Hi All, I have two set of logs in two different sources in splunk, one containing the predefined list of VPNs and Queues and the other containing list of VPNs and Queues where activity is done. Now I have to compare the list of the 2nd set with the 1st set and create a table. Set 1: log:  10.96.195.70/SEMP/v2/monitor/msgVpns/CPGC_S_SIT/queues/gcg.apac.eventcloud.publish.hk.twa/txFlows 10.96.195.70/SEMP/v2/monitor/msgVpns/EHEM_S_SIT/queues/gcg.emea.eventcloud.publish.ae.cops/txFlows 10.96.195.70/SEMP/v2/monitor/msgVpns/EHEM_S_SIT/queues/gcg.emea.eventcloud.publish.ae.sendprioritycommandretrycomm/txFlows 10.96.195.70/SEMP/v2/monitor/msgVpns/EHEM_S_SIT/queues/gcg.emea.eventcloud.publish.ae.triggerbatchtocommhub/txFlows 10.96.195.70/SEMP/v2/monitor/msgVpns/ALERTSGC_S_SIT/queues/gcg.ap.cop_163124.card.lightning.eas.queue So I created the below query to get the VPN & Queue: *** | source="*/sit_solace_updated.txt" | rex field=_raw max_match=0 "msgVpns\/(?P<VPN_Name>[^\/]+)\/queues\/(?P<Queue_Name>[^\/]+)\/" | table VPN_Name,Queue_Name | eval row=mvrange(0,mvcount(VPN_Name)) | mvexpand row | foreach *_* [| eval <<FIELD>>=mvindex(<<FIELD>>,row)] | fields - row Set 2: log1:  "activationTime":1652444666, "clientName":"source.solace.emea.ae.custmgt.cops.cops.raw.int.rawevent-05d1d1b@gtgcb-csrla01s.nam.nsroot.net/59133/#00a00005/VIzOONZsrL", "msgVpnName":"EHEM_S_SIT", "queueName":"gcg.emea.eventcloud.publish.ae.cops", log2: "activationTime":1650620233, "clientName":"BW-ALERTS_JMS_CONN-queue-ALERTSServices-1-1-AlertServices_ALERTSServices_a37s_01", "msgVpnName":"ALERTSGC_S_SIT", "queueName":"gcg.ap.cop_163124.card.lightning.eas.queue", And here I used the below query to create a table: *** | source="*/final_sol_queue.txt" | rex field=_raw "Time\"\:(?P<Act_Time>[^\,]+)\," | rex field=_raw "clientName\"\:\"(?P<Client_Name>[^\"]+)\"\," | rex field=_raw "VpnName\"\:\"(?P<VPN_Name>[^\"]+)\"\," | rex field=_raw "queueName\"\:\"(?P<Queue_Name>[^\"]+)\"\," | eval Activation_Time=strftime(Act_Time,"%a, %d %b %Y %H:%M:%S") | table Activation_Time,Client_Name,VPN_Name,Queue_Name | dedup Activation_Time,Client_Name,VPN_Name,Queue_Name it gave the below table: Activation_Time Client_Name VPN_Name Queue_Name Fri, 22 Apr 2022 15:28:39 BW-ALERTS_JMS_CONN-queue-ALERTSServices-1-1-AlertServices_ALERTSServices_a37s_01 ALERTSGC_S_SIT gcg.ap.cop_163124.card.lightning.eas.queue Fri, 13 May 2022 17:54:26 source.solace.emea.ae.custmgt.cops.cops.raw.int.rawevent-05d1d1b@gtgcb-csrla01s.nam.nsroot.net/59133/#00a00005/VIzOONZsrL EHEM_S_SIT gcg.emea.eventcloud.publish.ae.cops However, I want to create a table that contains the missing VPNs & Queues also from set1 as below: Activation_Time Client_Name VPN_Name Queue_Name Fri, 22 Apr 2022 15:28:39 BW-ALERTS_JMS_CONN-queue-ALERTSServices-1-1-AlertServices_ALERTSServices_a37s_01 ALERTSGC_S_SIT gcg.ap.cop_163124.card.lightning.eas.queue Fri, 13 May 2022 17:54:26 source.solace.emea.ae.custmgt.cops.cops.raw.int.rawevent-05d1d1b@gtgcb-csrla01s.nam.nsroot.net/59133/#00a00005/VIzOONZsrL EHEM_S_SIT gcg.emea.eventcloud.publish.ae.cops Not_Available Not_Available EHEM_S_SIT gcg.emea.eventcloud.publish.ae.triggerbatchtocommhub Not_Available Not_Available EHEM_S_SIT gcg.emea.eventcloud.publish.ae.sendprioritycommandretrycomm Not_Available Not_Available CPGC_S_SIT gcg.apac.eventcloud.publish.hk.twa   Please help to modify the query in a way that it compares set1 and set2 for the VPN & Queue values and produce the table in the above manner. Thank you All..!! ... View more

