Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About Vigneshprasanna
Vigneshprasanna
Explorer
Member since:
05-22-2018
06-05-2020
Community Statistics
| Posts | 29 |
| Solutions | 0 |
| Karma Given | 4 |
| Karma Received | 0 |
| Member Since | 05-22-2018 |
Activity Feed
- Karma Re: Regex data parsing using Delimiter comma "has exceeded the configured depth_limit, consider raising the value in limits.conf." ? for FrankVl. 06-05-2020 12:49 AM
- Karma Re: How to write a search using my sample test data to get the expected table of results? for niketn. 06-05-2020 12:49 AM
- Karma Re: Drill Down Dashboard Design for poete. 06-05-2020 12:49 AM
- Karma Re: splunk query for Lamar. 06-05-2020 12:46 AM
- Posted Splunk Query On Selecting The Range Of Vales For dashboard on Splunk Search. 06-14-2018 04:48 AM
- Tagged Splunk Query On Selecting The Range Of Vales For dashboard on Splunk Search. 06-14-2018 04:48 AM
- Tagged Splunk Query On Selecting The Range Of Vales For dashboard on Splunk Search. 06-14-2018 04:48 AM
- Tagged Splunk Query On Selecting The Range Of Vales For dashboard on Splunk Search. 06-14-2018 04:48 AM
- Posted Re: Splunk Query on All Apps and Add-ons. 06-13-2018 05:49 PM
- Posted Re: Time format on Getting Data In. 06-13-2018 02:44 AM
- Posted Re: Splunk Query on All Apps and Add-ons. 06-13-2018 02:30 AM
- Posted Re: Time format on Getting Data In. 06-12-2018 06:00 PM
- Posted Re: Splunk Query on All Apps and Add-ons. 06-12-2018 05:55 PM
- Posted Time format on Getting Data In. 06-12-2018 11:01 AM
- Tagged Time format on Getting Data In. 06-12-2018 11:01 AM
- Tagged Time format on Getting Data In. 06-12-2018 11:01 AM
- Posted Re: Splunk Query on All Apps and Add-ons. 06-12-2018 10:32 AM
- Posted Re: Loop to select a Range of values and display. on Splunk Search. 06-12-2018 07:33 AM
- Posted Re: Loop to select a Range of values and display. on Splunk Search. 06-11-2018 02:27 AM
- Posted Re: Loop to select a Range of values and display. on Splunk Search. 06-09-2018 11:25 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
06-14-2018
04:48 AM
Hi Team,
Would like to design the query for the below requirement where we wanted to capture 2 dash boards as below for the information we have as logs (refer test data in this attachment which is the sample log data)
Dash board1 – To get details of the logs based on the field Thread_number and Application_MSG having APP Request (which is part of my incoming log data). This is designed already.
Timestamp1 – Combination of Thread_number and Application_MSG having APP Request occurnace
Timestamp2 - Combination of Thread_number and Application_MSG having APP Request next occurance and to be continued for each occurrence
Dash board2 – This is a drill down dashboard from Dashboard1 which has to return the list of lines between the rows displayed in Dashboard1
Test Data :
2018-05-14 14:25:00,093 INFO STDOUT 14:25:00,093 [com.xxx] INFO - APP Request [ RequestInformation1 ]
2018-05-14 14:25:00,108 INFO com.777 Transform - Completed server response transform. Took 31 ms.
2018-05-14 14:25:10,189 INFO com.777 Listing exeuction. Took 32 ms.
2018-05-14 14:25:12,109 INFO com.777 Query processed.
2018-05-14 14:25:13,112 INFO com.777 Query processed.
2018-05-14 14:25:14,053 INFO STDOUT 14:25:00,093 [com.xxx] INFO - APP Request [ RequestInformation2 ]
2018-05-14 14:25:13,124 INFO com.777 Response processed.
