×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
karthi25
Path Finder
Member since: ‎11-26-2017
‎04-13-2022
Community Statistics
Posts 71
Solutions 0
Karma Given 22
Karma Received 2
Member Since ‎11-26-2017
Activity Feed
Topics I've Started
View All

Add icons to xml dashboard and change the icon bas...

by in Security
‎02-17-2019 09:49 PM
‎02-17-2019 09:49 PM
I have an requirement to add icons to the xml dashboard and need to change the icon based on the result. Something like the below image: Since, I don't have permissions to use javascript/jquery inside, I only need to use CSS and XML. Can anyone please help me to do it. ... View more

Merge two line chart with different query in to si...

by in Splunk Search
‎02-13-2019 05:31 AM
‎02-13-2019 05:31 AM
I have two line chart with different queries as follows: <chart> <search> <query>index=*** source=*** |spath path=TestSplunkLog.TestFailureLog.payload.failureCount output=failureCount|spath path=TestSplunkLog.TestFailureLog.payload.startTime output=startDate| sort -splunkLogId | eval runDate = strftime(strptime(startDate, "%Y-%m-%d %H:%M"),"%Y-%m-%d %H:%M") | chart values(failureCount) as FAILURERECORDCOUNT over runDate</query> <earliest>$dashboardTime.earliest$</earliest> <latest>$dashboardTime.latest$</latest> <refresh>30m</refresh> <refreshType>delay</refreshType> </search> <option name="charting.axisTitleX.text">Date</option> <option name="charting.axisTitleY.text">Record Count</option> <option name="charting.axisY.scale">linear</option> <option name="charting.chart">line</option> <option name="charting.chart.showDataLabels">none</option> <option name="charting.legend.placement">none</option> </chart> <chart> <search> <query>index=*** source=*** |spath path=TestSplunkLog.TestSuccessLog.payload.successCount output=successCount|spath path=TestSplunkLog.TestSuccessLog.payload.startTime output=startDate| sort -splunkLogId | eval runDate = strftime(strptime(startDate, "%Y-%m-%d %H:%M"),"%Y-%m-%d %H:%M") | chart values(successCount) as SUCCESSRECORDCOUNT over runDate</query> <earliest>$dashboardTime.earliest$</earliest> <latest>$dashboardTime.latest$</latest> <refresh>30m</refresh> <refreshType>delay</refreshType> </search> <option name="charting.axisTitleX.text">Date</option> <option name="charting.axisTitleY.text">Record Count</option> <option name="charting.axisY.scale">linear</option> <option name="charting.chart">line</option> <option name="charting.chart.showDataLabels">none</option> <option name="charting.legend.placement">none</option> </chart> Now, I want to merge this two line chart and convert it to single multi-line chart. Since the JSON path varies, I felt difficult to do this. Can anyone please help me on this. ... View more

How do you get an average based on a date field?

by in Splunk Search
‎01-21-2019 03:47 AM
‎01-21-2019 03:47 AM
I have a Splunk log in JSON format as follows: {"SCMSplunkLog":{ "SCMSuccessLog":{ "payload":{ "sourceCount":0,"level":"INFO","duplicateCount":0,"successCount":0,"startTime":"2019-01-19 23:08:31","endTime":"2019-01-19 23:08:34","publishedCount":0 },"appName":"***","eventType":"***"}}} Now, I want to draw the line chart with the hourly average of publishedCount over starttime. I tried the below query, but it is not working: index=*** source=*** | search SCMSplunkLog.SCMSuccessLog.eventType="***"| sort -splunkLogId | eval runDate = SCMSplunkLog.SCMSuccessLog.payload.startTime |eval time=strptime(runDate, "%m-%d-%Y %H") | chart sum(publishedCount) as dailyAvg over time | stats avg(dailyAvg) as TREND | eval TREND=round(TREND)| strcat "TREND" ": " TREND TREND Can anyone please suggest to me the solution for it. ... View more

Unable to use Splunk local endpoint as cloudwatch ...

by in All Apps and Add-ons
‎05-31-2018 01:53 AM
‎05-31-2018 01:53 AM
I am working with streaming cloudwatch logs to splunk. Splunk is my local instance with SSL enabled. I am trying to make my splunk local endpoint as destination to firehose delivery stream as follows: and in the command line am creating cloudwatch destination aws logs put-destination --destination-name "awslogs-destination-splunk" --target-arn "arn:aws:firehose:us-east-1:arnno:deliverystream/firehose-splunk-delivery-stream" --role-arn "arn:aws:iam::arnno:role/cw-to-kinesis-role" but it showing me the error as follows: An error occurred (InvalidParameterException) when calling the PutDestination op eration: Could not deliver test message to specified destination. Check if the d estination is valid. What am doing wrong here.Can anyone please suggest me the solution for it. ... View more

Push data to the splunk from AWS

by in All Apps and Add-ons
‎05-27-2018 10:14 PM
‎05-27-2018 10:14 PM
Previously , we have configured splunk on Pivotal Cloudfoundry (PCF). Once, the app gets deployed in the PCF, then its logs will be pushed to Splunk automatically. But now I need to do the samething for AWS. I have referred some link , since I didn't have better understanding. Can anyone please share me the useful link that I can follow Or the steps I need to do. ... View more

How to get the event details between two different...

