Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About slipinski
slipinski
Loves-to-Learn Lots
Member since:
07-10-2018
03-15-2021
Community Statistics
| Posts | 24 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 07-10-2018 |
Activity Feed
- Posted Re: How to split access.log data on Getting Data In. 03-09-2021 06:29 AM
- Posted How to split access.log data on Getting Data In. 03-03-2021 05:31 AM
- Tagged How to split access.log data on Getting Data In. 03-03-2021 05:31 AM
- Tagged How to split access.log data on Getting Data In. 03-03-2021 05:31 AM
- Posted SNMP polling get data of OID in Splunk cloud instance on All Apps and Add-ons. 01-12-2021 01:00 PM
- Tagged SNMP polling get data of OID in Splunk cloud instance on All Apps and Add-ons. 01-12-2021 01:00 PM
- Tagged SNMP polling get data of OID in Splunk cloud instance on All Apps and Add-ons. 01-12-2021 01:00 PM
- Posted Re: Issue with parsing Json data on Getting Data In. 11-30-2020 11:12 PM
- Posted Issue with parsing Json data on Getting Data In. 11-30-2020 01:46 PM
- Posted Re: How to display count from last week and avg from last month on one timechart on Splunk Search. 05-20-2020 01:24 AM
- Posted Re: How to display count from last week and avg from last month on one timechart on Splunk Search. 05-18-2020 01:37 PM
- Posted Re: How to display count from last week and avg from last month on one timechart on Splunk Search. 05-18-2020 06:56 AM
- Posted How to display count from last week and avg from last month on one timechart on Splunk Search. 05-18-2020 02:29 AM
- Tagged How to display count from last week and avg from last month on one timechart on Splunk Search. 05-18-2020 02:29 AM
- Tagged How to display count from last week and avg from last month on one timechart on Splunk Search. 05-18-2020 02:29 AM
- Posted Re: eval round on Splunk Search. 05-11-2020 02:23 AM
- Posted Re: eval round on Splunk Search. 05-11-2020 02:08 AM
- Posted eval round on Splunk Search. 05-11-2020 01:40 AM
- Tagged eval round on Splunk Search. 05-11-2020 01:40 AM
- Tagged eval round on Splunk Search. 05-11-2020 01:40 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
03-09-2021
06:29 AM
Hi manjunathmeti, Thanks for your effort. Your query extracts field1 correctly, but field2 is empty. No idea why.
... View more
03-03-2021
05:31 AM
Hello Splunkers, I've got a problem with data splitting. I would like to split data into separate lines. Please take a look at my data: 10.62.19.11 - - [03/Mar/2021:12:49:02 +0100] "POST /api/setModernServices HTTP/1.1" 200 1315 0.154 0.148 "http://10.69.10.170/radio/web/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36" "{header:{id:0},data:{entries:[{scheduleInfo:{type:once,startTimestamp:1614772142364,endTimestamp:8999999999000},serviceDefinition:{descriptor:{label:,desc:},dests:[{destId:virtual.46.0.33,destName:}],groupOrder:1,profileId:7637a321-8628-47d3-92e8-5fd85b54aa6b,skipReuseJoinId:true,routing:p2mp,srcId:virtual.96.0.58,tags:[LastOnAirId:null,EmerOnAirId:null],type:connection,force:true}},{scheduleInfo:{type:once,startTimestamp:1614772142364,endTimestamp:8999999999000},serviceDefinition