Fields
AUDIT_TIME, LOGGING_PRIORITY, LOG_LEVEL, CONNECTION_FACTOR ,THREAD_NUMBER ,,AUDIT_DATA
Regular Expression
^(?P<AUDIT_TIME>[^,]+)[^,\n]*,(?P<LOGGING_PRIORITY>\d+)\s+(?P<LOG_LEVEL>\w+)\s+(?P<CONNECTION_FACTIRY>[^ ]+)\s+(?P<THREAD_NUMBER>[^ ]+)\s+(?P<AUDIT_DATA>.+)
AUDIT_TIME: 2018-05-14 14:25:00
Logging_Priority : 331
Log_Level : INFO
Connection_factory : [STDOUT]
Thread_Number : (http-123.123.123-800-8)
AUDIT_TIME: 14:25:00,093 [com.xxx] INFO - APP Request [ RequestInformation1 ]
Dashbaord1 shows
2018-05-14 14:25:00,093 INFO STDOUT 14:25:00,093 [com.xxx] INFO - APP Request [ RequestInformation1 ]
2018-05-14 14:25:14,093 INFO STDOUT 14:25:00,093 [com.xxx] INFO - APP Request [ RequestInformation2 ]
Expected output in dash board2
2018-05-14 14:25:00,093 INFO STDOUT 14:25:00,093 [com.xxx] INFO - APP Request [ RequestInformation1 ]
2018-05-14 14:25:00,108 INFO com.777 Transform - Completed server response transform. Took 31 ms.
2018-05-14 14:25:10,108 INFO com.777 Listing exeuction. Took 32 ms.
2018-05-14 14:25:12,108 INFO com.777 Query processed.
2018-05-14 14:25:13,108 INFO com.777 Query processed.
2018-05-14 14:25:14,093 INFO STDOUT 14:25:00,093 [com.xxx] INFO - APP Request [ RequestInformation2 ]
2018-05-14 14:25:13,108 INFO com.777 Response processed.
In the above data we have mapped THREAD_NUMBER: http-123.123.123-800-8 as value A and AUDIT_DATA: "APP Request" as value B
So now I’m trying to print the below events as they are the values between the same combination values of A & B (i.e. THREAD_NUMBER: http-123.123.123-800-8 & AUDIT_DATA: "APP Request")
2018-05-14 14:25:00,093 INFO STDOUT 14:25:00,093 [com.xxx] INFO - APP Request [ RequestInformation1 ]
2018-05-14 14:25:00,108 INFO com.777 Transform - Completed server response transform. Took 31 ms.
2018-05-14 14:25:10,108 INFO com.777 Listing exeuction. Took 32 ms.
2018-05-14 14:25:12,108 INFO com.777 Query processed.
2018-05-14 14:25:13,108 INFO com.777 Query processed.
... View more
06-13-2018
02:44 AM
Hi @PowerPacked and @sukisen1981
I'm going wrong somewhere 😞 can you please check and correct me i have modified the query and tried for my case but its not working 😞
this is my sample data
2018-05-14 14:25:00,108 INFO com.xxxxxxx.browser.servlets.BrowserServlet 123-132-0-23-0
2018-05-14 14:25:00 -> i wanna pass this part as the input for the tag $earliest$
<earliest>$earliest$</earliest>
... View more
06-13-2018
02:30 AM
Hi cpetterborg ,
Hope the below info can help us to understand
for the below sample data
2018-05-14 14:25:00,093 INFO STDOUT 14:25:00,093 [com.xxxxxxx.xxx.conn.aoo.invok] INFO - APP Request [ eq.SELECT,,***********//DTA,AA.AA.AA.AAAA,@ID:EQ=DTA ]
2018-05-14 14:25:00,108 INFO com.xxxxxxx.browser.beans.xxxxxxxBean Transform - Completed server response transform. Took 31 ms.
2018-05-14 14:25:00,108 INFO com.xxxxxxx.browser.servlets.BrowserServlet 123-132-0-23-0
2018-05-14 14:25:00,108 INFO com.xxxxxxx.browser.servlets.BrowserServlet
2018-05-14 14:25:00,171 INFO STDOUT 14:25:00,171 [com.xxxxxxx.xxx.conn.aoo.invok] INFO - APP Request [ ,," 123145353" ]
2018-05-14 14:25:00,296 WARN org.apache.tomcat.util.http.Parameters Parameters: Invalid chunk ignored.