by in Splunk Search
‎05-07-2018 06:59 AM
‎05-07-2018 06:59 AM
I have a splunk log in the following format: INFO com.tmobile.sfdc.reports.batch.listener.OrderJobListener - ORDER_JOB: **SUCCESSFULLY COMPLETED at END_TIME**: 2018-05-06T19:03:27.854Z INFO com.tmobile.sfdc.reports.service.OrderService - ORDER_JOB: List size: 4688 INFO com.tmobile.sfdc.reports.service.OrderService - ORDER_JOB: Total Size of Records returned 4688 isDone Status true INFO com.tmobile.sfdc.reports.service.OrderService - ORDER_JOB: Total Size of Records returned 3688 isDone Status false INFO com.tmobile.sfdc.reports.service.OrderService - ORDER_JOB: Total Size of Records returned 1000 isDone Status false INFO com.tmobile.sfdc.reports.service.OrderService - ORDER_JOB: QUERY FORMED: /services/data/v40.0/query?q=SELECT+Id,OpportunityId,MSISDN__c,CreatedDate,LastModifiedDate,Order_System__c,Approximate_Activation_Date__c,SIM_Number__c,IMEI__c,Status+FROM+ORDER+where+CreatedDate%3e2018-05-06T12:03:20.083Z+OR+LastModifiedDate%3e2018-05-06T12:03:20.083Z INFO com.tmobile.sfdc.reports.service.OrderService - ORDER_JOB: lastQueriedDateStamp before query: 2018-05-06T12:03:20.083Z INFO com.tmobile.sfdc.reports.batch.reader.OrderItemReader - ORDER_JOB: new Job.. fetching orders INFO com.tmobile.sfdc.reports.batch.listener.OrderJobListener - ORDER_JOB: **ACTIVE at START_TIME**: 2018-05-07T18:03:27.854Z INFO com.tmobile.sfdc.reports.batch.listener.OrderJobListener - ORDER_JOB: **SUCCESSFULLY COMPLETED at END_TIME**: 2018-05-06T19:03:27.854Z INFO com.tmobile.sfdc.reports.service.OrderService - ORDER_JOB: List size: 2688 INFO com.tmobile.sfdc.reports.service.OrderService - ORDER_JOB: Total Size of Records returned 2688 isDone Status true INFO com.tmobile.sfdc.reports.service.OrderService - ORDER_JOB: Total Size of Records returned 1688 isDone Status false INFO com.tmobile.sfdc.reports.service.OrderService - ORDER_JOB: Total Size of Records returned 1000 isDone Status false INFO com.tmobile.sfdc.reports.service.OrderService - ORDER_JOB: QUERY FORMED: /services/data/v40.0/query?q=SELECT+Id,OpportunityId,MSISDN__c,CreatedDate,LastModifiedDate,Order_System__c,Approximate_Activation_Date__c,SIM_Number__c,IMEI__c,Status+FROM+ORDER+where+CreatedDate%3e2018-05-06T12:03:20.083Z+OR+LastModifiedDate%3e2018-05-06T12:03:20.083Z INFO com.tmobile.sfdc.reports.service.OrderService - ORDER_JOB: lastQueriedDateStamp before query: 2018-05-07T12:03:20.083Z INFO com.tmobile.sfdc.reports.batch.reader.OrderItemReader - ORDER_JOB: new Job.. fetching orders INFO com.tmobile.sfdc.reports.batch.listener.OrderJobListener - ***ORDER_JOB: ACTIVE at START_TIME***: 2018-05-07T18:03:27.854Z All the above are separate events, I want to get a data between the active start time and successfully completed endtime. For Eg: starttime listsize totalRecords lastqueriedtimestamp enddate 2018-05-07T18:03:27.854Z 4688 4688 2018-05-06T12:03:20.083Z 2018-05-06T19:03:27.854Z 2018-05-07T18:03:27.854Z 2688 2688 2018-05-07T12:03:20.083Z 2018-05-06T19:03:27.854Z I know the regex to get each value, but I want to know how to group all the separated events should fall under that two dates. Can anyone please help me to do it? ... View more

Re: Extract date from the Splunk log

by in Getting Data In
‎05-07-2018 02:34 AM
‎05-07-2018 02:34 AM
@FrankVI they are seperate events, I need to get it by order basis like the first occured startdate with first occured enddate , second occured startdate with second occured enddate,... and so on.Can you please suggest what else I can do? ... View more

Extract date from the Splunk log

by in Getting Data In
‎05-07-2018 02:18 AM
‎05-07-2018 02:18 AM
I have splunk log which looks like below: ||pool-2-thread-1|| INFO com.tmobile.sfdc.reports.batch.listener.OrderJobListener - ORDER_JOB: SUCCESSFULLY COMPLETED at END_TIME: 2018-05-07T06:05:17.475Z ||pool-2-thread-1|| INFO com.tmobile.sfdc.reports.batch.listener.OpportunityJobListener - OPPORTUNITY_JOB: ACTIVE at START_TIME: 2018-05-07T06:04:44.981Z ||pool-2-thread-1|| INFO com.tmobile.sfdc.reports.batch.listener.OrderJobListener - ORDER_JOB: SUCCESSFULLY COMPLETED at END_TIME: 2018-05-09T07:10:17.475Z ||pool-2-thread-1|| INFO com.tmobile.sfdc.reports.batch.listener.OpportunityJobListener - OPPORTUNITY_JOB: ACTIVE at START_TIME: 2018-05-09T07:08:44.981Z I want to get the start date and end date from the log. So, My output would be like: START_DATE END_DATE --------------------------------------------------------------------------------- 2018-05-09T07:08:44.981Z 2018-05-09T07:10:17.475Z 2018-05-07T06:04:44.981Z 2018-05-07T06:05:17.475Z I have tried the below query , but its return nothing: base search| rex field=_raw "ACTIVE at START_TIME:\[(?[^ ]+)"| rex field=_raw "SUCCESSFULLY COMPLETED at END_TIME:\[(?[^ ]+)"|table START_DATE,END_DATE can anyone please suggest me the solution and what am doing wrong here. ... View more

Re: Get the number from the log with ":" Symbol

by in Splunk Search
‎05-07-2018 01:49 AM
‎05-07-2018 01:49 AM
@elliotproebstel how can change the above query if it is the date. For eg: if I contains the log like ||pool-2-thread-1|| INFO com.tmobile.sfdc.reports.batch.listener.OrderJobListener - ORDER_JOB: ACTIVE at START_TIME: 2018-05-07T06:04:46.087Z and I want to get the value "2018-05-07T06:04:46.087Z" ... View more

Get the number from the log with ":" Symbol

by in Splunk Search
‎05-04-2018 05:46 AM
‎05-04-2018 05:46 AM
I have a log which looks like follows: ||pool-2-thread-1|| INFO com.tmobile.sfdc.reports.service.OpportunityService - OPPORTUNITY_JOB: List size: 41 ||pool-2-thread-1|| INFO com.tmobile.sfdc.reports.service.OpportunityService - OPPORTUNITY_JOB: List size: 140 I want to get the sum of the numbers(140+41+..), And I have tried the below query base search| rex field=_raw "List size\"\:\"(?<size>[^\"]+)" | stats sum(size) But it returns nothing. Can anyone please suggest me what am doing wrong. ... View more

