cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
runiyal
Path Finder
Member since: ‎10-13-2015
‎10-04-2023
Community Statistics
Posts 56
Solutions 0
Karma Given 1
Karma Received 2
Member Since ‎10-13-2015
Activity Feed
Topics I've Started
View All

Re: How to search and report based on presence or ...

by in Splunk Search
‎10-04-2023 07:18 AM
‎10-04-2023 07:18 AM
Thanks Rick. | eval account=if(account=="verified","verified","unverified") | stats count by account Although data is there for both "verified" and "unverified" but I am getting result only for "unverified" (whatever is in the ELSE). Any reason that you can think of this behavior?   ... View more

How to search and report based on presence or lack...

by in Splunk Search
‎10-02-2023 10:56 AM
‎10-02-2023 10:56 AM
Have following data in the logfile    {xxxx},{"GUID":"5561859B8D624FFC8FF0B87219060DC5"} {xxxx},{"GUID":"5561859B8D624FFC8FF0B87219060DC6","account":"verified"} {xxxx},{"GUID":"5561859B8D624FFC8FF0B87219060DC7","account":"unverified"} {xxxx},{"GUID":"5561859B8D624FFC8FF0B87219060DC8","account":"verified"} {xxxx},{"GUID":"5561859B8D624FFC8FF0B87219060DC9"}   Need Report like the following so that I should get the count of "verified" where it is explicitly mentioned otherwise it should show under "unverified" -   Type Count Verified 2 Unverified 3   How can we achieve this. Will appreciate your inputs! ... View more

Re: How to search and create table report?

by in Splunk Search
‎04-11-2023 11:27 AM
‎04-11-2023 11:27 AM
I tried to run the following query. Although it runs with 20K events but its not generating output in the table. index=yourinndex "OTPViewController" | rex "(?ms)OTPViewController:(?<session>http-nio-8080-exec-\d+).*?Policy Number\. (?<PolicyNumber>[^\n]+)\n.*?Email\. (?<Email>[^\n]+)\n.*?Address\. (?<Address>[^\n]+)\n.*?Amount Number \. (?<AmountNumber>[^\n]+)\n.*?Pmt Amount \. (?<PmtAmount>[^\n]+)\n" | stats values(*) as * by session | table PolicyNumber, Email, Address, AmountNumber, PmtAmount Can you tell what can be the issue here?   ... View more

How to search and create table report?

by in Splunk Search
‎04-05-2023 12:15 PM
‎04-05-2023 12:15 PM
I have a logfile with information like this - 2023-04-05 13:54:17.259 INFO [http-nio-8080-exec-117][OTPViewController:206] The list of the form bean for Kubra 2023-04-05 13:54:17.260 INFO [http-nio-8080-exec-117][OTPViewController:207] Payment Request ID for debug the Kubra payment. DanBkDg981 2023-04-05 13:54:17.260 INFO [http-nio-8080-exec-117][OTPViewController:208] Amount Number . 00902418 2023-04-05 13:54:17.260 INFO [http-nio-8080-exec-117][OTPViewController:209] Policy Number. 05349531 2023-04-05 13:54:17.261 INFO [http-nio-8080-exec-117][OTPViewController:210] Address. 2912 9TH ST W 2023-04-05 13:54:17.261 INFO [http-nio-8080-exec-117][OTPViewController:211] Email. test@aol.com 2023-04-05 13:54:17.262 INFO [http-nio-8080-exec-117][OTPViewController:212] Pmt Amount . 999.00 2023-04-05 13:54:17.262 INFO [http-nio-8080-exec-117][OTPViewController:213] Pmt Date . 05012023I Need a report in table format for these columns:     "RequestID" "Policy Number" "Email" "Address" "Amount Number" "Pmt Amount" "Pmt Date"     We can search based on the keyword "OTPViewController" and should look for consecutive thread number "http-nio-8080-exec-117" and extraction of value should start from the keyword and the dot "." Will appreciate your feedback and time. ... View more
Labels

Re: Get the search report of a value

by in Splunk Search
‎02-24-2023 11:16 AM
‎02-24-2023 11:16 AM
Just trying to extract the field. ... View more

How to get the search report of a value?

by in Splunk Search
‎02-23-2023 05:45 PM
‎02-23-2023 05:45 PM
In the log there are events like - {"submitterType":"Others","SubID":"App_4-45887-02232023"} {"submitterType":"Others","SubID":"App_5-45892-02232023"}   I want a report showing - App_4-45887-02232023 App_5-45892-02232023   Thanks! ... View more
Labels

Re: Searching between two lines

by in Splunk Search
‎01-12-2023 10:51 AM
‎01-12-2023 10:51 AM
Thanks Giuseppe.. I have to extract the docID field too. ... View more

How to search between two lines?

