Hi All, i am writing a query with the following: index=a0_payservutil_generic_app_audit_npd "kubernetes.labels.release"="mms-au" MNDT|rex field=log "eventName=\"*(?<eventName>[^,\"\s]+)"|rex field=log "serviceName=\"*(?<serviceName>[^\"]+)"|rex field=log "elapsed=\"*(?<elapsed>[^,\"\s]+)" |search eventName="ACCOUNT_DETAIL" AND serviceName="Alias " | eval newtime=round((elapsed/1000),2)|stats count(newtime) AS TotalNoOfEvents,count(eval(newtime>=1)) AS SLACrossedEvents|eval perc=((SLACrossedEvents/TotalNoOfEvents)*100)|where perc>1|stats avg(newtime) as avg |eval calc=if(newtime>=1,avg,0)|eval eventName="ACCOUNT_DETAIL"|eval serviceName="Alias"|fields eventName serviceName TotalNoOfEvents SLACrossedEvents perc calc i need to calculate average time of events which crossed SLA,  for ex: if 2 events crossed SLA (elapsedtime is greater than 1 sec)..in that one event took 3 sec and another event took 2 seconds then we should display 2.5 as average in particular time.i am not able to fetch it.Can you please help me on the same. Thanks in advance ... View more

Hi All,      I am trying to fetch events by comparing two conditions where i am  unable to do that. I have sample log like this: [15:53:12.172] [WARN ] [] [c.c.n.t.e.i.T.ServiceCalloutEventData] [] - channel="null", productVersion="2FE1-5634ab725", apiVersion="V1", uuid="2Fedec2-16f0-4988-b1fa-68db0c565a9f", eventDateTime="2022-07-11T05:53:12.172Z", severity="WARN", code="ServfefrventData", component="wDEGG", category="integrational-eFsdal", serviceName="Details", eventName="_RESPONSE", message="CadfSFDresponse",  start="1657518790580", stop="1657518792172", elapsed="1592", exceptionInfo="null", url="https://scdssfg.com/npp-mms/v1/mandates/actions/DVd", httpResponseCode="500", priority="NORM", servicingAgentBIC="CTBAAUSNXXX", swiftMessagePartnerBIC="RESTMP1", messageIdentification="beb727a900dd11edaf1a69ae7e224ce5", mandateIdentification="111536a1519111ec9bb20e6904f27a9e", returnCode="APS.API.6544"  I need to fetch all the events with all httpstatuscode and compare with returncode and then decide the severity type. For all statuscode type cannot differ but for only 500(httpstatus code)based on returncode the severitytype would differ. So i need to write query for httpstatus code when it hits 500 it has to check return code and for remaining no need to check any returncode.   index=a_audit |rex field=log "eventName=\"*(?<eventName>[^,\"\s]+)"|rex field=log "serviceName=\"*(?<serviceName>[^\"]+)"|rex field=log "severity=\"*(?<severity>[^\"]+)"|rex field=log "exceptionInfo=\"*(?<exceptionInfo>[^\"]+)"|rex field=log "httpResponseCode=\"*(?<httpResponseCode>[^\"]+)"|rex field=log "returnCode=\"*(?<returnCode>[^\"]+)"|stats count by eventName serviceName severity exceptionInfo httpResponseCode returnCode|search serviceName="Details" AND eventName="RESPONSE" AND (severity=ERROR OR severity=WARN) |eval severityType=(httpResponseCode=400 OR httpResponseCode=401 OR httpResponseCode=403 OR httpResponseCode=404 "FATAL") AND (httpResponseCode=500 IN (returnCode=APS.API.6544) |where count>1   i cant able to compare 2 conditions for same field.Can you help me on the same. ... View more