Re: How to get the total count by getting the numb...

by in Splunk Search
‎05-04-2018 05:33 AM
‎05-04-2018 05:33 AM
@xpac Sorry, that is not for the previous requirement ,its for new purpose .So I don't want it as generic. That is different log, the above query returns uncorrect result . ... View more

Re: How to get the total count by getting the numb...

by in Splunk Search
‎05-04-2018 05:14 AM
‎05-04-2018 05:14 AM
@xpac its not working. For the log like: ||pool-2-thread-1|| INFO com.tmobile.sfdc.reports.service.OpportunityService - OPPORTUNITY_JOB: List size: 41 how can I get the value 41 ... View more

Re: How to get the total count by getting the numb...

by in Splunk Search
‎05-04-2018 04:46 AM
‎05-04-2018 04:46 AM
@xpac If I have ":" symbol after the count means how can I change it . I mean count : 360 ... View more

How to get the total count by getting the number f...

by in Splunk Search
‎05-04-2018 03:36 AM
‎05-04-2018 03:36 AM
I have a splunk log as follows: ...||pool-2-thread-1|| INFO com.tmobile.sfdc.reports.batch.writer.LeadItemWriter - LEAD_JOB: Batch insertion is successful for count 1000 and exiting method write()::LeadItemWriter ----||pool-2-thread-1|| INFO com.tmobile.sfdc.reports.batch.writer.LeadItemWriter - LEAD_JOB: Batch insertion is successful for count 197 and exiting method write()::LeadItemWriter ||pool-2-thread-1|| INFO com.tmobile.sfdc.reports.batch.writer.OrderItemWriter - ORDER_JOB: Batch insertion is successful for count 3860 and exiting method write()::OrderItemWriter ||pool-2-thread-1|| INFO com.tmobile.sfdc.reports.batch.writer.OrderItemWriter - ORDER_JOB: Batch insertion is successful for count 30 and exiting method write()::OrderItemWriter I need to get the total count by job type, So My result will be like ORDER_JOB LEAD_JOB ------------------------------------------ 3890 1197 Can anyone please help me to write the Splunk query for getting the above result? ... View more