:{descriptor:{label:,desc:},dests:[{destId:virtual.46.0.3,destName:}],groupOrder:1,profileId:7637a321-8628-47d3-92e8-5fd85b54aa6b,skipReuseJoinId:true,routing:p2mp,srcId:virtual.96.0.39,tags:[LastOnAirId:null,EmerOnAirId:null],type:connection,force:true}},{scheduleInfo:{type:once,startTimestamp:1614772142364,endTimestamp:8999999999000},serviceDefinition:{descriptor:{label:,desc:},dests:[{destId:virtual.46.0.7,destName:}],groupOrder:1,profileId:7637a321-8628-47d3-92e8-5fd85b54aa6b,skipReuseJoinId:true,routing:p2mp,srcId:virtual.96.0.39,tags:[LastOnAirId:null,EmerOnAirId:null],type:connection,force:true}},{scheduleInfo:{type:once,startTimestamp:1614772142364,endTimestamp:8999999999000},serviceDefinition:{descriptor:{label:,desc:},dests:[{destId:virtual.46.0.18,destName:}],groupOrder:1,profileId:7637a321-8628-47d3-92e8-5fd85b54aa6b,skipReuseJoinId:true,routing:p2mp,srcId:virtual.96.0.39,tags:[LastOnAirId:null,EmerOnAirId:null],type:connection,force:true}},{scheduleInfo:{type:once,startTimestamp:1614772142364,endTimestamp:8999999999000},serviceDefinition:{descriptor:{label:,desc:},dests:[{destId:virtual.46.0.8,destName:}],groupOrder:1,profileId:7637a321-8628-47d3-92e8-5fd85b54aa6b,skipReuseJoinId:true,routing:p2mp,srcId:virtual.96.0.39,tags:[LastOnAirId:null,EmerOnAirId:null],type:connection,force:true}},{scheduleInfo:{type:once,startTimestamp:1614772142364,endTimestamp:8999999999000},serviceDefinition:{descriptor:{label:,desc:},dests:[{destId:virtual.46.0.21,destName:}],groupOrder:1,profileId:7637a321-8628-47d3-92e8-5fd85b54aa6b,skipReuseJoinId:true,routing:p2mp,srcId:virtual.96.0.58,tags:[LastOnAirId:null,EmerOnAirId:null],type:connection,force:true}},{scheduleInfo:{type:once,startTimestamp:1614772142364,endTimestamp:8999999999000},serviceDefinition:{descriptor:{label:,desc:},dests:[{destId:virtual.46.0.30,destName:}],groupOrder:1,profileId:7637a321-8628-47d3-92e8-5fd85b54aa6b,skipReuseJoinId:true,routing:p2mp,srcId:virtual.96.0.57,tags:[LastOnAirId:null,EmerOnAirId:null],type:connection,force:true}},{scheduleInfo:{type:once,startTimestamp:1614772142364,endTimestamp:8999999999000},serviceDefinition:{descriptor:{label:,desc:},dests:[{destId:virtual.46.0.20,destName:}],groupOrder:1,profileId:7637a321-8628-47d3-92e8-5fd85b54aa6b,skipReuseJoinId:true,routing:p2mp,srcId:virtual.96.0.39,tags:[LastOnAirId:null,EmerOnAirId:null],type:connection,force:true}},{scheduleInfo:{type:once,startTimestamp:1614772142364,endTimestamp:8999999999000},serviceDefinition:{descriptor:{label:,desc:},dests:[{destId:virtual.46.0.29,destName:}],groupOrder:1,profileId:7637a321-8628-47d3-92e8-5fd85b54aa6b,skipReuseJoinId:true,routing:p2mp,srcId:virtual.96.0.58,tags:[LastOnAirId:null,EmerOnAirId:null],type:connection,force:true}},{scheduleInfo:{type:once,startTimestamp:1614772142364,endTimestamp:8999999999000},serviceDefinition:{descriptor:{label:,desc:},dests:[{destId:virtual.46.0.41,destName:}],groupOrder:1,profileId:7637a321-8628-47d3-92e8-5fd85b54aa6b,skipReuseJoinId:true,routing:p2mp,srcId:virtual.96.0.58,tags:[LastOnAirId:null,EmerOnAirId:null],type:connection,force:true}},{scheduleInfo:{type:once,startTimestamp:1614772142364,endTimestamp:8999999999000},serviceDefinition:{descriptor:{label:,desc:},dests:[{destId:virtual.46.0.23,destName:}],groupOrder:1,profileId:7637a321-8628-47d3-92e8-5fd85b54aa6b,skipReuseJoinId:true,routing:p2mp,srcId:virtual.96.0.58,tags:[LastOnAirId:null,EmerOnAirId:null],type:connection,force:true}},{scheduleInfo:{type:once,startTimestamp:1614772142364,endTimestamp:8999999999000},serviceDefinition:{descriptor:{label:,desc:},dests:[{destId:virtual.46.0.42,destName:}],groupOrder:1,profileId:7637a321-8628-47d3-92e8-5fd85b54aa6b,skipReuseJoinId:true,routing:p2mp,srcId:virtual.96.0.58,tags:[LastOnAirId:null,EmerOnAirId:null],type:connection,force:true}},{scheduleInfo:{type:once,startTimestamp:1614772142364,endTimestamp:8999999999000},serviceDefinition:{descriptor:{label:,desc:},dests:[{destId:virtual.46.0.43,destName:}],groupOrder:1,profileId:7637a321-8628-47d3-92e8-5fd85b54aa6b,skipReuseJoinId:true,routing:p2mp,srcId:virtual.96.0.58,tags:[LastOnAirId:null,EmerOnAirId:null],type:connection,force:true}},{scheduleInfo:{type:once,startTimestamp:1614772142364,endTimestamp:8999999999000},serviceDefinition:{descriptor:{label:,desc:},dests:[{destId:virtual.46.0.24,destName:}],groupOrder:1,profileId:7637a321-8628-47d3-92e8-5fd85b54aa6b,skipReuseJoinId:true,routing:p2mp,srcId:virtual.96.0.58,tags:[LastOnAirId:null,EmerOnAirId:null],type:connection,force:true}},{scheduleInfo:{type:once,startTimestamp:1614772142364,endTimestamp:8999999999000},serviceDefinition:{descriptor:{label:,desc:},dests:[{destId:virtual.46.0.44,destName:}],groupOrder:1,profileId:7637a321-8628-47d3-92e8-5fd85b54aa6b,skipReuseJoinId:true,routing:p2mp,srcId:virtual.96.0.58,tags:[LastOnAirId:null,EmerOnAirId:null],type:connection,force:true}},{scheduleInfo:{type:once,startTimestamp:1614772142364,endTimestamp:8999999999000},serviceDefinition:{descriptor:{label:,desc:},dests:[{destId:virtual.46.0.39,destName:}],groupOrder:1,profileId:7637a321-8628-47d3-92e8-5fd85b54aa6b,skipReuseJoinId:true,routing:p2mp,srcId:virtual.96.0.58,tags:[LastOnAirId:null,EmerOnAirId:null],type:connection,force:true}},{scheduleInfo:{type:once,startTimestamp:1614772142364,endTimestamp:8999999999000},serviceDefinition\x I want to have data split like below: 10.62.19.11 - - [03/Mar/2021:12:49:02 +0100] type:once,startTimestamp:1614772142364,endTimestamp:8999999999000},serviceDefinition:{descriptor:{label:,desc:},dests:[{destId:virtual.46.0.33,destName:}],groupOrder:1,profileId:7637a321-8628-47d3-92e8-5fd85b54aa6b,skipReuseJoinId:true,routing:p2mp,srcId:virtual.96.0.58,tags:[LastOnAirId:null,EmerOnAirId:null],type:connection,force:true
10.62.19.11 - - [03/Mar/2021:12:49:02 +0100]
type:once,startTimestamp:1614772142364,endTimestamp:8999999999000},serviceDefinition:{descriptor:{label:,desc:},dests:[{destId:virtual.46.0.3,destName:}],groupOrder:1,profileId:7637a321-8628-47d3-92e8-5fd85b54aa6b,skipReuseJoinId:true,routing:p2mp,srcId:virtual.96.0.39,tags:[LastOnAirId:null,EmerOnAirId:null],type:connection,force:true I suppose I need to use mvexpand in combination with static regex, but I cannot find correct formula. Could you help please.
