Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About vrmandadi
vrmandadi
Builder
Member since:
08-14-2015
03-06-2023
Community Statistics
| Posts | 624 |
| Solutions | 5 |
| Karma Given | 58 |
| Karma Received | 28 |
| Member Since | 08-14-2015 |
Activity Feed
- Got Karma for Re: "Other" in timechart. 01-13-2023 05:27 AM
- Posted Re: How to have different color for each bar in column chart? on Dashboards & Visualizations. 12-20-2022 10:21 AM
- Posted Re: Timechart to show only when values change for a particular field on Splunk Search. 12-16-2022 10:30 AM
- Posted How to have different color for each bar in column chart? on Dashboards & Visualizations. 12-16-2022 10:30 AM
- Karma Re: Timechart to show only when values change for a particular field for bowesmana. 12-16-2022 10:30 AM
- Posted How to create a timechart to show only when values change for a particular field? on Splunk Search. 12-12-2022 08:50 PM
- Posted Re: Can we delete the fishbucket for a specific index ? on Splunk Search. 12-08-2022 12:27 PM
- Posted Re: Can we delete the fishbucket for a specific index ? on Splunk Search. 12-08-2022 10:41 AM
- Posted Can we delete the fishbucket for a specific index ? on Splunk Search. 12-08-2022 08:07 AM
- Posted Re: How to compare a column with multiple columns in splunk and highlight the cell not matching with red on Splunk Search. 11-21-2022 08:48 AM
- Posted Re: How do you change the cell color based on partial value? on Dashboards & Visualizations. 11-21-2022 08:23 AM
- Posted How to compare a column with multiple columns in Splunk and highlight the cell not matching with red? on Dashboards & Visualizations. 11-21-2022 07:24 AM
- Posted Re: How to compare a column with multiple columns in splunk and highlight the cell not matching with red on Splunk Search. 11-18-2022 04:24 PM
- Posted How to compare a column with multiple columns in Splunk and highlight the cell not matching with red? on Splunk Search. 11-18-2022 08:27 AM
- Posted Re: How can I optimize my query ? on Splunk Search. 11-10-2022 08:41 AM
- Posted How can I optimize my query ? on Splunk Search. 11-09-2022 12:47 PM
- Posted Re: Compare csv and search and show results which are different from csv on Splunk Search. 11-04-2022 10:13 AM
- Posted Re: Compare csv and search and show results which are different from csv on Splunk Search. 11-04-2022 07:42 AM
- Posted How to compare csv and search and show results which are different from csv? on Splunk Search. 11-03-2022 06:41 PM
- Posted Re: How to get all events between two events? on Splunk Search. 10-26-2022 11:21 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
12-20-2022
10:21 AM
Thank you @bowesmana ..cheers
... View more
12-16-2022
10:30 AM
I am using the following query to get the results index=abc node=*
| chart latest(state) as state by node
| stats count by state
| sort - state Below is the column chart display of it.I want to display each state by a custom color I tried using the below line in xml but its not changing <option name="charting.fieldColors">{"Allocated":0x333333,"DOWN":0xd93f3c,"IDLE":0xf58f39,"Minor":0xf7bc38,"Notice" :0xeeeeee,"Healthy":0x65a637}</option>
... View more
12-12-2022
08:50 PM
Hello Splunkers ,
I want to know if we can create a timechart that will show only values when they change ..If there is a change in field value
Below is the timechart of events every minute
2022-12-12 20:41:00
IDLE
2022-12-12 20:40:00
ACTIVE
2022-12-12 20:39:00
FALSE
2022-12-12 20:38:00
FALSE
2022-12-12 20:37:00
FALSE
2022-12-12 20:36:00
TRUE
2022-12-12 20:35:00
TRUE
2022-12-12 20:34:00
TRUE
2022-12-12 20:33:00
TRUE
2022-12-12 20:31:00
NEGATIVE
2022-12-12 20:30:00
NEGATIVE
2022-12-12 20:29:00
NEGATIVE
2022-12-12 20:28:00
TRUE
I am looking for
2022-12-12 20:41:00
IDLE
2022-12-12 20:40:00
ACTIVE
2022-12-12 20:39:00
FALSE
2022-12-12 20:36:00
TRUE
2022-12-12 20:31:00
NEGATIVE
2022-12-12 20:28:00
TRUE
Thanks in advance!!