Hi All, I am trying to create a table out of the log below: log: ServerA ServerB ServerC ADFILES41-6.2-4 not_available ADFILES41-6.2-4.2 ADM41-5.10.1-4 ADM41-5.10.1-4 ADM41-5.10.1-4 ADM41HF-5.10.1HF004-4 ADM41HF-5.10.1HF004-4 ADM41HF-5.10.1HF004-4 ADM42-5.11-4 ADM42-5.11-4 ADM42-5.11-4 ADM42HF-5.11HF03-4 ADM42HF-5.11HF03-4 not_available TRA42-5.11-4 TRA42-5.11-4 not_available not_available ADFILES42-6.2-4 not_available not_available not_available TRA42-5.13-4 Here you can see that the 1st line gives the server names. 2nd, 3rd,4th and so on lines are applications available in the server. For eg. From 2nd line you can see that the application ADFILES41-6.2-4 is available in A&C but not in B. Similarly from 9th line you can see that the application TRA42-5.13-4 is available in C but not in A&B. So the requirement is to create a table in the below way to show if any servers is missing any application. Server ServerA ServerB ServerC Application ADFILES41-6.2-4 not_available ADFILES41-6.2-4 Application ADM41-5.10.1-4 ADM41-5.10.1-4 ADM41-5.10.1-4 Application ADM41HF-5.10.1HF004-4 ADM41HF-5.10.1HF004-4 ADM41HF-5.10.1HF004-4 Application ADM42-5.11-4 ADM42-5.11-4 ADM42-5.11-4 Application ADM42HF-5.11HF03-4 ADM42HF-5.11HF03-4 not_available Application TRA42-5.11-4 TRA42-5.11-4 not_available Application not_available ADFILES42-6.2-4 not_available Application not_available not_available TRA42-5.13-4   Please help me to create a query to get the table in the desired manner. Any help on the problem would be highly appreciated. Thank you All..!! ... View more

Hi All, I have logs like below in splunk. log1: "count":1, log2: gcg.gom.esb_159515.rg.APIMediation.Disp1.3.Rs.APIM3 log3: "count":1, log4: gcg.gom.esb_159515.rg.APIMediation.Disp1.3.Rs.APIM2 log5: "count":1, log6: gcg.gom.esb_159515.rg.APIMediation.Disp1.3.Rs.APIM1 I used the below query to create a table showing the "Queue" and the "Consumer count": ***** | rex field=_raw "Rs\.(?P<Queue>\w+)" | rex field=_raw "count\"\:(?P<Consumer_Count>\d+)\," | table Queue,Consumer_Count But this query gives the table in the below manner: Queue Consumer_Count   1 APIM3     1 APIM2     1 APIM1   I want the rows to be combined in the below manner: Queue Consumer_Count APIM3 1 APIM2 1 APIM1 1   Please help to modify the query to get the desired output. Thank you..!! ... View more

