SuccessFileName=case(match(message, "File put Succesfully*|Successfully created file data*|Archive file processed successfully*|Summary of all Batch*|processed successfully for file name*|SUCCESS") AND not match(priority,"ERROR|WARN"),FileName1,1=1,null())
| eval FailureFileName=case(match(message,"Failed to process file:"),FileName1,1=1,null()) |table SuccessFileName FailureFileName Response correlationId
... View more
Labels
- Labels:
-
stats
05-08-2024
06:09 AM
Hi @PickleRick As i tried by condition .So its showing as by the correlationId.But i want to show the count of lastRunTime field count.If i use lastRunTime the chart will show all the counts.But i need to club all the values into one.Below the query and i need to show values as LastRunTimeCount - 79 in the pie chart content..lastRunTime="*" content.lastRunTime!="NA"
[search index="Test" applicationName="scheduler" content.lastRunTime="*" content.lastRunTime!="NA" | stats latest(correlationId) as correlationId | table correlationId|format]|rename content.lastRunTime as LastRunTimeCount | stats Count(LastRunTimeCount) as total by correlationId
... View more
05-06-2024
09:12 AM
Hi @isoutamo If i use | stats Count i am getting value .But i want to show in pie chart. So i checked in the visualization it showing as no result.
... View more
05-06-2024
08:40 AM
Hi All,
How to count field values.The field extracted and showing 55 .When i use below query:
| stats count by content.scheduleDetails.lastRunTime
it will give all the values with counts
| stats dc(content.scheduleDetails.lastRunTime) AS lastRunTime
its showing 55 counts. my output as:
content.scheduleDetails.lastRunTime
Count
02/FEB/2024 08:22:19 AM
9
02/FEB/2024 08:21:19 AM
63
03/FEB/2024 08:22:19 AM
7
Expected output as only total count of the field:
79
... View more
05-03-2024
08:46 AM
Hi @ITWhisperer First time its coming when i am trying to refresh the same query i am not find any values Query which i am trying:
index="mulesoft" applicationName="scheduler" environment=DEV message="Upcoming Executions for Scheduler :*" [search index="mulesoft" applicationName="
scheduler" | stats latest(correlationId) as correlationId | table correlationId | format] |where content.currStatus!="Interface has no entry found in object Store"|stats count by content.currStatus
If i use the query in seperate search its showing the latest correlation values:
message="Upcoming Executions for Scheduler :*" environment=DEV | stats latest(correlationId) as correlationId | table correlationId
... View more
05-03-2024
08:16 AM
Sorry its not working .Sometimes the values coming but sometimes its not showing any values .
... View more
05-03-2024
06:23 AM
Got it thanks its working and latest correlationId .What time frequency the correlationId change.
... View more
05-03-2024
06:15 AM
Just i want to show the latest correlationId and in your query its showing multiple correlationID and i just want show the count of enabled and disabled in pie chart.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
a week ago
|
Karma from
| User | Karma Count |
|---|---|
| 2 | |
| 1 | |
| 1 | |
| 1 | |
| 1 |
Karma given to