... View more
12-08-2022
12:27 PM
@richgalloway Thank you for your input . So are you suggesting to blacklist gzip files first so that it indexes unzipped files and then blacklist unzipped files so that zip files will be indexed?. monitor:///admin/logs/bac/syslog/syslog.log*] blacklist = .*/syslog\.log\.1\.gz$ disabled = 0 host = metrics-preos02 host_segment = 3 index = syslog-test1 sourcetype = syslog whitelist = .*/syslog\.log(|\.[0-9]+\.gz)$
... View more
12-08-2022
10:41 AM
@richgalloway Thank you for your response .. The reason I asked was I am having issue with data -re indexing .For that I have done the following steps Created a new index(previously it was syslog ..changed to syslog1) Created new data input ([monitor:///admin/logs/abc/syslog/syslog.log*] Reset the fishbucket entry for all those files After I enabled the input I see data coming in from syslog.log, syslog.log.25.gz, syslog.log.26.gz etc but few are missing I checked splunkd.log and saw these messages 12-08-2022 01:50:55.675 +0000 INFO ArchiveProcessor [180967 archivereader] - Handling file=/admin/logs/abc/syslog/syslog.log.2.gz 12-08-2022 01:50:55.676 +0000 INFO ArchiveProcessor [180967 archivereader] - record time older than bucket, reindexing path=/admin/logs/abc/syslog/syslog.log.2.gz 12-08-2022 01:50:55.676 +0000 INFO ArchiveProcessor [180967 archivereader] - reading path=/admin/logs/abc/syslog/syslog.log.2.gz (seek=0 len=579119) 12-08-2022 01:50:55.788 +0000 INFO ArchiveProcessor [180967 archivereader] - Archive with path="/admin/logs/abc/syslog/syslog.log.2.gz" was already indexed as a non-archive, skipping. 12-08-2022 01:50:55.790 +0000 INFO ArchiveProcessor [180967 archivereader] - Finished processing file '/admin/logs/abc/syslog/syslog.log.2.gz', removing from stats How to re-ingest
... View more
12-08-2022
08:07 AM
Hello Experts , I am trying to delete the fishbucket but I want to delete only one index=syslog..Is there a command I can run that only delete for a particular index Thanks in Advance
... View more
Labels
- Labels:
-
other
11-21-2022
08:48 AM
@yuanliu I was able to tweak the XML and was able to get the color the cell. <format type="color">
<colorPalette type="expression">if (like(value,"!!%")"#FFCCCB","#90EE90")</colorPalette>
</format>
... View more
11-21-2022
08:23 AM
@mayurr98 ...How do we change the field="field_value" if there like 50 values ..can we use like wild character like field="host*" ? <format type="color" field="field_value">
<colorPalette type="expression">if (like(value,"%online%"),"#FF5733","#247bc1")</colorPalette>
</format>
... View more
11-21-2022
07:24 AM
I am trying to compare a static column(Baseline) with multiple columns(hosts) and if there is a difference I need to highlight that cell in red Component BASELINE HOSTA HOSTB HOSTC GPU 20 20 5 7 GPU1 5 7 7 5 FW 2.4.2 2.4.2 2.4.2 2.4.3 IP 1.1.1.1 1.1.1.2 1.1.1.1 1.1.1.1 ID [234 , 336] [234 , 336] [134 , 336] [234 , 336] <form theme="dark">
<label>Preos Firmware Summary - Liquid Cooled</label>
<fieldset submitButton="false">
<input type="multiselect" token="tok_host" searchWhenChanged="true">
<label>Host</label>
<valueSuffix>,</valueSuffix>
<fieldForLabel>host</fieldForLabel>
<fieldForValue>host</fieldForValue>
<search>
<query>index=pre Type=Liquid_Cooled
| stats count by host
| dedup host</query>
<earliest>-90d@d</earliest>
<latest>now</latest>
</search>