... View more
Labels
- Labels:
-
field extraction
01-12-2021
01:00 PM
Hello, Is there any possibility to pool SNMP data in cloud environment? Can I use UF to make a queries for particular OID? Do I need to run SNMP Modular input add-on on UF? thanks in advance, Szymon
... View more
Labels
- Labels:
-
configuration
-
installation
-
troubleshooting
11-30-2020
11:12 PM
I would rather use index-time parsing. Honestly speaking I'm not very familiar with "spath" command. Could it help with parsing, even though line _breaker isn't correct?
... View more
11-30-2020
01:46 PM
Hello Splunkers, I'm facing problem with correct parsing json data. Splunk correctly recognizes data as json sourced, but with default settings, it cannot parse data correctly. It creates fields like: 3b629fbf-be6c-4806-8ceb-1e2b196b6277.currentUtilisation or device31.1.127.out::device54.1.87.in.currentUtilisation. As the main field is irregular I don't know how to set line_breaker which is the most likely main cause of the problem. Can I count on your help? A chunk of the input file is below. {
"device31.1.127.out::device54.1.87.in": {
"currentUtilisation": 0.0,
"enabled": true,
"from": "device31.1.127.out",
"hasBookings": false,
"id": "device31.1.127.out::device54.1.87.in",
"isActive": false,
"name": "Adam",
"props": {
"bandwidth": 90000.0,
"conflictPri": 1,
"description": ""
},
"to": "device54.1.87.in",
"usage": {
"bookings": [],
"id": "device31.1.127.out::device54.1.87.in"
}
},
"device49.1.117.out::device34.1.69.in": {
"currentUtilisation": 0.0,
"enabled": true,
"from": "device49.1.117.out",
"hasBookings": false,
"id": "device49.1.117.out::device34.1.69.in",
"isActive": false,
"name": "Barek",
"props": {
"bandwidth": 90000.0,
"conflictPri": 1,
"description": ""
},
"to": "device34.1.69.in",
"usage": {
"bookings": [],
"id": "device49.1.117.out::device34.1.69.in"
}
},
"3b629fbf-be6c-4806-8ceb-1e2b196b6277": {
"currentUtilisation": 0.0,
"enabled": true,
"from": "device38.1.93.out",
"hasBookings": false,
"id": "3b629fbf-be6c-4806-8ceb-1e2b196b6277",
"isActive": false,
"name": "Cezary",
"props": {
"bandwidth": 90000.0,
"conflictPri": 1,
"description": ""
},
"to": "device441.1.89.in",
"usage": {
"bookings": [],
"id": "3b629fbf-be6c-4806-8ceb-1e2b196b6277"
}
},
"87725874-f760-4e37-9421-168506a05573": {
"currentUtilisation": 0.0,
"enabled": true,
"from": "device21.1.75.out",
"hasBookings": false,
"id": "87725874-f760-4e37-9421-168506a05573",
"isActive": false,
"name": "Darek",
"props": {
"bandwidth": 90000.0,
"conflictPri": 1,
"description": ""
},
"to": "device61.1.97.in",
"usage": {
"bookings": [],
"id": "87725874-f760-4e37-9421-168506a05573"
}
}
}
... View more
Labels
- Labels:
-
JSON
05-20-2020
01:24 AM
Odd output 🙂 Displays last_mon_flag instead mon_avg_count.
_time week_count last_mon_flag
1 2020-04-25 3 0
2 2020-04-27 58 0
3 2020-05-01 1 0
4 2020-05-04 1 0
5 2020-05-06 1 0
6 2020-05-08 68 0
7 2020-05-13 1 0
8 2020-05-15 11 0
9 2020-05-16 3 0
10 2020-05-19 1 0
... View more
05-18-2020
01:37 PM
Thanks, but it doesn't work correctly. Displays only week_count result, but mon_avg_count is empty. If change function from avg to count for (eval(if(last_mon_flag=1,_raw,""))) I receive the same result as for count(eval(if(last_week_flag=1,_raw,""))).