2018-05-14 14:25:00,311 WARN org.apache.tomcat.util.http.Parameters Parameters: Invalid chunk ignored.
and the above sample data is parses as
Fields
AUDIT_TIME,LOGGING_PRIORITY,LOG_LEVEL,THREAD_NUMBER ,CONNECTION_FACTOR,AUDIT_DATA
Regular Expression
^(?P[^,]+)[^,\n]*,(?P\d+)\s+(?P\w+)\s+(?P[^ ]+)\s+(?P[^ ]+)\s+(?P.+)
In the above data i have mapped THREADNUMBER :"http-xxxxxx%xx.123.123.123-800-8" As value A and AUDIT_DATA: "APP Request" as value B
so now im trying to print the below events as they are the values between the same values combinationa of A & B
2018-05-14 14:25:00,093 INFO STDOUT 14:25:00,093 [com.xxxxxxx.xxx.conn.aoo.invok] INFO - APP Request [ eq.SELECT,,***********//DTA,AA.AA.AA.AAAA,@ID:EQ=DTA ]
2018-05-14 14:25:00,108 INFO com.xxxxxxx.browser.beans.xxxxxxxBean Transform - Completed server response transform. Took 31 ms.
2018-05-14 14:25:00,108 INFO com.xxxxxxx.browser.servlets.BrowserServlet 123-132-0-23-0
2018-05-14 14:25:00,108 INFO com.xxxxxxx.browser.servlets.BrowserServlet
... View more
06-12-2018
06:00 PM
Hi @sukisen1981
i wanna pass the AUDIT_TIME in
Jboss Drilldown
<panel>
<table>
<title>Dynamic drilldown Jboss Request/Response</title>
<search>
<query> **Query that will return AUDIT_TIME** </query>
**<earliest>$earliest$</earliest>** - **should pass the audit time here**
<latest>$latest$</latest>
</search>
</table>
</panel>
This is jest an example snippit may have some more errors too hope this helps us to understand where we have to pass the AUDIT_TIME..
Thanks for the support in advance.
Regards,
Vigneshprasanna R
... View more
06-12-2018
05:55 PM
Hi @cpetterborg
the above i have provided was jest a sample info, for better understanding i have added some details below hope this will help us .
or the below sample data
2018-05-14 14:25:00,093 INFO STDOUT 14:25:00,093 [com.xxxxxxx.xxx.conn.aoo.invok] INFO - APP Request [ eq.SELECT,,***********//DTA,AA.AA.AA.AAAA,@ID:EQ=DTA ]
2018-05-14 14:25:00,108 INFO com.xxxxxxx.browser.beans.xxxxxxxBean Transform - Completed server response transform. Took 31 ms.
2018-05-14 14:25:00,108 INFO com.xxxxxxx.browser.servlets.BrowserServlet 123-132-0-23-0
2018-05-14 14:25:00,108 INFO com.xxxxxxx.browser.servlets.BrowserServlet
2018-05-14 14:25:00,171 INFO STDOUT 14:25:00,171 [com.xxxxxxx.xxx.conn.aoo.invok] INFO - APP Request [ ,," 123145353" ]
2018-05-14 14:25:00,296 WARN org.apache.tomcat.util.http.Parameters Parameters: Invalid chunk ignored.
2018-05-14 14:25:00,311 WARN org.apache.tomcat.util.http.Parameters Parameters: Invalid chunk ignored.
and the above sample data is parses as
Fields
AUDIT_TIME,LOGGING_PRIORITY,LOG_LEVEL,THREAD_NUMBER ,CONNECTION_FACTOR,AUDIT_DATA
Regular Expression
^(?P[^,]+),(?P\d+)\s+(?P\w+)\s+(?P[^ ]+)\s+(?P[^ ]+)\s(?P.+)
In the above data i have mapped THREADNUMBER :"http-xxxxxx%xx.123.123.123-800-8" As value A and AUDIT_DATA: "APP Request" as value B
so now im trying to print the below events as they are the values between the same values combinationa of A & B
2018-05-14 14:25:00,093 INFO STDOUT 14:25:00,093 [com.xxxxxxx.xxx.conn.aoo.invok] INFO - APP Request [ eq.SELECT,,***********//DTA,AA.AA.AA.AAAA,@ID:EQ=DTA ]
2018-05-14 14:25:00,108 INFO com.xxxxxxx.browser.beans.xxxxxxxBean Transform - Completed server response transform. Took 31 ms.