<default>*</default>
<delimiter> </delimiter>
<choice value="*">All</choice>
</input>
<input type="multiselect" token="tok_component" searchWhenChanged="true">
<label>Component</label>
<choice value="*">All</choice>
<default>*</default>
<fieldForLabel>Component</fieldForLabel>
<fieldForValue>Component</fieldForValue>
<search>
<query>index=pre Type=Liquid_Cooled host IN ($tok_host$) "IB HCA FW" OR *CPLD* OR BMC OR SBIOS OR *nvme* OR "*GPU* PCISLOT*" OR *NVSW*
| rex field=_raw "log-inventory.sh\[(?<id>[^\]]+)\]\:\s*(?<Component>[^\:]+)\:\s*(?<Hardware_Details>.*)"
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*CPLD\:\s*(?<Hardware>[^.*]+)"
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*BMC\:\s*version\:\s*(?<Hardware1>[^\,]+)"
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*SBIOS\s*version\:\s*(?<Hardware2>[^ ]+)"
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*nvme\d*\:.*FW\:\s*(?<Hardware3>[^ ]+)"
| rex field=_raw "VBIOS\:\s*(?<Hardware4>[^\,]+)"
| rex field=_raw "NVSW(\d\s|\s)FW\:\s*(?<Hardware5>(.*))"
| rex field=_raw "IB\s*HCA\sFW\:\s*(?<Hardware6>(.*))"
| eval output = mvappend(Hardware,Hardware1,Hardware2,Hardware3,Hardware4,Hardware5,Hardware6)
| replace BMC WITH "BMC and AUX" in Component
| search Component IN("*")
| stats latest(output) as output latest(_time) as _time by Component host
| fields - _time
| eval from="search"
| join Component
[| inputlookup FW_Tracking_Baseline.csv
| search Component!=*ERoT* Component!=PCIeRetimer* Component!="BMC FW ver"
| table Component Baseline
| eval from="lookup"
| rename Baseline as lookup_output
| fields lookup_output Component output]
| stats count(eval(lookup_output==output)) AS case BY host Component output lookup_output
| replace 1 WITH "match" IN case
| replace 0 WITH "No match" IN case
| stats values(Component) as Component by host lookup_output case output
| stats count by Component
| dedup Component</query>
<earliest>-90d@d</earliest>
<latest>now</latest>
</search>
<valueSuffix>"</valueSuffix>
<delimiter> ,</delimiter>
<valuePrefix>"</valuePrefix>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>index=preos_inventory sourcetype = preos_inventory Type=Liquid_Cooled host IN ($tok_host$) "IB HCA FW" OR *CPLD* OR BMC OR SBIOS OR *nvme* OR "*GPU* PCISLOT*" OR *NVSW*
| rex field=_raw "log-inventory.sh\[(?<id>[^\]]+)\]\:\s*(?<Component>[^\:]+)\:\s*(?<Hardware_Details>.*)"
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*CPLD\:\s*(?<Hardware>[^.*]+)"
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*BMC\:\s*version\:\s*(?<Hardware1>[^\,]+)"
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*SBIOS\s*version\:\s*(?<Hardware2>[^ ]+)"
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*nvme\d*\:.*FW\:\s*(?<Hardware3>[^ ]+)"
| rex field=_raw "VBIOS\:\s*(?<Hardware4>[^\,]+)"
| rex field=_raw "NVSW\d\s*FW\:\s*(?<Hardware5>(.*))"
| rex field=_raw "IB\s*HCA\sFW\:\s*(?<Hardware6>(.*))"
| eval output = mvappend(Hardware,Hardware1,Hardware2,Hardware3,Hardware4,Hardware5,Hardware6)
| replace BMC WITH "BMC and AUX" in Component
| stats latest(output) as output latest(_time) as _time by Component host
| eval from="search"
| fields - _time
| chart values(output) by Component host limit=0
| fillnull value="No Data" | join Component
[ | inputlookup FW_Tracking_Baseline.csv
| search Component!=*ERoT* Component!=PCIeRetimer* Component!="BMC FW ver"