rex expression does not works as expected

by in Splunk Search
‎03-13-2018 02:54 AM
‎03-13-2018 02:54 AM
I have a following splunk log 2018-03-13T06:28:23.543266+00:00 Commissions.development.loan*** 103a9[[APP/PROC/WEB/0]]: cf_foundation=px-*** cf_app_name=loan*** cf_app_id=**** cf_org_name=Commissions cf_org_id=***** cf_space_name=development cf_space_id=70344c05-60c9-437b-ab88-432a33101022 .source.s_cf_apps {"@timestamp":"2018-03-12T23:28:23.542-07:00","@version":1,"message":"class CreateLoanRequestPayload {\n createLoanRequest: class CreateLoanRequest {\n header: class Header {\n senderid: Test123\n channelid: channel123\n applicationid: NFS\n applicationuserid: user123\n sessionid: session123\n interactionid: intc123\n activityid: actv123\n workflowid: wf123\n timestamp: 2018-03-13T16:50:21.298Z\n storeid: store123\n dealercode: dealer123\n masterdealercode: MdealerCode123\n originatingSenderId: orgSID\n userid: user123\n }\n loans: class Loans {\n account: class LoansAccount {\n commonCustomerId: CC_ID\n accountType: Type123\n accountSubType: SubType123\n billingAddress: class BillingAddress {\n addressLine1: addr1\n addressLine2: addr2\n cityName: chennai\n stateCode: 61478\n zip: 600017\n zipExt: 600018\n optOut: opt_Out\n optOutReason: opt_Out_reason\n optOutType: opt_Out_type\n }\n accountNumber: acc123\n status: ReadyTest\n lastUpdateTime: 2018-03-13T16:50:21.298Z\n billCycleDay: 12\n paymentDueDay: 12\n primaryPlaceOfUseAddress: class PrimaryPlaceOfUseAddress {\n addressLine1: addr1\n addressLine2: addr2\n cityName: chennai\n stateCode: 61478\n zip: 600017\n zipExt: 600018\n optOut: opt_Out\n optOutReason: testStr123\n optOutType: opt_Out_type\n }\n eipIndicator: false\n daysInCurrentAccount: 12\n universalLineId: UNID123\n }\n accountNumber: acc123\n loanId: loan123\n oldLoanId: oLoan123\n currentLoanSystem: cLoan123\n commonCustomerId: CCID123\n balance: 1000.0\n phoneNumber: 9989898898\n fulfillmentType: FFType123\n transactionType: TType123\n returnAuthorizationType: RAType123\n promotions: [class Promotions {\n promotionId: PROMO123\n promotionAmount: 1000.0\n }]\n totalAmountFinanced: 3000.0\n totalNumberOfInstallments: 15\n nominalInterestRate: 1000.0\n annualPercentageRate: 100.0\n downPaymentAmount: 1000.0\n additionalDownPaymentAmount: 1000.0\n downPaymentDiscountAmount: 1000.0\n totalDownPaymentAmount: 1000.0\n recurringInstallmentAmount: 1000.0\n lastInstallmentAmount: 1000.0\n lastInstallmentDueDate: 2018-04-01\n remainingNumberOfInstallments: 12\n purchasedEquipment: class PurchasedEquipment {\n deviceId: DEV1234\n imei: imei123\n serialNumber: sNumber123\n deviceStatus: READYTEST\n sku: testStr123\n description: testStr123\n fullRetailPrice: 1000.0\n productType: TYPE01\n productSubType: SUBTYPE123\n salePrice: 1000.0\n }\n paymentSchedule: [class PaymentSchedule {\n paymentDueDate: 2018-04-01\n installmentNumber: 123\n paymentAmount: 1000.0\n }]\n returnedEquipment: class ReturnedEquipment {\n deviceId: dev123\n imei: imei123\n serialNumber: sNo123\n deviceStatus: ReadyTest\n sku: 3425127898\n deviceRecoveryType: RcType123\n tradeInAmount: 1000.0\n }\n effectiveStartDate: 2018-03-01\n effectiveEndDate: 2018-03-10\n financingModelType: MType123\n statusCode: 200\n remorseReturnNumberOfDays: 2\n originatingMasterDealerCode: O_MDCODE_123\n originatingSalesChannel: oSCHNL_123\n submissionStatus: READYTEST\n pendingFinancialTransactionStatus: READYTEST\n workFlowConditions: [BalanceTransferComplete, shipmentPending]\n agreementNumber: AGREE123\n clientWorkFlowType: TYPE123\n tradeInEligibility: false\n orderId: oID123\n documentSet: class DocumentSet {\n documents: [class Documents {\n documentId: doc123\n documentType: dType01\n }]\n }\n delayPayIndicator: false\n orderLocationState: stateFailed\n orderLocationCity: chennai\n shipToState: tamilnadu\n programType: Test\n sourceTransactionId: sTransID123\n sourceSubTransactionId: subsTransID123\n sourceTransactionTime: 2018-03-13T16:50:21.298Z\n freightCarrier: fCarrier123\n description: Testing_purpose\n serviceLevelCode: sLevel123\n shippingCharge: 200.0\n waiverIndicator: false\n taxExemptionIndicator: false\n eligibilities: [class Eligibilities {\n eligibilityType: elType1\n ineligibleReasons: [class IneligibleReasons {\n reasonCode: rc123\n }]\n }]\n payments: [class Payments {\n paymentAmount: 1000.0\n }]\n acceleratedAmount: amnt1000\n salesChannelId: sCID123\n userId: user1234\n previousLoanSystem: pLS123\n recurringChargeAmount: amnt1000.00\n transferQuoteId: quote123\n transferInitiatedDate: 2018-03-09\n transferAccountNumber: acc1234\n transferType: type01\n unbilledAmount: 1000.0\n crossDefaultIndicator: false\n syncPending: false\n activeDutyMilitaryFlag: false\n subStatusCode: testStr123\n activityType: testStr123\n activityDescription: testStr123\n activityTime: 2018-03-13T16:50:21.298Z\n currentBilledAmount: 1000.0\n shippingDiscountAmount: 1000.0\n shippingDiscountPercent: 1000.0\n shippingChargeCode: testStr123\n additionalPaymentAmount: 1000.0\n newBalance: 1000.0\n newRecurringInstallmentAmount: 1000.0\n newRemainingNumberOfInstallment: 12\n quoteDate: 2018-03-07\n customerCreditClass: testStr123\n writeOff: class WriteOff {\n code: testStr123\n description: testStr123\n effectiveTime: 2018-03-13T16:50:21.298Z\n }\n shippingDate: 2018-03-10T16:50:21.298Z\n trackingNumber: testStr123\n acceleratedDate: 2018-03-10\n paymentOverdueDays: 12\n pastDueIndicator: false\n }\n }\n}","logger_name":"com.tmobile.deep.scms.LoanProcessor","thread_name":"pool-1-thread-11","level":"INFO","level_value":20000,"APP_NAME":"loanProcessor_SCMS","eventID: ":"a36t4856-dc8a-4343-afb3-7o9166","eventType: ":"LoanWriteOffCompleted"} Now I want to get the value of sourceTransactionTime from the log, I used below queries to get it, index=cloudfoundry sourcetype=cloud*** "cf_foundation=px-npe01" cf_org_name="Commissions" cf_space_name=development cf_app_name="loan***"|rex field=_raw "sourceTransactionTime\:(?<sourceTransactionTime>[^\n]+)"|table sourceTransactionTime it returns 2018-03-13T16:50:21.298Z\n freightCarrier: fCarrier123\n description: Testing_purpose\n serviceLevelCode: sLevel123\n shippingCharge: 200.0\n waiverIndicator: false\n taxExemptionIndicator: false\n eligibilities: [class Eligibilities {\n eligibilityType: elType1\n ineligibleReasons: [class IneligibleReasons {\n reasonCode: rc123\n }]\n }]\n payments: [class Payments {\n paymentAmount: 1000.0\n }]\n acceleratedAmount: amnt1000\n salesChannelId: sCID123\n userId: user1234\n previousLoanSystem: pLS123\n recurringChargeAmount: amnt1000.00\n transferQuoteId: quote123\n transferInitiatedDate: 2018-03-09\n transferAccountNumber: acc1234\n transferType: type01\n unbilledAmount: 1000.0\n crossDefaultIndicator: false\n syncPending: false\n activeDutyMilitaryFlag: false\n subStatusCode: testStr123\n activityType: testStr123\n activityDescription: testStr123\n activityTime: 2018-03-13T16:50:21.298Z\n currentBilledAmount: 1000.0\n shippingDiscountAmount: 1000.0\n shippingDiscountPercent: 1000.0\n shippingChargeCode: testStr123\n additionalPaymentAmount: 1000.0\n newBalance: 1000.0\n newRecurringInstallmentAmount: 1000.0\n newRemainingNumberOfInstallment: 12\n quoteDate: 2018-03-07\n customerCreditClass: testStr123\n writeOff: class WriteOff {\n code: testStr123\n description: testStr123\n effectiveTime: 2018-03-13T16:50:21.298Z\n }\n shippingDate: 2018-03-10T16:50:21.298Z\n trackingNumber: testStr123\n acceleratedDate: 2018-03-10\n paymentOverdueDays: 12\n pastDueIndicator: false\n }\n }\n}","logger_name":"com.tmobile.deep.scms.LoanProcessor","thread_name":"pool-1-thread-5","level":"INFO","level_value":20000,"APP_NAME":"loanProcessor_SCMS","eventID: ":"a1234e54-dc5a-4d23-afb3-oif16","eventType: ":"LoanVoidOrderCanceledCompleted"} But I want only the date value "2018-03-13T16:50:21.298Z". Can anyone please suggest me what am doing wrong. ... View more