2018-05-14 14:25:00,108 INFO com.xxxxxxx.browser.servlets.BrowserServlet 123-132-0-23-0
2018-05-14 14:25:00,108 INFO com.xxxxxxx.browser.servlets.BrowserServlet
Regards,
Vigneshprasanna R
... View more
06-12-2018
11:01 AM
Hi Mates,
i get output of a query as below, i would like to pass the output of this query to the of my code but the is not supporting the time format generated by the query so please help in changing the time format
output = AUDIT_TIME="2018-06-05 21:00:02"
Query :
index="jboss" AUDIT_DATA="XXXXX" AND AUDIT_DATA=""XXXX8"" AUDIT_TIME>="2018-06-05 21:00:00" | table AUDIT_TIME | sort AUDIT_TIME | uniq | sort 2 AUDIT_TIME | reverse | return AUDIT_TIME
i wanna pass this output value AUDIT_TIME in
... View more
06-12-2018
07:33 AM
@niketn
For the below set of sample data i have modified your query, i dont know where i went wrong im not getting the output 😞
please correct me where im wrong
2018-05-14 14:25:00,093 INFO STDOUT 14:25:00,093 [com.xxxxxxx.xxx.conn.aoo.invok] INFO - APP Request [ eq.SELECT,,***********//DTA,AA.AA.AA.AAAA,@ID:EQ=DTA ]
2018-05-14 14:25:00,108 INFO com.xxxxxxx.browser.beans.xxxxxxxBean Transform - Completed server response transform. Took 31 ms.
2018-05-14 14:25:00,108 INFO com.xxxxxxx.browser.servlets.BrowserServlet 123-132-0-23-0
2018-05-14 14:25:00,108 INFO com.xxxxxxx.browser.servlets.BrowserServlet
2018-05-14 14:25:00,171 INFO STDOUT 14:25:00,171 [com.xxxxxxx.xxx.conn.aoo.invok] INFO - APP Request [ ,," 123145353" ]
2018-05-14 14:25:00,296 WARN org.apache.tomcat.util.http.Parameters Parameters: Invalid chunk ignored.
2018-05-14 14:25:00,311 WARN org.apache.tomcat.util.http.Parameters Parameters: Invalid chunk ignored.
and the above sample data is parses as
Fields
AUDIT_TIME,LOGGING_PRIORITY,LOG_LEVEL,THREAD_NUMBER ,CONNECTION_FACTOR,AUDIT_DATA
Regular Expression
^(?P[^,]+),(?P\d+)\s+(?P\w+)\s+(?P[^ ]+)\s+(?P[^ ]+)\s(?P.+)
In the above data i have mapped THREADNUMBER :"http-xxxxxx%xx.123.123.123-800-8" As value A and AUDIT_DATA: "APP Request" as value B
so now im trying to print the below events as they are the values between the same values combinationa of A & B
2018-05-14 14:25:00,093 INFO STDOUT 14:25:00,093 [com.xxxxxxx.xxx.conn.aoo.invok] INFO - APP Request [ eq.SELECT,,***********//DTA,AA.AA.AA.AAAA,@ID:EQ=DTA ]
2018-05-14 14:25:00,108 INFO com.xxxxxxx.browser.beans.xxxxxxxBean Transform - Completed server response transform. Took 31 ms.
2018-05-14 14:25:00,108 INFO com.xxxxxxx.browser.servlets.BrowserServlet 123-132-0-23-0
2018-05-14 14:25:00,108 INFO com.xxxxxxx.browser.servlets.BrowserServlet
the query i tried
| gentimes start=01/01/01
| eval _time=starttime
| fields _time
| reverse
| appendcols
[| makeresults index="jboss" THREAD_NUMBER=* | fields - _time | mvexpand ValueA ]
| appendcols
[| makeresults index="jboss" AUDIT_DATA="- Request" | fields - _time | mvexpand ValueB ]
| search ValueA="" ValueB=""
| dedup ValueA ValueB
| eval Time=_time
| map search="
| gentimes start=01/01/01
| eval _time=starttime
| fields _time
| reverse
| appendcols
[| makeresults index="jboss" THREAD_NUMBER=* | fields - _time | mvexpand ValueA ]
| appendcols
[| makeresults index="jboss" AUDIT_DATA="- Request" | fields - _time | mvexpand ValueB ]
| eval selectedTime=$Time$
| eval originalTime=_time
| where originalTime>=selectedTime
| streamstats count by ValueA ValueB reset_before="ValueA="" AND ValueB="""
| stats dc(ValueA) as countValues list(ValueA) as ValueA list(ValueB) as ValueB by count
| search countValues>1
"
this query is not returning me any data 😞
Regards,
Vigneshprasanna R
... View more
06-11-2018
02:27 AM
@niketn a small clarification if suppose i have AUDIT_TIME "24/4/17 12.00" with the value A=-10 and value B=bag and AUDIT_TIME with next value of A=-10 and value B=bag is 24/4/17 12.30
is it possible to get the values between the AUDIT_TIME 24/4/17 12.00 and 24/4/17 12.30 sequentially ??