| table Component Baseline
| eval from="lookup"
| fields Baseline Component output]
| fields Component Baseline *
| fillnull value="No Data"</query>
<earliest>-90d@d</earliest>
<latest>now</latest>
</search>
<option name="count">50</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>
... View more
Labels
- Labels:
-
Dashboard Studio
-
other
11-18-2022
04:24 PM
@yuanliu Thank you. for your reply.Sorry if my question was not clear.Yes I want to highlight the cell in RED when its different from the baseline value.Can you let me know what changes I need to make on my HTML
... View more
11-18-2022
08:27 AM
I am trying to compare a static column(Baseline) with multiple columns(hosts) and if there is a difference I need to highlight that cell in red
Component
BASELINE
HOSTA
HOSTB
HOSTC
GPU
20
20
5
7
GPU1
5
7
7
5
FW
2.4.2
2.4.2
2.4.2
2.4.3
IP
1.1.1.1
1.1.1.2
1.1.1.1
1.1.1.1
ID
[234 , 336]
[234 , 336]
[134 , 336]
[234 , 336]
<form theme="dark">
<label>Preos Firmware Summary - Liquid Cooled</label>
<fieldset submitButton="false">
<input type="multiselect" token="tok_host" searchWhenChanged="true">
<label>Host</label>
<valueSuffix>,</valueSuffix>
<fieldForLabel>host</fieldForLabel>
<fieldForValue>host</fieldForValue>
<search>
<query>index=preos_inventory sourcetype = preos_inventory Type=Liquid_Cooled
| stats count by host
| dedup host</query>
<earliest>-90d@d</earliest>
<latest>now</latest>
</search>
<default>*</default>
<delimiter> </delimiter>
<choice value="*">All</choice>
</input>
<input type="multiselect" token="tok_component" searchWhenChanged="true">
<label>Component</label>
<choice value="*">All</choice>
<default>*</default>
<fieldForLabel>Component</fieldForLabel>
<fieldForValue>Component</fieldForValue>
<search>
<query>index=preos_inventory sourcetype = preos_inventory Type=Liquid_Cooled host IN ($tok_host$) "IB HCA FW" OR *CPLD* OR BMC OR SBIOS OR *nvme* OR "*GPU* PCISLOT*" OR *NVSW*
| rex field=_raw "log-inventory.sh\[(?<id>[^\]]+)\]\:\s*(?<Component>[^\:]+)\:\s*(?<Hardware_Details>.*)"
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*CPLD\:\s*(?<Hardware>[^.*]+)"
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*BMC\:\s*version\:\s*(?<Hardware1>[^\,]+)"
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*SBIOS\s*version\:\s*(?<Hardware2>[^ ]+)"
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*nvme\d*\:.*FW\:\s*(?<Hardware3>[^ ]+)"
| rex field=_raw "VBIOS\:\s*(?<Hardware4>[^\,]+)"
| rex field=_raw "NVSW(\d\s|\s)FW\:\s*(?<Hardware5>(.*))"
| rex field=_raw "IB\s*HCA\sFW\:\s*(?<Hardware6>(.*))"
| eval output = mvappend(Hardware,Hardware1,Hardware2,Hardware3,Hardware4,Hardware5,Hardware6)
| replace BMC WITH "BMC and AUX" in Component
| search Component IN("*")
| stats latest(output) as output latest(_time) as _time by Component host
| fields - _time
| eval from="search"
| join Component
[| inputlookup FW_Tracking_Baseline.csv
| search Component!=*ERoT* Component!=PCIeRetimer* Component!="BMC FW ver"
| table Component Baseline
| eval from="lookup"
| rename Baseline as lookup_output
| fields lookup_output Component output]
| stats count(eval(lookup_output==output)) AS case BY host Component output lookup_output
| replace 1 WITH "match" IN case
| replace 0 WITH "No match" IN case
| stats values(Component) as Component by host lookup_output case output
| stats count by Component