Hi All, I haven3 events in splunk where there is one unique field in all the three events. Here is the example:   [2022-05-10 23:17:23,049] [INFO ] [] [c.c.n.t.e.i.T.JmsMessageEventData] [] - channel="NPP_MPIR.CHANNEL", productVersion="1.3.1-0-1-404089bc7", uuid="3c78031b-12b3-4694-ab88-3a265bf8499e", eventDateTime="2022-05-10T23:17:23.049Z", severity="INFO", code="JmsMessageEventData", component="mq.listener", category="default", serviceName="Mandated Payment Initiation", eventName="MANDATED_PAYMENT_INITIATION.SERVICE_START", message="Mandated Payment Initiation Event", entityType="MSG", start="1652188643002", messageIdentification="CTBAAUSNXXX20220510020220510131721", queueManagerName="PGT201", queueManagerHostname="10.39.9.38",    Initial: [2022-05-10 23:17:24,425] [INFO ] [] [c.c.n.t.e.i.T.JmsMessageEventData] [] -  eventDateTime="2022-05-10T23:17:24.425Z", severity="INFO", code="JmsMessageEventData", component="submission.sent", category="default", serviceName="Submission Service", eventName="PAYMENT_STATUS_REPORT.SENT", message="Customer initial status report sent to PAG", entityType="INSTR", externalSystem="PAG", start="1652188644418", stop="1652188644425", elapsed="7", exceptionInfo="null", messageIdentification="CTBAAUSNXXX20220510020220510131721", firstMessageTraceIdentification="2TDyn8AlRMud1mfUA49o6A" Final: [2022-05-10 23:17:30,528] [INFO ] [] [c.c.n.t.e.i.T.JmsMessageEventData] [] -  eventDateTime="2022-05-10T23:17:30.528Z", severity="INFO", code="JmsMessageEventData", component="submission.sent", category="default", serviceName="Submission Service", eventName="PAYMENT_STATUS_REPORT.SENT", message="Customer final status report sent to PAG", entityType="INSTR", externalSystem="PAG", start="1652188650520", stop="1652188650528", elapsed="8", exceptionInfo="null", messageIdentification="CTBAAUSNXXX20220510020220510131721", firstMessageTraceIdentification="2TDyn8AlRMud1mfUA49o6A",                         These are the 3 events with unique field "messageIdentification",  I need to combine 1 and 2 events and also 1 and 3 and get difference of time between them and calculate how much percentage of events are triggering in less than 15 sec and 30 sec. I tried using transaction command but not able to fetch ..i think i am using it wrong. Can anyone help me on the same. Thanks in Advance.       ... View more

Hi All,    I have number of events with error srtring in event. I need to fetch al the events with error string except hibernet errors. "ERROR org.hibernate.engine.jdbc.spi.SqlExceptionHelper - ORA-00001: unique constraint" I am not sure about the logs with other errors..as there are multiple logs with hibernate error ..i cant be able to fetch it. i need to extract all other logs with error keyword in the event. Can anyone please help me on the same. Thanks in advance. ... View more

Hey folks, I have one set of application where there is version upgrade.Due to that version upgrade they changed the path of logs. As they are facing some issues with sourcetype,they changed the sourcetype name as well. IS there a  way to know which alerts are configured with this sourcetype /source and change them to new source/sourcetype instead of opening all the alerts manually and check where those sourcetype/source is used in query Thanks in Advance, ... View more

i want to trigger dashboard as PDF to my mail id.....But while scheduling PDF delivery am getting error like this: Can any one tell me why i am facing this error and how can i avoid this and trigger mail . When i am previewing the data..it looks fine. Please help me out Thanks in Advance. ... View more

Hi All, I have one dashboard with multiple panels and its taking too much of time to load. I am trying to implement base search and sub search. I have one doubt in implementing it. I have the queries with common until index,sourcetype and source....but i need to differentiate in one code assume its transaction id...and all the remaining query seems same. For ex: index=xyz  sourcetype="dtc:hsj" tcode="1324"  ----->for few queries index=xyz  sourcetype="dtc:hsj" tcode="1324"  OR tcode="234" ------>for few queries And the remaining part is same for all the queries..Is there a way that can i configure tcode in basesearch and used the same in subsearch Thanks in Advance ... View more

Hi, I have few logs with data as shown below..i need to extract them as fields and create chart using those values.can anyone please help me through: 16/Dec/2021:22:20:32 +1100 [qtp1936628443-884] [correlationId=b25d79ca-2b70-4912-93f4-1dc5f58841c8]  - 2021-12-16T11:20:32.362,,55955f24-a900-e3a7-e053-071bf40a1f09,,,PDS_ERR_API_GET_0001,API GET Call Failed with HTTP Status Code of 4xx Client Error,400,Bad Request,jbcsjhcjehcihdc i need to extract the values of "PDS_ERR_API_GET_0001" and "400" and "Bad Request" Thanks in Advance           ... View more

Hi All, Actually in our splunk environment there is no test environment prior and now its present, So i need to replicate all the alerts,dashboards and reports present in production to test environment. I didnt have access to backend environment of Splunk. Is there any smarter way to do that instead of cloning each and every alert. Waiting for response. Thanks in Advance. ... View more

Hi All,     I have logs in splunk and i need to create field values and create table with the values,present in logs. example :Caused by: org.apache.kafka.connect.errors.ConnectException: Failed to start new JMS session connection 1: JMSWMQ2013: The security authentication was not valid that was supplied for queue manager 'EVT302' with connection mode 'Client' and host name '10.37.84.12,10.37.100.13(1442)'. Above one is the example log and i need to extract value under caused by as description and queue manager number and also the hostname.  Can anyone help me on the same. Thanks in Advance. ... View more

Is there a way to replicate all the alerts present in one environment(production) to another environment(non-prod). where as both are present in same place i mean url is same but indexes of both environments is different. And the main thing is we cannot access backend as we have only limited access. Can anyone please help me through it in achieving it.   Thanks in Advance ... View more

I am new to splunk. Please help me with the below content. I need to check first and last events of particular transaction and alert should be triggered if the sequence is not followed or any process stopped in middle. How can i do that ? Can anyone please help me on the same? Thanks in Advance ... View more