Hi All, I  have below logs in one event: AMQ8450I: Display queue status details. QUEUE(ECS.AU.TO_KAFKA_RES.LISTEN) TYPE(QUEUE) CURDEPTH(0) LGETTIME(00.28.06) LPUTTIME(00.28.06) AMQ8450I: Display queue status details. QUEUE(ECS.HK.TO_KAFKA_RES.LISTEN) TYPE(QUEUE) CURDEPTH(0) LGETTIME(01.32.35) LPUTTIME(01.32.35) AMQ8450I: Display queue status details. QUEUE(ECS.ID.TO_KAFKA_RES.LISTEN) TYPE(QUEUE) CURDEPTH(0) LGETTIME(01.26.46) LPUTTIME(01.26.46) AMQ8450I: Display queue status details. QUEUE(ECS.MY.TO_KAFKA_RES.LISTEN) TYPE(QUEUE) CURDEPTH(0) LGETTIME(01.38.02) LPUTTIME(01.38.02) AMQ8450I: Display queue status details. QUEUE(ECS.PH.TO_KAFKA_RES.LISTEN) TYPE(QUEUE) CURDEPTH(0) LGETTIME(23.12.07) LPUTTIME(23.12.07) AMQ8450I: Display queue status details. QUEUE(ECS.SG.TO_KAFKA_RES.LISTEN) TYPE(QUEUE) CURDEPTH(0) LGETTIME(01.39.26) LPUTTIME(01.39.26) AMQ8450I: Display queue status details. QUEUE(ECS.TH.TO_KAFKA_RES.LISTEN) TYPE(QUEUE) CURDEPTH(0) LGETTIME(01.28.20) LPUTTIME(01.28.20) AMQ8450I: Display queue status details. QUEUE(ECS.VN.TO_KAFKA_RES.LISTEN) TYPE(QUEUE) CURDEPTH(0) LGETTIME(21.47.43) LPUTTIME(21.47.43) I tried to create a table out of the data using the query: *** | rex field=_raw max_match=0 "QUEUE\((?P<Queue_Name>[^\)]+)\)" | rex field=_raw max_match=0 "CURDEPTH\((?P<Cur_Depth>[^\)]+)\)" | rex field=_raw max_match=0 "LGETTIME\((?P<Get_Time>[^\)]+)\)" | rex field=_raw max_match=0 "LPUTTIME\((?P<Put_Time>[^\)]+)\)" | table Queue_Name,Cur_Depth,Get_Time,Put_Time But the table comes out as below: Queue_Name Cur_Depth Get_Time Put_Time ECS.AU.TO_KAFKA_RES.LISTEN ECS.HK.TO_KAFKA_RES.LISTEN ECS.ID.TO_KAFKA_RES.LISTEN ECS.MY.TO_KAFKA_RES.LISTEN ECS.PH.TO_KAFKA_RES.LISTEN ECS.SG.TO_KAFKA_RES.LISTEN ECS.TH.TO_KAFKA_RES.LISTEN ECS.VN.TO_KAFKA_RES.LISTEN 0 0 0 0 0 0 0 0 00.28.06 01.32.35 01.26.46 01.38.02 23.12.07 01.39.26 01.28.20 21.47.43 00.28.06 01.32.35 01.26.46 01.38.02 23.12.07 01.39.26 01.28.20 21.47.43 The problem here is that all the data is coming up in one row only. I tried "mvexpand" command to split up in individual rows but failed to do so. Please help to modify the query to make the output table come as one row per line. Thank All..!! ... View more

Hi All, I want to understand if there is a way to perform an action to the server through Splunk. For e.g. to run ls -lrt command for a path to kill/terminate a process to run a script on the server etc. Your kind help will be highly appreciated. Thank you..!! ... View more

I have created a table as below  using the query  index=xyz | stats count(Status) as Total by Transaction,Status Transaction Status count(Status) A 200 OK 45 A 400 Bad Request 20 B 200 OK 110 B 400 Bad Request 15 B 500 Internal Server Error 5 C 200 OK 85 C 400 Bad Request 25 C 500 Internal Server Error 30 But I want to get a transpose of the table as below: Transaction 200 OK 400 Bad Request 500 Internal Server Error Total A 45 20 0 65 B 110 15 5 130 C 85 25 30 140 Please help me to create a query to get the desired output. ... View more