... View more
05-18-2020
06:56 AM
Thanks. This below gives me cycles per a weekday. Could you point me how to make 30 daily average as a reference point to daily data? I got now:
Dayweek AvgPerDayWeek DailyCount
1 - Mon 10402.75 3730
2 - Tue 9209.75 3237
3 - Wed 1073 3194
4 - Thu 3688.75 13892
and would like to have:
Format
Preview
Dayweek AvgPerDayWeek DailyCount
1 - Mon 10340.32 3730
2 - Tue 10340.32 3237
3 - Wed 10340.32 3194
4 - Thu 10340.32 13892
Maybe subsearch together with eventstats command will be more useful?
index="abc" sourcetype=alarms_log earliest=-30d@d latest=@d
| timechart count span=1d AS dailycount
| eval Dayweek=strftime(_time,"%w - %a")
| stats avg(dailycount) AS AvgPerDayWeek by Dayweek
| join Dayweek
[search index="abc" sourcetype=alarms_log earliest=-7d@d latest=-1d@d
| timechart span=1d count as DailyCount
| eval Dayweek=strftime(_time,"%w - %a") ]
... View more
05-18-2020
02:29 AM
I'm trying to plot count of errors from last week per day and daily average value from month. The result from query below gives me only result from Monday (other dayweeks are missing). What did I wrong?
avg(count) DailyCount Dayweek
6903.6 3730 1 - Mon
index="abc" sourcetype=alarms_log earliest=-30d@d latest=@d
| bucket _time span=1day
| stats count by _time | stats avg(count)
| join
[search index="abc" sourcetype=alarms_log earliest=-7d@d latest=-1d@d
| timechart span=1d count as DailyCount
| eval Dayweek=strftime(_time,"%w - %a") ]
regards,
Szymon
... View more
05-11-2020
01:40 AM
Hi all,
During evaluating round I got the error:
| stats avg(duration) AS "booking average time" by hours
| eval "booking average time"=round("booking average time",2)
Error in 'eval' command: The arguments to the 'round' function are invalid.
Any ideas? Using inline search gives me the same result.
thanks
Szymon
... View more
05-05-2020
11:55 AM
@to4kawa Thank you for your help. I'm in your dept.
I'm using the query below to calculate booking time per connection and average time from desired time period.
| stats range(eval(if(searchmatch("ncreations:") OR searchmatch("Config success!"),_time,NULL))) as duration by id
| where id!=0
| stats avg(duration)
It works perfecty.
I also tried to estimate this by using bucket command
bucket _time span=1h | stats avg(duration)
but it failed, because I had used _time value in command range. I can't use also timechart avg(duration), because of the same reason.
I guess I have to bind timestamp to "id" . Am I right?
regards,
Szymon
... View more
05-05-2020
11:05 AM
Correct me if I'm wrong, but your query will extract fields after "removed" string and I would like to extract fields before it.
... View more
05-05-2020
08:31 AM
Hi,
I'm using expression: (?ms)book.(?\d{7}-\d) to extract some numbers from this input (thanks @to4kawa ) :
" new contributors: Set(book.1272473-1, book.1272472-1, book.1272477-1), removed contributors: Set(book.1271398-1, book.1271397-1)".
This gives me all 5 numbers (1272473, 1272472, 1272477, 1271398, 1271397), but I'm interested only in numbers before keyword "removed" (1272473, 1272472, 1272477). Please bear in mind, there could be from 1 to 5 strings in "new contribution" section and I would like to extract all of them.
Thanks is advance,
Szymon
... View more
- Tags:
- rex
04-15-2020
08:30 AM
Thank you! It works well here, but unfortunately it doesn't on live data. Probably because I provided you with only piece of data related to particular ID. I will try to tweak it.