| dedup Component</query>
<earliest>-90d@d</earliest>
<latest>now</latest>
</search>
<valueSuffix>"</valueSuffix>
<delimiter> ,</delimiter>
<valuePrefix>"</valuePrefix>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>index=preos_inventory sourcetype = preos_inventory Type=Liquid_Cooled host IN ($tok_host$) "IB HCA FW" OR *CPLD* OR BMC OR SBIOS OR *nvme* OR "*GPU* PCISLOT*" OR *NVSW*
| rex field=_raw "log-inventory.sh\[(?<id>[^\]]+)\]\:\s*(?<Component>[^\:]+)\:\s*(?<Hardware_Details>.*)"
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*CPLD\:\s*(?<Hardware>[^.*]+)"
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*BMC\:\s*version\:\s*(?<Hardware1>[^\,]+)"
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*SBIOS\s*version\:\s*(?<Hardware2>[^ ]+)"
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*nvme\d*\:.*FW\:\s*(?<Hardware3>[^ ]+)"
| rex field=_raw "VBIOS\:\s*(?<Hardware4>[^\,]+)"
| rex field=_raw "NVSW\d\s*FW\:\s*(?<Hardware5>(.*))"
| rex field=_raw "IB\s*HCA\sFW\:\s*(?<Hardware6>(.*))"
| eval output = mvappend(Hardware,Hardware1,Hardware2,Hardware3,Hardware4,Hardware5,Hardware6)
| replace BMC WITH "BMC and AUX" in Component
| stats latest(output) as output latest(_time) as _time by Component host
| eval from="search"
| fields - _time
| chart values(output) by Component host limit=0
| fillnull value="No Data" | join Component
[ | inputlookup FW_Tracking_Baseline.csv
| search Component!=*ERoT* Component!=PCIeRetimer* Component!="BMC FW ver"
| table Component Baseline
| eval from="lookup"
| fields Baseline Component output]
| fields Component Baseline *
| fillnull value="No Data"</query>
<earliest>-90d@d</earliest>
<latest>now</latest>
</search>
<option name="count">50</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>
Thanks in Advance
... View more
Labels
- Labels:
-
other
11-10-2022
08:41 AM
@bowesmana Thank you for you reply.I tried using multiple OR conditions and I was unable to get any results.Below is the search I used.I am kinda new to doing joins and complex commands.Can you please let me know the search how it should be. (index=syslog (process=*epilog* "*slurm-epilog: START user*") OR (process=*prolog* "*slurm-prolog: END user*") OR (index=syslog "Linux version") OR (index=syslog "NVRM: Xid*" process=kernel)
host IN (preos*)) OR
(index="slurm-jobs" nodelist=preos*)
| rex field=_raw "(?<epilog_start>[^ ]+)\-\d{2}\:\d{2}.*slurm\-epilog\:\s*START\suser\=(?<user>[^\s]+)\sjob\=(?<job_id>[^ ]+)"
| rex field=_raw "(?<prolog_end>[^ ]+)\-\d{2}\:\d{2}.*slurm\-prolog\:\s*END\suser\=(?<user>[^\s]+)\sjob\=(?<job_id_1>[^ ]+)"
| rex field=_raw "(?<reboot_time>[^ ]+)\-\d{2}\:\d{2}.*kernel:\s.*Linux\sversion"
| rex field=_raw "(?<kernel_xid>[^ ]+)\-\d{2}\:\d{2}.*NVRM\:\sXid\s*\(PCI\:(?<PCIe_Bus_Id>[^ ]+)\)\:\s*(?<Error_Code>[^ ]+)\,\spid\=(?<pid>[^ ]+)\,\s*name\=(?<name>[^ ]+)\,\s(?<Log_Message>.*)"
| eval job_id=coalesce(job_id, job_id_1)
| stats values(epilog_start) as epilog_start values(prolog_end) as prolog_end first(_time) as _time values(reboot_time) as reboot_time values(kernel_xid) as kernel_xid values(PCIe_Bus_Id) as PCIe_Bus_Id values(pid) as pid values(name) as name values(Error_Code) as Error_Code values(Log_Message) as Log_Message values(job_name) as job_name values(nodelist) as nodelist values(time_start) as time_start values(time_end) as time_end values(state) as state values(submit_line) as submit_line by host user job_id