hopefully this should also return the same value we are looking for ..
like
24/4/17 12.10 -10 bag,
24/4/17 12.15 -13 ball,
24/4/17 12.20 -11 request
Thanks for the great support 🙂
Regards,
Vigneshprasanna R
... View more
06-09-2018
11:25 PM
@niketnilay,
Ya your understanding is perfectly correct, it has to display one set when i choose the couple of value A and B
if it is A= -10 and B = bag it will display
-10 bag, -13 ball, -11 request
Thanks in advance, for the support
Regards,
Vigneshprasanna R
... View more
06-09-2018
06:18 PM
@Nikentnilay
your understanding is correct 🙂 that's what i really want.
if the value A=-10 and value B=bag it should return
-10 bag,
-13 ball,
-11 request
if there is a third match of value A=-11 and Value B="request" it should return as below
-11 request
-10 bag
so at the end the data will be like sets
1st set for the match -11 & "request " will be
-11 request
-10 bag
-13 ball
2nd set for the match -11 & "request " will be
-11 request
-10 bag
so on it will go ..............
when we click on the set one it should display all the values of the set 1 as above same way with set 2 etc ..
can you please help me in designing the query
thanks for the support in advance 🙂
Regards,
Vigneshprasanna R
... View more
06-09-2018
02:03 AM
Hi Team,
I am trying to design a query here, i have a list of vales as below
the requirement is that i wanna all the values that are in between same combination of A & B
for example if "value A"="-11" & "Value B"="request" then the query should check for the same values if it finds A=-11 and B= request the loop should exit and display the O/p as below
-11 request - (should display the 1st combination )
-10 bag
-13 ball
so can any one help me designing a query for the above case
Regards,
Vigneshprasanna R
... View more
06-07-2018
11:27 AM
Hi Niketnilay,
Do you have any idea on the issue " https://answers.splunk.com/answers/663602/splunk-query-5.html " this is related to the same log type .
... View more
06-07-2018
11:24 AM
Sorry for the delay and thanks a lot Niketnilay 🙂 your response helped me a lot 🙂
... View more
06-07-2018
07:11 AM
Hi Team,
I wanna design a Line Chart that gives me the count of request that has hit my server with time as base.
Test data :
2017-08-08 22:38:24,331 INFO XYZXYZ 22:38:24,331 INFO [APP_INVOKE_MSG] APP Request aDasdADSAdsaDSADASDA asdaSD ID_01SDFBH ASDASDASDDAdASSDa //-1/NO,RULE.ID:1:1=below minimum value (0)
2017-08-08 22:38:24,331 INFO XYZXYZ 22:38:24,331 INFO [APP_INVOKE_MSG] APP Request aldisjba;sdjba;ojds;ajn;kc a;ojcn;ajc;ajobnc;ooajb;ojjaw;jbb;
The above data is parsed in the below format and has brought inside the splunk
Data Parsing Formate:
Timestamp : 2017-08-08
Time : 22:38:24
Logging_Priority : 331
Log_Level : INFO
Connection_factory : [XYZXYZ]
Thread_Number : (httpXYSGHFA 10.100.1234.12-1234-81)
Application_Message : 22:38:24,331 INFO [APP_INVOKE_MSG] APP Request [ ID_123SDFBH//-1/NO,RULE.ID:1:1=below minimum value (0) ]
With the field "Time" in the X axis and Y axis by counting the string "Request" & "Response" in the application Message i need to draw a graph exactly as shown below
please help me with the query.