Re: Extract the value from jsonstring in splunk

by in Dashboards & Visualizations
‎03-12-2018 02:08 AM
‎03-12-2018 02:08 AM
Its working with the above sample makeresult which you have created but when I use my search query like index=cloudfoundry sourcetype=cloudfoundry_apps "cf_foundation=px-npe01" "cf_org_name=EQM-SCMS" "cf_space_name=Test-SCMS-qlab02" "cf_app_name=tfb_hardGoods_SCMS-test" transactionid |rex field=_raw "eventType:\s\":\"(? [^\"]+)" | rex field= "transactionid\":\"(? [^\"])" | table eventType,transactionid it's written the same empty result 😞 ... View more

Re: Extract the value from jsonstring in splunk

by in Dashboards & Visualizations
‎03-12-2018 01:45 AM
‎03-12-2018 01:45 AM
following is the full event 2018-03-01T05:29:43.817263+00:00 EQM-SCMS.Test-SCMS-qlab02.tfbhardGoodsSCMS-test fa4cbb7b-26fa-425e-968d-05dabde7c79a[[APP/PROC/WEB/0]]: cf_foundation=px-npe01 cf_app_name=tfb_hardGoods_SCMS-test cf_app_id=fa4cbb7b-26fa-425e-968d-05dabde7c79a cf_org_name=EQM-SCMS cf_org_id=56f5bed9-cbdc-4ae3-a1e8-73072442a1fe cf_space_name=Test-SCMS-qlab02 cf_space_id=ba8816e1-36d0-4857-9396-87dbf162aead .source.s_cf_apps {"@timestamp":"2018-02-28T21:29:43.816-08:00","@version":1,"message":"Retry will not be attempted on this message : {}","logger_name":"com.tmobile.deep.AMQPWaitExchangePublisher","thread_name":"pool-2-thread-13","level":"ERROR","level_value":40000,"stack_trace":"com.tmobile.deep.exceptions.DEEPException: Can not deserialize value of type java.time.Instant from String \"test\": Text 'test' could not be parsed at index 0\n at [Source: {\"commisionEvent\":{\"channel\":\"testString\",\"orderType\":\"testString\",\"eventSource\":\"testString\",\"eventCreationDate\":\"2018-02-10T00:30:21.298Z\",\"orderDate\":\"2018-02-10T00:30:21.298Z\",\"dealerCode\":\"testString\",\"ban\":\"123\",\"orderNo\":\"testString\",\"originalOrderNo\":\"testString\",\"customerName\":\"testString\",\"msisdn\":\"testString\",\"orderDetails\":[{\"sku\":\"testString\",\"imei\":\"testString\",\"msisdnLineLevel\":\"testString\",\"msrp\":\"1000.00\",\"customerPaidAmount\":\"1200.00\",\"sellingPrice\":\"1000.00\",\"jumpIndicator\":\"testString\",\"eipIndicator\":\"123\",\"eip1stPayment\":\"1100.00\",\"eipPlanId\":\"testString\",\"eipInitialAmount\":\"1000.00\",\"discount\":\"100.00\",\"transactionid\":\"testString\",\"shippedDate\":\"test\",\"priceoverrideamount\":\"1000.00\",\"priceOverrideCode\":\"testString\",\"overrideReason\":\"testString\",\"originalTransactionId\":\"testString\",\"lineType\":\"testString\",\"transactionType\":\"testString\"}]}}; line: 1, column: 676] (through reference chain: com.tmobile.tfb.commissions.model.TbcUpgradesFeedPayload[\"commisionEvent\"]->com.tmobile.tfb.commissions.model.CommissionEvent[\"orderDetails\"]->java.util.ArrayList[0]->com.tmobile.tfb.commissions.model.OrderDetail[\"shippedDate\"])\n\tat com.tmobile.deep.scms.TfbHardGoodsProcessor.process(TfbHardGoodsProcessor.java:84)\n\tat com.tmobile.deep.scms.TfbHardGoodsProcessor.process(TfbHardGoodsProcessor.java:33)\n\tat com.tmobile.deep.scms.TfbHardGoodsProcessor$$EnhancerBySpringCGLIB$$36f9f84d.process()\nCaused by: com.fasterxml.jackson.databind.exc.InvalidFormatException: Can not deserialize value of type java.time.Instant from String \"test\": Text 'test' could not be parsed at index 0\n at [Source: {\"commisionEvent\":{\"channel\":\"testString\",\"orderType\":\"testString\",\"eventSource\":\"testString\",\"eventCreationDate\":\"2018-02-10T00:30:21.298Z\",\"orderDate\":\"2018-02-10T00:30:21.298Z\",\"dealerCode\":\"testString\",\"ban\":\"123\",\"orderNo\":\"testString\",\"originalOrderNo\":\"testString\",\"customerName\":\"testString\",\"msisdn\":\"testString\",\"orderDetails\":[{\"sku\":\"testString\",\"imei\":\"testString\",\"msisdnLineLevel\":\"testString\",\"msrp\":\"1000.00\",\"customerPaidAmount\":\"1200.00\",\"sellingPrice\":\"1000.00\",\"jumpIndicator\":\"testString\",\"eipIndicator\":\"123\",\"eip1stPayment\":\"1100.00\",\"eipPlanId\":\"testString\",\"eipInitialAmount\":\"1000.00\",\"discount\":\"100.00\",\"transactionid\":\"testString\",\"shippedDate\":\"test\",\"priceoverrideamount\":\"1000.00\",\"priceOverrideCode\":\"testString\",\"overrideReason\":\"testString\",\"originalTransactionId\":\"testString\",\"lineType\":\"testString\",\"transactionType\":\"testString\"}]}}; line: 1, column: 676] (through reference chain: com.tmobile.tfb.commissions.model.TbcUpgradesFeedPayload[\"commisionEvent\"]->com.tmobile.tfb.commissions.model.CommissionEvent[\"orderDetails\"]->java.util.ArrayList[0]->com.tmobile.tfb.commissions.model.OrderDetail[\"shippedDate\"])\n\tat com.fasterxml.jackson.databind.exc.InvalidFormatException.from(InvalidFormatException.java:74)\n\tat com.fasterxml.jackson.databind.DeserializationContext.weirdStringException(DeserializationContext.java:1410)\n\tat com.fasterxml.jackson.datatype.jsr310.deser.JSR310DeserializerBase._rethrowDateTimeException(JSR310DeserializerBase.java:81)\n\tat com.fasterxml.jackson.datatype.jsr310.deser.InstantDeserializer.deserialize(InstantDeserializer.java:212)\n\tat com.fasterxml.jackson.datatype.jsr310.deser.InstantDeserializer.deserialize(InstantDeserializer.java:50)\n\tat com.fasterxml.jackson.databind.deser could not be parsed at index 0\n\tat java.time.format.DateTimeFormatter.parseResolved0(DateTimeFormatter.java:1949)\n\tat java.time.format.DateTimeFormatter.parse(DateTimeFormatter.java:1777)\n\tat com.fasterxml.jackson.datatype.jsr310.deser.InstantDeserializer.deserialize(InstantDeserializer.java:206)\n\t... 90 common frames omitted\n","APP_NAME":"tfb_hardGoods_SCMS","eventID: ":"123","eventType: ":"TBCCommissionUpgradeOrderFeed"} ... View more