| convert timeformat="%Y-%m-%dT%H:%M:%S.%6N" mktime(prolog_end) as job_start
| convert timeformat="%Y-%m-%dT%H:%M:%S.%6N" mktime(epilog_start) as epilog_start
| convert timeformat="%Y-%m-%dT%H:%M:%S.%6N" mktime(reboot_time) as reboot_time
| eval diff_reboot = reboot_time - job_start
| eval reboot_time = if(diff_reboot<0, "", reboot_time)
| eval diff_reboot = if(diff_reboot<0, "", diff_reboot)
| eval job_end = if(epilog_start!="",epilog_start,if(diff_reboot>0,reboot_time,current_time))
| eval diff_reboot = if(diff_reboot!="",diff_reboot,10000000000)
| convert timeformat="%Y-%m-%dT%H:%M:%S.%6N" mktime(kernel_xid) as xid_time
| eval diff = xid_time - job_start
| eval diff2 = job_end - xid_time
| search diff>0 AND diff2>0
| eval job_start = strftime(job_start,"%Y-%m-%d %H:%M:%S.%3N")
| eval job_end = if(job_end==current_time,"N/A",strftime(job_end,"%Y-%m-%d %H:%M:%S.%3N"))
| eval xid_time = strftime(xid_time,"%Y-%m-%d %H:%M:%S.%3N")
| eval current_time = strftime(current_time,"%Y-%m-%d %H:%M:%S.%3N")
| eval reboot_time = strftime(reboot_time,"%Y-%m-%d %H:%M:%S.%3N")
... View more
11-09-2022
12:47 PM
I have the following query with multiple joins and using max=0 which is not giving me all results as I think the size becomes more and its unable to take the load.How best can I optimize my query index=syslog (process=*epilog* "*slurm-epilog: START user*") OR (process=*prolog* "*slurm-prolog: END user*") host IN (preo*) timeformat="%Y-%m-%dT%H:%M:%S.%6N"
| rex field=_raw "(?<epilog_start>[^ ]+)\-\d{2}\:\d{2}.*slurm\-epilog\:\s*START\suser\=(?<user>[^\s]+)\sjob\=(?<job_id>[^ ]+)"
| rex field=_raw "(?<prolog_end>[^ ]+)\-\d{2}\:\d{2}.*slurm\-prolog\:\s*END\suser\=(?<user>[^\s]+)\sjob\=(?<job_id>[^ ]+)"
| stats values(epilog_start) as epilog_start values(prolog_end) as prolog_end first(_time) as _time by host user job_id
| search prolog_end!=""
| search user=*
| search job_id=*
| eval current_time = now()
| join host max=0 type=left
[
search index=syslog "Linux version" host IN (preos*)
| rex field=_raw "(?<reboot_time>[^ ]+)\-\d{2}\:\d{2}.*kernel:\s.*Linux\sversion"
| stats count by reboot_time host
]
| convert timeformat="%Y-%m-%dT%H:%M:%S.%6N" mktime(prolog_end) as job_start
| convert timeformat="%Y-%m-%dT%H:%M:%S.%6N" mktime(epilog_start) as epilog_start
| convert timeformat="%Y-%m-%dT%H:%M:%S.%6N" mktime(reboot_time) as reboot_time
| eval diff_reboot = reboot_time - job_start
| eval reboot_time = if(diff_reboot<0, "", reboot_time)
| eval diff_reboot = if(diff_reboot<0, "", diff_reboot)
| eval job_end = if(epilog_start!="",epilog_start,if(diff_reboot>0,reboot_time,current_time))
| eval diff_reboot = if(diff_reboot!="",diff_reboot,10000000000)
| sort host user job_id prolog_end diff_reboot
| dedup host user job_id prolog_end
| join host max=0 type=left
[
search index=syslog (("NVRM: Xid*") process=kernel) host IN (preos*)
| rex field=_raw "(?<kernel_xid>[^ ]+)\-\d{2}\:\d{2}.*NVRM\:\sXid\s*\(PCI\:(?<PCIe_Bus_Id>[^ ]+)\)\:\s*(?<Error_Code>[^ ]+)\,\spid\=(?<pid>[^ ]+)\,\s*name\=(?<name>[^ ]+)\,\s(?<Log_Message>.*)"
| stats count by host kernel_xid PCIe_Bus_Id pid name Error_Code Log_Message
| search Error_Code="***"
]
| search kernel_xid!=""
| convert timeformat="%Y-%m-%dT%H:%M:%S.%6N" mktime(kernel_xid) as xid_time
| eval diff = xid_time - job_start
| eval diff2 = job_end - xid_time