Regards,
Vigneshprasanna R
... View more
06-06-2018
09:08 AM
Hi Rich,
Im pulling in the log data from an application log folder, and have already extracted in the above given "Data Parsing Formate: "
For better understanding im providing a log and its regx
Log :
This shows you one request and response
2018-05-14 14:00:00,204 INFO STDOUT 14:00:00,204 [domain:name:application:invoke] INFO - APP Request [ app.ico.SELECT,,***********//TN599qerqi839,RT1.call.ads,@ID:EQ=TN599qerqi839 ]
2018-05-14 14:00:00,236 INFO STDOUT 14:00:00,236 [domain:name:application:invoke] INFO - APP Response [ ,," 20171214" ]
Regax :
^(?P[^,]+)[^,\n]*,(?P\d+)\s+(?P\w+)\s+(?P[^ ]+)\s+(?P[^ ]+)\s+(?P.+)
The data is not coming from a spreed sheet its from a .log file we generally open it in note pad.
Yes, its a folw from a dashboard to drill down.
Application MSG is a field that is not defined properly that contains the data generated by the application , as we are not maintaining the session id we are not able to tract the request and response of a specific request so the idea is that the thread number generated at the time of request will flow until the response or error is thrown, using this i know the value customer ID i will use it to get the logs having the customer id and "- APP Request "
for example if i want session logs of id 1445
i will search for index=* Application_MSG ="1445" and " - APP Request"
so the above query will list me the logs contains index=* Application_MSG ="1445" and " - APP Request"
from the logs i need to take the thread ID and have a drop down
in that drop down if i select an thread number (for example if im selecting : http-Applicationserver%10.10.10.100.100-8080-5) it should return all the logs between this thread number and the next occurrence of the same thread number thread number & " - APP Request"(for the above example it will be like i should list the logs in between the until i get the next log having the same thread number "http-Applicationserver%10.10.10.100.100-8080-5" & "- APP Request " )
to term it simple i should list all the logs in between log congaing thread number "http-Applicationserver%10.10.10.100.100-8080-5 " & "- APP Request" to "http-Applicationserver%10.10.10.100.100-8080-5 " & "- APP Request"
for selecting the thread number "http-Applicationserver%10.10.10.100.100-8080-5" only we are using some ID in the application MSG "1445"(this can vary)
... View more
06-06-2018
02:48 AM
Hi Team,
I have a challenge here, i totally have no idea to design this query, Please help in doing this.
Test Data :
Line Number 1 => 2017-08-08 22:38:24,331 INFO XYZXYZ 22:38:24,331 INFO [APP_INVOKE_MSG] APP Request [ ID_01SDFBH//-1/NO,RULE.ID:1:1=below minimum value (0) ]
Line Number 2 => 2017-08-08 22:39:45,331 WARN XYZXYZ 22:38:24,331 INFO [APP_INVOKE_MSG] APP Request [ ID_02SDFBH//-1/NO,RULE.ID:1:1=below minimum value (0) ]
Line Number 3 => 2017-08-08 22:42:57,331 ERROR XYZXYZ 22:38:24,331 INFO [APP_INVOKE_MSG] [ ID_34SDFBH//-1/NO,RULE.ID:1:1=below minimum value (0) ]
Line Number 4 => 2017-08-08 22:48:24,331 SEVIER XYZXYZ 22:38:24,331 INFO [APP_INVOKE_MSG] [ ID_23SDFBH//1/NO,RULE.ID:1:1=below minimum value (0) ]
Line Number 5 => 2017-08-08 22:55:23,331 INFO XYZXYZ 22:38:24,331 INFO [APP_INVOKE_MSG] [ //-1/NO,RULE.ID:1:1=below minimum value (0) ]
Line Number 6 => 2017-08-08 22:58:32,331 INFO XYZXYZ 22:38:24,331 INFO [APP_INVOKE_MSG] APP Request [ ID_32SDFBH//-1/NO,RULE.ID:1:1=below minimum value (0) ]