Hi All, I  have logs like below in Splunk: log1:  Valid from: Mon Oct 11 05:12:56 EDT 2021 until: Wed Oct 11 05:12:56 EDT 2023 log2: Serial number: 6900015f06a7454c0728c2744b000000015f06 log3: Owner: CN=sd-72m2-rt6w.nam.nsroot.net, OU=166139, O=Citigroup Inc., L=warren, ST=NJ, C=US log4: /apps/gcafews_SG/jboss-eap-7.3/ssl/server.jks log5: /apps/gcafewshlc_SG/jboss-eap-7.3/ssl/server.jks and so on... Aim is to get the validity of each Instance and CN, so created the below query to extract the required fields and to find the validity in days: ..... | rex field=_raw "\/apps\/(?P<Instance>\w+)\/" | rex field=_raw "CN\=(?P<CN>[^\,]+)\," | rex field=_raw "Serial\snumber\:(?P<Serial_Number>[^\,]+)" | rex field=_raw "OU\=(?P<CSI_ID>[^\,]+)\," | rex field=_raw "until\:\s(?P<Valid_Until>\w+\s\w+\s(\s{0,1})\d+\s\d+\:\d+\:\d+\s\w+\s\d+)" | eval From = _time | eval Until = strptime(Valid_Until, "%a %b %d %H:%M:%S %Z %Y") | eval dur=Until-From | eval Validity = round(dur/(60*60*24)) Now to represent all these data in a tabular view I used the query : | table Instance,CN,Serial_Number,CSI_ID,Valid_Until,Validity But it gave me the table in the below manner: Instance CN Serial_Number CSI_ID Valid_Until Validity         Wed Oct 11 05:12:56 EDT 2023 556     6900015f06a7454c0728c2744b000000015f06         sd-72m2-rt6w.nam.nsroot.net   166139     gcafews_SG           gcafewshlc_SG           The requirement is to create table with the values in single row as below: Instance CN Serial_Number CSI_ID Valid_Until Validity gcafews_SG sd-72m2-rt6w.nam.nsroot.net 6900015f06a7454c0728c2744b000000015f06  166139 Wed Oct 11 05:12:56 EDT 2023 556 gcafewshlc_SG sd-72m2-rt6w.nam.nsroot.net 6900015f06a7454c0728c2744b000000015f06  166139 Wed Oct 11 05:12:56 EDT 2023 556 Please help modify the query to get the table in the desired manner. ... View more

Hi All, I have logs as below to check certificate validity: Valid from: Tue Jul 13 02:51:21 EDT 2021 until: Thu Jul 13 02:51:21 EDT 2023 I have extracted the from_date and until_date by using the below query: ..... | rex field=_raw "from\:\s(?P<Valid_From>\w+\s\w+\s(\s{0,1})\d+\s\d+\:\d+\:\d+\s\w+\s\d+)\s" | rex field=_raw "until\:\s(?P<Valid_Until>\w+\s\w+\s(\s{0,1})\d+\s\d+\:\d+\:\d+\s\w+\s\d+)" Now I want to get the no. the days between these two dates to get the certificate validity. Please help me to create a query to get the desired output. ... View more

Hi All, I have a query to get the result of the list of filesystems and their respective disk usage details as below: File_System  Total in GB   Used in GB   Available in GB   Disk_Usage in % /var                   10                    9.2                   0.8                           92 /opt                   10                    8.1                   1.9                          81 /logs                 10                    8.7                   1.3                          87 /apps                10                    8.4                   1.6                          84 /pcvs                10                    9.4                    0.6                         94 I need to create a multiselect option with the disk usage values to get the above table for a range of values. For e.g. If I select 80 in the multiselect it will show the table with values of disk usage in the range 76-80, then if I select 80 & 90 in the multiselect it will show the table with values of disk usage in the range 76-80 & 86-90 and so on. I created the multiselect with token as "DU" and created the search query for the table as: .... | where ((Disk_Usage<=$DU$ AND Disk_Usage>($DU$-5)) OR (Disk_Usage<=$DU$ AND Disk_Usage>($DU$-5))) | table File_System,Total,Used,Available,Disk_Usage | rename Total as "Total in GB" Used as "Used in GB" Available as "Available in GB" Disk_Usage as "Disk_Usage in %" With the above query I am able to get the results when I run a search with two different values (e.g. 100 & 65) for $DU$ in (Disk_Usage<=$DU$ AND Disk_Usage>($DU$-5)). But with this query I am not able to get the table in the dashboard when I am using multiple values. Please help me with the delimiter to be added or help create a query so that upon selecting multiple options in multiselect will give the table for a range of disk usage values. ... View more