| search diff>0 AND diff2>0
| eval job_start = strftime(job_start,"%Y-%m-%d %H:%M:%S.%3N")
| eval job_end = if(job_end==current_time,"N/A",strftime(job_end,"%Y-%m-%d %H:%M:%S.%3N"))
| eval xid_time = strftime(xid_time,"%Y-%m-%d %H:%M:%S.%3N")
| eval current_time = strftime(current_time,"%Y-%m-%d %H:%M:%S.%3N")
| eval reboot_time = strftime(reboot_time,"%Y-%m-%d %H:%M:%S.%3N")
| join user job_id type=left
[ search index="slurm-jobs"
| stats count by job_id job_name user nodelist time_start time_end state submit_line
]
| eval _time=strptime(xid_time,"%Y-%m-%d %H:%M:%S.%3N")
| stats count by host user job_id job_start job_end xid_time Error_Code PCIe_Bus_Id pid name Log_Message job_name nodelist state submit_line
| dedup host Below are the sample logs Events First search 2022-11-08T14:59:53.134550-08:00 preos slurm-epilog: START user=abc job=62112 2022-11-08T14:58:25.101203-08:00 preos slurm-prolog: END user=abc job=62112 Subsearch after join events: 2022-11-09T12:49:51.395174-08:00 preos kernel: [ 0.000000] Linux version hjhc (buildd@lcy02-amd64-032) (gcc (Ubuntu 11.2.0-19ubuntu1) 11.2.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #58-Ubuntu SMP Thu Oct 13 08:03:55 UTC 2022 (Ubuntu 5.15.0-52.58-generic 5.15.60) Events from second join: 2022-11-09T12:35:15.422001-08:00 preos kernel: [ 99.166912] NVRM: Xid (PCI:00:2:00): 95, pid='<unknown>', name=<unknown>, Uncontained: FBHUB. RST: Yes, D-RST: No Events from last join: 2022-11-09 20:50:02.000, mod_time="1668027082", job_id="62112", job_name="rfm_nvcp_bek_cd_job", user="abc", account="admin", partition="vi2", qos="all", resv="YES", timelimit_minutes="10", work_dir="/sbatch/logs/2022-11-09T11-30-39/preos/viking-hbm2/builtin/nvcomp_benchmark_cascaded", submit_line="sbatch rfm_nvcomp_benchmark_cascaded_job.sh", time_submit="2022-11-09 12:11:13", time_eligible="2022-11-09 12:11:13", time_start="2022-11-09 12:50:02", time_end="2022-11-09 12:51:22", state="COMPLETED", exit_code="0", nodes_alloc="1", nodelist="preos0093", submit_to_start_time="00:38:49", eligible_to_start_time="00:38:49", start_to_end_time="00:01:20" Thanks in Advance
... View more
11-04-2022
10:13 AM
This worked for me index=pr *CPLD* OR BMC OR SBIOS OR *nvme* OR "*GPU* PCISLOT*"
| rex field=_raw "log-inventory.sh\[(?<id>[^\]]+)\]\:\s*(?<Component>[^\:]+)\:\s*(?<Hardware_Details>.*)"
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*CPLD\:\s*(?<Hardware>[^.*]+)"
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*BMC\:\s*version\:\s*(?<Hardware1>[^\,]+)"
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*SBIOS\s*version\:\s*(?<Hardware2>[^ ]+)"
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*nvme\d*\:.*FW\:\s*(?<Hardware3>[^ ]+)"
| rex field=_raw "VBIOS\:\s*(?<Hardware4>[^\,]+)"
| eval output = mvappend(Hardware, Hardware1,Hardware2,Hardware3,Hardware4)
| replace BMC WITH "BMC and AUX" in Component
| stats latest(output) as output latest(_time) as _time by Component host
| sort Component
| fields - _time
| eval from="search"
| join Component
[| inputlookup component.csv
| table Component output
| eval from="lookup"
| rename output as lookup_output
| fields lookup_output Component output]
| stats count(eval(lookup_output==output)) AS case BY host Component output lookup_output
| replace 1 WITH "match" IN case
| replace 0 WITH "No match" IN case
| sort case | stats values(Component) as Component by host lookup_output case output