Line Number 7 => 2017-08-08 23:01:42,331 ERROR XYZXYZ 22:38:24,331 INFO [APP_INVOKE_MSG] APP Request [ ID_01SDFBH//-1/NO,RULE.ID:1:1=below minimum value (0) ]
Line Number 8 => 2017-08-08 22:38:34,331 INFO XYZXYZ 22:38:24,331 INFO [APP_INVOKE_MSG] APP Request [ ID_02SDFBH//-1/NO,RULE.ID:1:1=below minimum value (0) ]
Line Number 9 => 2017-08-08 22:38:25,331 INFO XYZXYZ 22:38:24,331 INFO [APP_INVOKE_MSG] APP Response [ ID_23SDFBH//-1/NO,RULE.ID:1:1=below minimum value (0) ]
Data Parsing Formate:
Timestamp : 2017-08-08 22:38:24
Logging_Priority : 331
Log_Level : INFO
Connection_factory : [XYZXYZ]
Thread_Number : (httpXYSGHFA 10.100.1234.12-1234-81)
Application_Message : 22:38:24,331 INFO [APP_INVOKE_MSG] APP Response [ ID_123SDFBH//-1/NO,RULE.ID:1:1=below minimum value (0) ]
In the Above set of test data, i wanna write a query in the way it should meet the following needs
Case 1:
If we are searching for the CUS_ID = ID_01SDFBH (This id will be in the 1st line of the test data in the Application_Message field)
Splunk should take the the thread number (here it should take "httpXYSGHFA 10.100.1234.12-1234-81" & "httpXYSGHFA 10.100.1234.12-1234-33")
Example Using Test Data
Here the splink should display the Thread Number's in line Number 1 & 7 because as the log line contain the Search test which is CUS_ID = ID_01SDFBH
Case 2:
When I choose the thread ID "httpXYSGHFA 10.100.1234.12-1234-81" splunk should return the log lines between the next occurrence of the (Same Thread Number)"httpXYSGHFA 10.100.1234.12-1234-81" & String "APP Request"
Example Using Test Data
Here the splunk should display from the Line 1 to Line 5 as the line 1 has the CUS_ID = ID_01SDFBH + "APP Request" + Thread Number="httpXYSGHFA 10.100.1234.12-1234-81", And ends at the line 5 as the line 6 has Same Threads Number "httpXYSGHFA 10.100.1234.12-1234-81" & "APP Request"
... View more
06-04-2018
10:10 AM
Hi Team,
I'm Facing issue in designing a query for the following requirement :
Sample data :
Test data :
2017-08-08 22:38:24,331 **INFO** [XYZXYZ] (httpXYSGHFA 10.100.1234.12-1234-1234) 22:38:24,331 INFO [APP_INVOKE_MSG] APP Response [ ID_123SDFBH/NO,RULE.ID:1:1=below minimum value (0) ]
2017-08-08 22:38:24,331 **ERROR** [XYZXYZ] (httpXYSGHFA 10.100.1234.12-1234-1234) 22:38:24,331 INFO [APP_INVOKE_MSG] APP Response [ ID_123SDFBADRFNO,RULE.ID:1:1=below minimum value (0) ]
2017-08-08 22:38:24,332 **WARN** [XYZXYZ] (httpXYSGHFA 10.100.1234.12-1234-1234) 22:38:24,331 INFO [APP_INVOKE_MSG] APP Response [ ID_123SDFBH//-1/NO,RULE.ID:1:1=below minimum value (0) ]
2017-08-08 22:38:24,333 **INFO** [XYZXYZ] (httpXYSGHFA 10.100.1234.12-1234-1234) 22:38:24,331 INFO [APP_INVOKE_MSG] APP Response [ ID_123SDFBH//-1/NO,RULE.ID:1:1=below minimum value (0) ]
2017-08-08 22:38:24,334 **SEVER** [XYZXYZ] (httpXYSGHFA 10.100.1234.12-1234-1234) 22:38:24,331 INFO [APP_INVOKE_MSG] APP Response [ ID_123SDFBH//-1/NO,RULE.ID:1:1=below minimum value (0) ]
PARSING THE ABOVE LOG (SAMPLE) :
**Timestamp :** 2017-08-08 22:38:24,331
**Log_Level :** INFO
**Connection_factory :** [XYZXYZ]
**Thread_Number :**(httpXYSGHFA 10.100.1234.12-1234-1234)
**Application_Message :** 22:38:24,331 INFO [APP_INVOKE_MSG] APP Response [ ID_123SDFBH//-1/NO,RULE.ID:1:1=below minimum value (0) ]
Exported Result
I tried plenty of formats in the query, please help to design the query to meet the needs.
Regards,
Vigneshprasanna R
... View more
06-04-2018
04:07 AM
Hi Poete,
Thanks for the effort 🙂 that was really helpful, I have a small doubt in this as i'm new to splunk.