Re: Extract the value from jsonstring in splunk

by in Dashboards & Visualizations
‎03-12-2018 01:33 AM
‎03-12-2018 01:33 AM
I tried it..but just a two empty result is coming up : my query was index=*** sourcetype=cloudfoundry_apps "cf_foundation=*** " "cf_org_name=" "cf_space_name= " "cf_app_name=tfb_hardGoods_SCMS-test" | rex field= "transactionid\":\"(?[^\"]*)" | table transaction_id ... View more

Extract the value from jsonstring in splunk

by in Dashboards & Visualizations
‎03-12-2018 12:19 AM
‎03-12-2018 12:19 AM
I am having the field "transactionid" in the splunk log as follows: ***** "thread_name":"pool-2-thread-13","level":"ERROR","level_value":40000,"stack_trace":"com.fasterxml.jackson.databind.exc.InvalidFormatException: Can not deserialize value of type java.time.Instant from String \"test\": Text 'test' could not be parsed at index 0\n at [Source: {\"commisionEvent\":{\"channel\":\"testString\",\"orderType\":\"testString\",\"eventSource\":\"testString\",\"eventCreationDate\":\"2018-02-10T00:30:21.298Z\",\"orderDate\":\"2018-02-10T00:30:21.298Z\",\"dealerCode\":\"testString\",\"ban\":\"123\",\"orderNo\":\"testString\",\"originalOrderNo\":\"testString\",\"customerName\":\"testString\",\"msisdn\":\"testString\",\"orderDetails\":[{\"sku\":\"testString\",\"imei\":\"testString\",\"msisdnLineLevel\":\"testString\",\"msrp\":\"1000.00\",\"customerPaidAmount\":\"1200.00\",\"sellingPrice\":\"1000.00\",\"jumpIndicator\":\"testString\",\"eipIndicator\":\"123\",\"eip1stPayment\":\"1100.00\",\"eipPlanId\":\"testString\",\"eipInitialAmount\":\"1000.00\",\"discount\":\"100.00\",\"transactionid\":\"testString\",\"shippedDate\":\"test\",\"priceoverrideamount\":\"1000.00\",\"priceOverrideCode\":\"testString\",\"overrideReason\":\"testString\",\"originalTransactionId\":\"testString\",\"lineType\":\"testString\",\"transactionType\":\"testString\"}]}}; line: 1, column: 676] (through reference chain: com.tmobile.tfb.commissions.model.TbcUpgradesFeedPayload[\"commisionEvent\"]-com.fasterxml.jackson.datatype.jsr310.deser.InstantDeserializer.deserialize(InstantDeserializer.java:206)\n\t... 90 common frames omitted\n","APP_NAME":"tfb_hardGoods_SCMS","eventID: ":"123","eventType: ":"TBCCommissionUpgradeOrderFeed"} I tried the below query index=**** sourcetype=*"cf_foundation=" "cf_org_name=" "cf_space_name=Test-" "cf_app_name=***-test" | rex field=_raw ".*transactionid\\":\\"(?[^]+)"|table transactionid but it shows the error "Error in 'rex' command: Encountered the following error while compiling the regex '.*transactionid\":\"(?[^]+)': Regex: missing terminating ] for character class" Can anyone please suggest me the correct solutions for it. ... View more