... View more
04-15-2020
03:25 AM
Yes, it is 🙂
I've created the query to compare time of first and last events (\ncreations and Config success) accordingly related to particular connection 1236363. I don't want to have ncancellations1236363 in this comparison, that's why I'm using "\ncancellations:$ID$ statement in the query
"2020-04-15 12:17:17,046 backend_7.2.15: INFO services/ConnectionManagerService(backend): \ncreations: \nupdates: \ncancellations: 1236363-1"
"2020-04-15 11:49:23,844 backend_7.2.15: INFO services/ConfigurationManagerService(backend): Successfully applied config for 10.51.128.132.1.90000/igmpPortConfig! (Config success!). New contributors: Set(book.1236363-1), removed contributors: Set(book.1235337-1)."
"2020-04-15 11:49:23,800 backend_7.2.15: INFO services/ConfigurationManagerService(backend): Successfully applied config for 10.51.128.142.SwitchingCore/openflowConfig! (Config success!). New contributors: Set(book.1236363-1), removed contributors: Set(book.1235337-1)."
"2020-04-15 11:49:23,753 backend_7.2.15: INFO services/ConfigurationManagerService(backend): ControlledVertexFSM@10.51.128.132.SwitchingCore/rpfPortConfig: New config retrieved by Root state with delay None, new contributors: Set(book.1236363-1), removed contributors: Set(book.1235337-1)"
"2020-04-15 11:49:23,751 backend_7.2.15: INFO services/ConfigurationManagerService(backend): ControlledVertexFSM@10.51.128.140.SwitchingCore/openflowConfig: New config retrieved by Root state with delay None, new contributors: Set(book.1236363-1), removed contributors: Set(book.1235337-1)"
"2020-04-15 11:49:23,749 backend_7.2.15: INFO services/ConfigurationManagerService(backend): ControlledVertexFSM@10.51.128.132.1.90000/igmpPortConfig: New config retrieved by Root state with delay None, new contributors: Set(book.1236363-1), removed contributors: Set(book.1235337-1)"
"2020-04-15 11:49:23,749 backend_7.2.15: INFO services/ConfigurationManagerService(backend): ControlledVertexFSM@10.51.128.142.SwitchingCore/openflowConfig: New config retrieved by Root state with delay None, new contributors: Set(book.1236363-1), removed contributors: Set(book.1235337-1)"
"2020-04-15 11:49:23,696 backend_7.2.15: INFO services/VirtualRoutingService(backend): Crosspoints changed: l78: 114 -> 35 (booking = 1236363-1)), l0: 114 -> 35 (booking = 1236363-1)), "
Show syntax highlighted
"2020-04-15 11:49:23,686 backend_7.2.15: INFO services/RedundancyControllerService(backend): redctl-1236363-1: Controller is started for booking with gpid = 100:book.1236363-1"
"2020-04-15 11:49:23,680 backend_7.2.15: INFO services/PathManagerService(backend): Booking 1236363-1(p2mp_join): 10.51.128.80.1.90202 -> 10.51.128.75.1.1000203 Success"
Show syntax highlighted
"2020-04-15 11:49:23,541 backend_7.2.15: INFO services/PathManagerService(backend): Update service1236363-1: <10.51.128.80.1.90202> => <10.51.128.75.1.1000203> 2020-04-15T11:49:23.538+02:00 -> 2038-01-19T04:14:07.000+01:00"
"2020-04-15 11:49:23,538 backend_7.2.15: INFO services/ConnectionManagerService(backend): \ncreations: 1236363\nupdates: \ncancellations: 1235337-1"
... View more
04-15-2020
03:08 AM
Thanks. It works fine with map search like below
map maxsearches=10 search="search host="X" source="Y" $ID$
but if I elaborate this query with more filters like
map maxsearches=10 search="search host=X" source="Y" ("\ncreations" OR "new contributors: Set(book.$ID$)") AND $ID$ NOT "\ncancellations:$ID$" "*
it doesn't. I works of course if running a separate search with static parameter instead of variable $ID$. Do I need any special characters as I'm using * as argument for "any" and "\" symbol in search?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-15-2021
01:11 PM
|