Test data :
2017-08-08 22:38:24,331 INFO XYZXYZ 22:38:24,331 INFO [APP_INVOKE_MSG] APP Response [ ID_123SDFBH//-1/NO,RULE.ID:1:1=below minimum value (0) ]
The above message is parsed as follows :
Timestamp : 2017-08-08 22:38:24,331
Log_Level : INFO
Connection_factory : [XYZXYZ]
Thread_Number :(httpXYSGHFA 10.100.1234.12-1234-1234)
Application_Message : 22:38:24,331 INFO [APP_INVOKE_MSG] APP Response [ ID_123SDFBH//-1/NO,RULE.ID:1:1=below minimum value (0) ]
what i need is if you see the application msg it has a value "/-1/" it means the log is not done with its request so i should change the log level into ERROR while displaying the Splunk dashboard even though the log is with INFO log level
My Current Query in the dashboard :
index=* AND LOG_LEVEL=* AND APPLICATION_MSG=*| table AUDIT_TIME LOG_LEVEL AUDIT_DATA
what should i add to this query
Regards,
Vigneshprasanna R
... View more
06-04-2018
12:23 AM
Hi Poete,
Thanks for the effort 🙂 that was really helpful, I have a small doubt in this as i'm new to splunk.
Test data :
2017-08-08 22:38:24,331 INFO XYZXYZ 22:38:24,331 INFO [APP_INVOKE_MSG] APP Response [ ID_123SDFBH//-1/NO,RULE.ID:1:1=below minimum value (0) ]
The above message is parsed as follows :
Timestamp : 2017-08-08 22:38:24,331
Log_Level : INFO
Connection_factory : [XYZXYZ]
Thread_Number :(httpXYSGHFA 10.100.1234.12-1234-1234)
Application_Message : 22:38:24,331 INFO [APP_INVOKE_MSG] APP Response [ ID_123SDFBH//-1/NO,RULE.ID:1:1=below minimum value (0) ]
what i need is if you see the application msg it has a value "/-1/" it means the log is not done with its request so i should change the log level into ERROR while displaying the Splunk dashboard even though the log is with INFO log level
My Current Query in the dashboard :
index=* AND LOG_LEVEL=* AND APPLICATION_MSG=*| table AUDIT_TIME LOG_LEVEL AUDIT_DATA
what should i add to this query
Regards,
Vigneshprasanna R
... View more
06-03-2018
11:10 PM
Hi Richgalloway,
Thanks for the effort 🙂 can you please help me in understanding the changes i need to do in the "PROPS.CONF" file ??
Regards,
Vigneshprasanna R
... View more
06-02-2018
09:07 AM
Hi Team,
I’m struck in parsing the data, please advise how to handle the data.
In the log of an application a particular filed is alone containing huge data, so the lines are broken into new lines, so the splunk is also considering every single new lines as a new event
Sample data :
Please have a look in the image i have attached for sample data as it contains tags i'm not able to post here.
The above data is comma separated data and its field names are :
AUD_SEQ_NO PACKAGE_NAME SERVICE_NAME AUDIT_TIME EVENT_NAME SHORT_TEXT LONG_TEXT AUDIT_DATA CONSUMER_ID MESSAGE_ID CONTEXT_ID USER_NAME USER_ID USER_CONTEXT COMPANY_ID VERSION SESSION_ID CHANNEL_ID BUSINESSUNIT_ID SERVER_NAME
I have added a snap for better understanding.
... View more
06-02-2018
07:58 AM
Hi Frank,
Added to the above query, i would like to know about the limit.conf file you have shared me before, the file you have shared and the file i'm having in the splunk has the same values. So can you please advice me that which value i should change to increase the limit of regex in the system.
Regards,
Vigneshprasanna R
... View more
06-02-2018
07:51 AM
Hi Frank,
Once Again Thanks for the effort, Ya i added the data to the splunk and went to a log and used the option of "Extract Fields" with there i got two options to extract the fields they are "Delimiter " & "Regular" i tried both but ended up with the error i have posted above.
I'm new to splunk, so i have a some more doubts in .conf files, can you please guide me where i should create this .conf files you have added in the previous answer ??
And one more doubt is that i have many types of log in my system how to specify that this conf is for a specific index type ??
Thanks & Regards,
Vigneshprasanna R
... View more