Get Json object from the splunk log as a field

by in Splunk Search
‎03-05-2018 05:09 AM
‎03-05-2018 05:09 AM
I am having the splunk log in the following format: 2018-03-02T17:02:27.453185+00:00 ESP-Finance-NPE.development.abctestprocessor-dev a36c4e54-dc5a-4d23-afb3-10f1661b19b4[[APP/PROC/WEB/0]]: cf_foundation=*** cf_app_name=*** cf_app_id=a36c4e54-dc5a-4d23-afb3-10f1661b19b4 cf_org_name=**** cf_org_id=*** cf_space_name=development cf_space_id=*** .source.s_cf_apps 2018-03-02 09:02:27.452 ERROR 14 --- [TaskExecutor-82] c.tmobile.finance.service.LoggerService : {"host_endpoint":"","domain":"CUSTOMER_FINANCE","component":"abctestProcessor","log_type":"ERROR","space_name":"development","event_source":"DEEP_PROXY","api_name":"test_abc","api_id":"a36c4e54-dc5a-4d23-afb3-10f1661b19b4","message_format":"application/json","error_code":0,"stack_trace":"com.tmobile.deep.abc.exception.FinanceSystemE"operation_name":"testEquipmentSerialNumberUpdateCompleted","testId":"testString","msisdn":"testString","guid":"testString","activityid":"testString","api_request":{"eventId":"event123","sourceId":null,"eventType":"testEquipmentSerialNumberUpdateCompleted","eventTime":{"offset":{"totalSeconds":0,"id":"Z","rules":{"fixedOffset":true,"transitions":[],"transitionRules":[]}},"hour":0,"minute":30,"second":21,"nano":298000000,"year":2018,"month":"FEBRUARY","dayOfMonth":10,"dayOfWeek":"SATURDAY","dayOfYear":41,"monthValue":2},"eventProducerId":"Produce123","eventVersion":"testString","specifications":[{"name":"testString","value":"testString"}],"auditInfo":{"customerId":"testString","accountNumber":"testString","universalLineId":"testString","lineId":"testString","phoneNumber":"testString","iamUniqueId":"testString","batchId":"testString","orderId":"testString"},"headerReference":{"activityId":"testString","applicationId":"testString","applicationUserId":"testString","authCustomerId":"testString","authFinancialAccountId":"testString","authLineOfServiceId":"testString","channelId":"testString","dealerCode":"testString","interactionId":"testString","masterDealerCode":"testString","segmentationId":"testString","senderId":"testString","sessionId":"testString","storeId":"testString","terminalId":"testString","tillId":"testString","workflowId":"testString","timestamp":{"offset":{"totalSeconds":0,"id":"Z","rules":{"fixedOffset":true,"transitions":[],"transitionRules":[]}},"hour":0,"minute":30,"second":21,"nano":298000000,"year":2018,"month":"FEBRUARY","dayOfMonth":10,"dayOfWeek":"SATURDAY","dayOfYear":41,"monthValue":2}},"payload":{"createtestRequest":{"header":{"senderid":"testString","channelid":"testString"},"tests":{"account":{"universalLineId":"testString"},"sourceTransactionTime":"2018-02-10T00:30:21.298Z","phoneNumber":"testString","purchasedEquipment":{"description":"testString","imei":"testString"},"testId":"testString"}}},"processContext":{"rootId":"67310650-1e3b-11e8-945d-a5cf584f50bc","parentId":"67310650-1e3b-11e8-945d-a5cf584f50bc","spaceName":"development"},"currentRetryCount":0,"maxRetryAttempts":0,"retryDelay":0,"taskId":null,"errorData":null,"status":null,"subStatus":null},"api_response":"org.hibernate.exception.GenericJDBCException: Error calling CallableStatement.getMoreResults","httpStatusCode":"503","key":"testString","additionalAttributes":{}} Now I want to extract all the payload content , (i.e) my query should returns the following {"createtestRequest":{"header":{"senderid":"testString","channelid":"testString"},"tests":{"account":{"universalLineId":"testString"},"sourceTransactionTime":"2018-02-10T00:30:21.298Z","phoneNumber":"testString","purchasedEquipment":{"description":"testString","imei":"testString"},"testId":"testString"}}},"processContext":{"rootId":"67310650-1e3b-11e8-945d-a5cf584f50bc","parentId":"67310650-1e3b-11e8-945d-a5cf584f50bc","spaceName":"development"},"currentRetryCount":0,"maxRetryAttempts":0,"retryDelay":0,"taskId":null,"errorData":null,"status":null,"subStatus":null} I tried the following query , but it returns nothing, index=*** sourcetype=*** "cf_foundation=px-***" cf_org_name="ESP-Finance-NPE" cf_app_name="***-dev"| rex field=_raw "eventId\"\:\"(?<eventId>[^\"]+)" |search eventId=event123 |rex "(?< payload>{[^}]+})"| table eventId,payload Can anyone please suggest me what am doing wrong and provide me the correct solution for it. ... View more

Re: Unable to retrieve the value where key contain...

by in Getting Data In
‎02-23-2018 12:38 AM
‎02-23-2018 12:38 AM
@mayurr98 thanks. It's works as expected ... View more

Unable to retrieve the value where key contains ":...

by in Getting Data In
‎02-22-2018 11:08 PM
‎02-22-2018 11:08 PM
I have splunk log as follows: 2018-02-21T18:29:31.958125+00:00 EQM-SCMS.Test-SCMS-qlab02.tfbhardGoodsSCMS-test fa4cbb7b-26fa-425e-968d-05dabde7c79a[[APP/PROC/WEB/0]]: cf_foundation=px-npe01 cf_app_name=tfb_hardGoods_SCMS-test cf_app_id=fa4cbb7b-26fa-425e-968d-05dabde7c79a cf_org_name=EQM-SCMS cf_org_id=56f5bed9-cbdc-4ae3-a1e8-73072442a1fe cf_space_name=Test-SCMS-qlab02 cf_space_id=ba8816e1-36d0-4857-9396-87dbf162aead .source.s_cf_apps {"@timestamp":"2018-02-21T10:29:31.957-08:00","@version":1,"message":"Acknowledging Message for consumerTag : cb6ba2fe-dc20-42e4-88ae-b94d3f17f611, deliveryTag : 32","logger_name":"com.tmobile.deep.AMQPEventConsumer","thread_name":"pool-2-thread-4","level":"INFO","level_value":20000,"APP_NAME":"tfb_hardGoods_SCMS","eventID: ":"d100ecb2-5821-4089-b8aa-902c0a8629a0","eventType: ":"TBCCommissionUpgradeOrderFeed"} 2018-02-21T18:19:58.059358+00:00 EQM-SCMS.Test-SCMS-qlab02.tfbhardGoodsSCMS-test fa4cbb7b-26fa-425e-968d-05dabde7c79a[[APP/PROC/WEB/0]]: cf_foundation=px-npe01 cf_app_name=tfb_hardGoods_SCMS-test cf_app_id=fa4cbb7b-26fa-425e-968d-05dabde7c79a cf_org_name=EQM-SCMS cf_org_id=56f5bed9-cbdc-4ae3-a1e8-73072442a1fe cf_space_name=Test-SCMS-qlab02 cf_space_id=ba8816e1-36d0-4857-9396-87dbf162aead .source.s_cf_apps {"@timestamp":"2018-02-21T10:19:58.059-08:00","@version":1,"message":"Before publishing the Event to Kafka:::LoggingHeader [eventType=TBCCommissionUpgradeOrderFeed, clientEventId=null, deepEventId=d2afaee0-1733-11e8-a03a-a96c3fa64a03, eventTime=03-21-2018 10:19:57, eventProducerId=TBC, filteredSystemsList=null, filteredExceptionMessage=null]","logger_name":"com.tmobile.deep.AMQPEventConsumer","thread_name":"pool-2-thread-3","level":"INFO","level_value":20000,"APP_NAME":"tfb_hardGoods_SCMS","eventID: ":"ca2f9346-ac31-465f-b306-11beb2543f52","eventType: ":"TBCCommissionUpgradeOrderFeed"} 2018-02-20T20:48:39.782740+00:00 EQM-SCMS.Test-SCMS-qlab02.tfbhardGoodsSCMS-test fa4cbb7b-26fa-425e-968d-05dabde7c79a[[APP/PROC/WEB/0]]: cf_foundation=px-npe01 cf_app_name=tfb_hardGoods_SCMS-test cf_app_id=fa4cbb7b-26fa-425e-968d-05dabde7c79a cf_org_name=EQM-SCMS cf_org_id=56f5bed9-cbdc-4ae3-a1e8-73072442a1fe cf_space_name=Test-SCMS-qlab02 cf_space_id=ba8816e1-36d0-4857-9396-87dbf162aead .source.s_cf_apps {"@timestamp":"2018-02-20T12:48:39.782-08:00","@version":1,"message":"Event with id : Snehal45678 , will be redelivered after 731757 ms from now ","logger_name":"com.tmobile.deep.AMQPWaitExchangePublisher","thread_name":"pool-2-thread-3","level":"INFO","level_value":20000,"APP_NAME":"tfb_hardGoods_SCMS","eventID: ":"Snehal45678","eventType: ":"TBCCommissionUpgradeOrderFeed"} Now I want to get the unique events ID , I have tried the query: index=cloudfoundry sourcetype=cloudfoundry_apps "cf_foundation=***" "cf_org_name=testOrg" "cf_space_name=Test" "cf_app_name=app-test" | stats count by eventID: But it returns nothing. Can anyone please help me to get it. ... View more