by in Splunk Search
‎01-12-2023 08:34 AM
‎01-12-2023 08:34 AM
Hello All, I have following lines in the log file -   Server8 runiyal 2023-01-12 09:48:41,880 INFO Plugin.DOCUMENT Bytes size from input stream : 2072823 server8 runiyal 2023-01-12 09:48:41,978 INFO Plugin.DOCUMENT File size after upload to temp folder: 2072823 server8 runiyal 2023-01-12 09:48:43,391 SUCCESS Plugin.DOCUMENT File size after notifying the docrepo : 2072823   I want to - 1. Search for the DocID in the end <2072823>; It should have SUCCESS written in line. (Line3) 2. It should then look at the above line with string "from input stream" for the same DocID (Line 1) 3. Reduce the timestamp from SUCCESS line (3) to the timestamp in line with the text "from input stream" (Line 1) - Result will be in seconds 4. Result should be in two columns: "DocID" and "Time Taken" (4) Will appreciate your inputs on how this can be achieved. Thanks! ... View more
Labels

Re: Merge two query resultsets

by in Splunk Search
‎06-19-2022 08:44 AM
‎06-19-2022 08:44 AM
must be missing our something in the syntax but if I just use the OR between two searches like below I am getting Error in 'search' command: Unable to parse the search: unbalanced parentheses. (<my search 1> OR <my search 2>)  I have provided the complete search command above in reply to Renjith. ... View more

Re: Merge two query resultsets

by in Splunk Search
‎06-19-2022 08:35 AM
‎06-19-2022 08:35 AM
Here is the updated Query which actual use of REX/EVAL/CASE/STATS in it: (index="myindex" "*upload succeeded" OR "*streaming succeeded" NOT "source" | rex ".*SIZE=(?<sizeKB>\d+\.\d+)" | stats sum(eval(sizeKB/1024/1024)) AS Size count | eval App="Upload-Manual") OR (index="myindex" "*upload succeeded" OR "*streaming succeeded" | rex "source=(?<App>[^,]+)." | rex "system=(?<App>[^,]+)." | eval App = case(App="FB","App1",App="TWTR","App2",App="Salesforce","App3",App="SAP","App3",App="Oracle","App3") | rex ".*SIZE=(?<sizeKB>\d+\.\d+)" | stats sum(eval(sizeKB/1024/1024)) AS Size Count by App) | table App Size Count | addcoltotals   I am getting following error -  Error in 'search' command: Unable to parse the search: unbalanced parentheses.   Thanks! ... View more

How to Merge two query resultsets?

by in Splunk Search
‎06-17-2022 12:14 PM
‎06-17-2022 12:14 PM
I have two Searches and following are its result individually - index="myindex" <my search 1> | table App Size Count App  Size  Count App1 5GB   100 App2 100GB 10000 index=myindex" <my search 2> | table App Size Count App  Size Count App3 15GB 1500 Now I want to run a report that shows result of all Apps (1 to 3) together. So, I used append. index="myindex" <my search 1> | table App Size Count | append [search index=myindex" <my search 2> | table App Size Count] | addcoltotals But when I used it, I didn't get the complete result. "Size" column is showing different value. Something like this - App  Size  Count App1 5GB   100 App2 100GB 10000 App3 7GB   720 What should be used to get the complete resultset as we got for each search. Best way to merge two query resultsets.   Thanks! ... View more
Labels

Re: Splunk Report after keyword

by in Splunk Search
‎09-11-2021 06:09 PM
‎09-11-2021 06:09 PM
Thanks a lot, it worked! ... View more

Re: Splunk Report after keyword

by in Splunk Search
‎09-11-2021 12:17 PM
‎09-11-2021 12:17 PM
Only command not working is - | replace "T" with " " in Time Still in the result I am seeing - 2021-09-11T11:01:19 ... View more

Re: Splunk Report after keyword

by in Splunk Search
‎09-11-2021 10:52 AM
‎09-11-2021 10:52 AM
Yes,  anything thats after "interested in all events which contain the string". When I search with -   index="foo" | rex "(?<time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3}).*\Problem creating batch from the downloaded mail with subject: (?<subject>.*)" then I am getting following error - Error in 'rex' command: Encountered the following error while compiling the regex '(?<time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3}).*\Problem creating batch from the downloaded mail with subject: (?<subject>.*)': Regex: unknown property name after \P or \p.   But if I put a space between *\ and Problem, then it is providing all the rows, even without the even I am looking for and not in a tabular form. ... View more

Splunk Report after keyword

by in Splunk Search
‎09-11-2021 08:38 AM
‎09-11-2021 08:38 AM
I have following events in the log. Although there are lot of rows in it but I interested in these rows only and in extracting "time: and anything after "subject:"     --- 2020.1.02 Windows Server 2016 2021-09-11T11:01:19,865 ERROR pool-11-thread-3 Problem creating batch from the downloaded mail with subject: RE: Hello this is first email --- 2020.1.02 Windows Server 2016 2021-09-11T11:01:19,865 ERROR pool-11-thread-3 Problem creating batch from the downloaded mail with subject: Re: Hello this is second email --- 2020.1.02 Windows Server 2016 2021-09-11T11:01:19,865 ERROR pool-11-thread-3 Problem creating batch from the downloaded mail with subject: Re: Hello this is third email ---     So need to a create a report like this - Time Subject 2016 2021-09-11 11:01:19 RE: Hello this is first email 2016 2021-09-11 11:01:21 Re: Hello this is second email 2016 2021-09-11 11:01:22 Re: Hello this is third email   Thanks! ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎10-04-2023 12:23 PM
Karma from
View All
Karma given to
View All