| search case!=match
| fields host Component output lookup_output
| sort - Component
... View more
11-04-2022
07:42 AM
@bowesmana Thank you for your reply .Does this search looks for the latest component and output values of each host and compare with the csv or it checks all the older values..I am trying to match the latest values of each host with the lookup
... View more
11-03-2022
06:41 PM
Hello Splunkers ,
I am using the following search which outputs the following fields host ,Component and output and then it compares with a lookup file (below) which has fields Component and output .I filter the results by using | |where mvcount(from)=1 AND from="search" and I get correct results(attached screenshot) but i want to add another column from lookup to show what is in lookup and what is different in search .For instance in the attached screenshot for GPU0 the output value is 96.00.2F.00.06 which is different in lookup...I want to show the output value for that GPU0 of the lookup beside the output column
Components
output
BMC and AUX
22.10 0x12
CPLD
00 00 46
SBIOS version
0.2
nvme9
EPK9CB5Q
nvme8
EPK9CB5Q
nvme7
EPK9CB5Q
nvme6
EPK9CB5Q
nvme5
EPK9CB5Q
nvme4
EPK9CB5Q
nvme3
EPK9CB5Q
nvme2
EPK9CB5Q
nvme1
EPK9CB5Q
nvme0
EPK9CB5Q
GPU0
96.00.39.00.08
GPU1
96.00.39.00.08
GPU2
96.00.39.00.08
GPU3
96.00.39.00.08
GPU4
96.00.39.00.08
GPU5
96.00.39.00.08
GPU6
96.00.39.00.08
GPU7
96.00.39.00.08
index=preos host IN(*) *CPLD* OR BMC OR SBIOS OR *nvme* OR "*GPU* PCISLOT*" host=*
| rex field=_raw "log-inventory.sh\[(?<id>[^\]]+)\]\:\s*(?<Component>[^\:]+)\:\s*(?<Hardware_Details>.*)"
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*CPLD\:\s*(?<Hardware>[^.*]+)"
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*BMC\:\s*version\:\s*(?<Hardware1>[^\,]+)"
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*SBIOS\s*version\:\s*(?<Hardware2>[^ ]+)"
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*nvme\d*\:.*FW\:\s*(?<Hardware3>[^ ]+)"
| rex field=_raw "VBIOS\:\s*(?<Hardware4>[^\,]+)"
| eval output = mvappend(Hardware, Hardware1,Hardware2,Hardware3,Hardware4)
| replace BMC WITH "BMC and AUX" in Component
| table Component output host _time
| sort Component
| dedup Component
| fields - _time | eval from="search"
| append [| inputlookup component.csv
| table Component output
| eval from="lookup"]
| stats values(from) as from values(host) as host by Component output
| where mvcount(from)=1 AND from="search"
... View more
10-26-2022
11:21 AM
Yes I only see two events per transaction which has start and end but dont see any events like below 2022-10-21T20:15:16.914838-07:00 xyz kernel: [52023.042550] NVRM: Xid (PCI:): 119, pid=16378, name=cache_mgr_main, Timeout waiting for RPC from GSP! Expected function 76 (GSP_RM_CONTROL) (0x20808513 0x598). 2022-10-21T20:13:46.890841-07:00 xyz kernel: [51933.011964] NVRM: Xid (PCI:): 119, pid=16378, name=cache_mgr_main, Timeout waiting for RPC from GSP! Expected function 76 (GSP_RM_CONTROL) (0x20808513 0x598). 2022-10-21T20:12:16.866833-07:00 xyz kernel: [51842.981401] NVRM: Xid (PCI:): 119, pid=16378, name=cache_mgr_main,
... View more
10-26-2022
09:50 AM
I dont have specific identifier to match it...But I am looking get all the events between them and then a calculation on them
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-06-2023
02:14 PM
|
Karma from