Get preset values as specific date

by in Dashboards & Visualizations
‎02-07-2018 02:21 AM
‎02-07-2018 02:21 AM
I have a time dropdown as below: <input type="time" token="dashboardTime" searchWhenChanged="true"> <label>SELECT TIME RANGE</label> <default> <earliest>-7d@d</earliest> <latest>now</latest> </default> </input> Now , I need write a query based field which was under the selected time . For Eg: If I choose Last 7 days it should be: index=**** sourcetype=**** "cf_foundation=px-npe01" "cf_org_name=****" "cf_space_name=****" "cf_app_name=****" "||splunk-logger||" taskName='****' status='COMPLETED' | sort -splunkLogId | eval startDateModified= strptime( startDate, "%d-%m-%Y") | where startDateModified > "01/02/2018" and starDate <= "07/02/208"|stats count ... View more

Re: Change a part of query based on dropdown selec...

by in Dashboards & Visualizations
‎02-06-2018 11:08 PM
‎02-06-2018 11:08 PM
@493669 As posted earlier, For "File Count to ECS" I need to get "chart count over runDate" but for others it would be " chart sum(rowCount) over runDate". ... View more

Change a part of query based on dropdown selected ...

by in Dashboards & Visualizations
‎02-06-2018 10:50 PM
‎02-06-2018 10:50 PM
I have a dropdown with values as follows <choice value="S_M_SCMSA_SUB_TRUEUP">PostPaid Subscriber Data from Samson</choice> <choice value="S_M_SCMSA_PCR_PP_SUBSCRIBER_TRUEUP">PrePaid Subscriber through ESP</choice> <choice value="S_M_SCMSA_PCR_PP_SUB_FEATURE_TRUEUP">PrePaid Features through ESP</choice> <choice value="S_M_SAA_REP_SUBSCRIBER_ACTIVITYe">Subscribers from SAA</choice> <choice value="S_M_SAA_REP_PRODUCT_ACTIVITY">Features from SAA</choice> <choice value="S_M_SCMSA_POS_TRANS">PoS records in Adapter</choice> <choice value="*ADP-ECS~*">File Count to ECS</choice> <choice value="*ADP-DCS~*">File Count to DCS</choice> <choice value="*ADP-ICM~*">File Count to CCS</choice> <choice value="S_M_FILE_SUBACTIVITY_TO_ECS">Subscriber Events to ECS</choice> <choice value="S_M_FILE_FEATUREACT_TO_ECS">Feature Events to ECS</choice> <choice value="S_M_DCS_SUB_ACTIVITY">Subscriber Events to DCS</choice> <choice value="S_M_DCS_FEATURE_ACTIVITY">Feature Events to DCS</choice> Now I want to change the query based on the selected value ,for Eg: If the user selects "Prepaid Subscriber Data from Samson" then the query will be taskName='S_M_SCMSA_SUB_TRUEUP' status='COMPLETED'| sort -splunkLogId | dedup taskLogId | eval startDateModified= strptime( startDate, "%Y-%m-%d %H:%M:%S") | eval newDateFromDash = relative_time($dashboardTime.latest$(), "$dashboardTime.earliest$") | where startDateModified > newDateFromDash | eval runDate = strftime(strptime(startDate, "%Y-%m-%d"),"%Y-%m-%d") |chart sum(rowCount) over runDate and for "PrePaid Features through ESP" the query will be: taskName='S_M_SCMSA_PCR_PP_SUBSCRIBER_TRUEUP' status='COMPLETED'| sort -splunkLogId | dedup taskLogId | eval startDateModified= strptime( startDate, "%Y-%m-%d %H:%M:%S") | eval newDateFromDash = relative_time($dashboardTime.latest$(), "$dashboardTime.earliest$") | where startDateModified > newDateFromDash | eval runDate = strftime(strptime(startDate, "%Y-%m-%d"),"%Y-%m-%d") |chart sum(rowCount) over runDate and the most important if I select "File Count to ECS" , the query will be taskName='*ADP-ECS~*' status='COMPLETED'| sort -splunkLogId | dedup taskLogId | eval startDateModified= strptime( startDate, "%Y-%m-%d %H:%M:%S") | eval newDateFromDash = relative_time($dashboardTime.latest$(), "$dashboardTime.earliest$") | where startDateModified > newDateFromDash | eval runDate = strftime(strptime(startDate, "%Y-%m-%d"),"%Y-%m-%d") | chart count over runDate here we are also changing the part of the query (i.e) for the other options we getting "|chart sum(rowCount) over runDate " but for here we want to only "chart count over runDate" I know we can do it by using tokens on dropdown change event, But is there any other way to do it, like using if condition or something simpler.Can anyone please help me to do it ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎04-13-2022 12:02 AM
Karma from
View All
Karma given to