cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
tread_splunk
Splunk Employee
Member since: ‎12-16-2015
a month ago
Community Statistics
Posts 65
Solutions 8
Karma Given 2
Karma Received 15
Member Since ‎12-16-2015
Activity Feed
View All

Re: Display fields with different values only betw...

by Splunk Employee in Splunk Search
‎11-05-2021 11:07 AM
‎11-05-2021 11:07 AM
Adapting the solution provided by @ITWhisperer to provide Desired Outcome 1. | makeresults | eval _raw="product color product_id description1 description2 description3 description4 phone blue tag_1 pass pass fail phone blue tag_2 fail pass pass fail" | multikv forceheader=1 | fields - _* linecount | eval pKey=product.":".color.":".product_id | fields - product color product_id | transpose 0 | eval same=if('row 1'=='row 2',"same","different") | where same="different" | fields - same | transpose 0 header_field=column | rex field=pKey "^(?<product>.*):(?<color>.*):(?<product_id>.*)" | fields - column pKey ... View more

Re: calculate send response duration

by Splunk Employee in Splunk Search
‎11-04-2021 06:19 AM
1 Karma
‎11-04-2021 06:19 AM
1 Karma
@indeed_2000  Its not very pretty.  And requires extensive testing.   | makeresults | eval temp="2021-07-15 00:00:01,800 INFO CUST.InAB-ServerApp-1234567 [MyService] Normal Packet Received: A[50] B[0000211] 2021-07-15 00:00:01,800 INFO CUST.InAB-ServerApp-1234567 [MyService] Packet Processed: A[50] B[0000211] 2021-07-15 00:00:11,719 INFO CUST.VqPO-Oracle7-9876543_CUST.InAB-ServerApp-1234567 [MyService] Normal Packet Received: A[55] B[0000211] 2021-07-15 00:00:11,719 INFO CUST.VqPO-Oracle7-9876543_CUST.InAB-ServerApp-1234567 [MyService] Packet Processed: A[55] B[0000211] 2021-07-15 00:00:01,894 INFO MNBV.ZaQW-ChatCXZ-1478523 [MyService] Normal Packet Received: A[70] B[0000369] 2021-07-15 00:00:01,894 INFO MNBV.ZaQW-ChatCXZ-1478523 [MyService] Packet Processed: A[70] B[0000369] 2021-07-15 00:00:01,893 INFO ABCD.DaQW-ParityGQQ-1231234 [MyService] Normal Packet Received: A[60] B[0000465] 2021-07-15 00:00:01,893 INFO ABCD.DaQW-ParityGQQ-1231234 [MyService] Packet Processed: A[60] B[0000456] 2021-07-15 00:00:11,720 INFO EFGH.GaXZ-Carry2-3456789_ABCD.DaQW-ParityGQQ-1231234 [MyService] Normal Packet Received: A[65] B[0000456] 2021-07-15 00:00:11,720 INFO EFGH.GaXZ-Carry2-3456789_ABCD.DaQW-ParityGQQ-1231234 [MyService] Packet Processed: A[65] B[0000456] " | makemv tokenizer="(.*)\n" temp | mvexpand temp | rex field=temp "^(?<timestamp>.{23}) INFO (?<customer>.*) \[MyService\] (?<status>.*): A\[(?<Acode>.*)\] B\[(?<Bcode>.*)\]" | fields - temp | rex field=customer "_(?<customer2>.*)" | eval customer2=coalesce(customer2,customer), customer=if(customer=customer2,null(),customer) | eval sendTime=if(status="Packet Processed",strptime(timestamp,"%Y-%m-%d %H:%M:%S,%3Q"),null()), receiveTime=if(status="Normal Packet Received",strptime(timestamp,"%Y-%m-%d %H:%M:%S,%3Q"),null()) | eval AcodeSend=if(status="Packet Processed",Acode,null()),BcodeSend=if(status="Packet Processed",Bcode,null()),AcodeReceive=if(status="Normal Packet Received",Acode,null()),BcodeReceive=if(status="Normal Packet Received",Bcode,null()) | eval AcodeReceiveLookFor=AcodeSend+5,acr=coalesce(AcodeReceive,AcodeReceiveLookFor) | fields - Acode _time timestamp status AcodeReceiveLookFor | stats values(*) as *,count by customer2,acr,Bcode | eval duration=receiveTime-sendTime , customer=coalesce(customer,customer2) | eval status=case(isnull(AcodeSend),"No Send",isnull(AcodeReceive),"No receive") | eventstats max(duration) as duration by customer2 | where count=2 OR (status="No receive" AND isnull(duration)) | eval status=coalesce(status,duration) | table customer status ... View more

Re: calculate send response duration

by Splunk Employee in Splunk Search
‎11-04-2021 04:20 AM
1 Karma
‎11-04-2021 04:20 AM
1 Karma
@indeed_2000  Still not sure why... ABCD.DaQW-ParityGQQ-1231234 no receive   ...is in the result.  Shouldn't it be the red one? i.e... 2021-07-15 00:00:01,894 INFO MNBV.ZaQW-ChatCXZ-1478523   [MyService] Packet Processed: A[ 70 ] B[ 0000369 ] ... View more

Re: calculate send response duration

by Splunk Employee in Splunk Search
‎11-04-2021 02:34 AM
‎11-04-2021 02:34 AM
@indeed_2000  Why is ... ABCD.DaQW-ParityGQQ-1231234 no receive   ...in the output? ... View more

Re: calculate send response duration

by Splunk Employee in Splunk Search
‎11-03-2021 06:47 AM
1 Karma
‎11-03-2021 06:47 AM
1 Karma
@indeed_2000  Your second green pair have different B codes. 465 vs 456.  This is a typo, correct? ... View more

Re: calculate send response duration

by Splunk Employee in Splunk Search
‎11-02-2021 01:50 PM
‎11-02-2021 01:50 PM
@indeed_2000 | makeresults | eval temp="2021-07-15 00:00:01,800 INFO CUST.InAB-ServerApp-1234567 [MyService] Packet Processed: A[50] B[0000211] 2021-07-15 00:00:01,893 INFO ABCD.DaQW-ParityGQQ-1231234 [MyService] Packet Processed: A[60] B[0000465] 2021-07-15 00:00:01,894 INFO MNBV.ZaQW-ChatCXZ-1478523 [MyService] Packet Processed: A[70] B[0000369] 2021-07-15 00:00:11,719 INFO CUST.VqPO-Oracle7-9876543_CUST.InAB-ServerApp-1234567 [MyService] Normal Packet Received: A[55] B[0000211] 2021-07-15 00:00:11,720 INFO EFGH.GaXZ-Carry2-3456789_ABCD.DaQW-ParityGQQ-1231234 [MyService] Normal Packet Received: A[65] B[0000465] " | makemv tokenizer="(.*)\n" temp | mvexpand temp | rex field=temp "^(?<timestamp>.{23}) INFO (?<customer>.*) \[MyService\] (?<status>.*): A\[(?<Acode>.*)\] B\[(?<Bcode>.*)\]" | fields - temp | rex field=customer "_(?<customer2>.*)" | eval customer2=coalesce(customer2,customer), customer=if(customer=customer2,null(),customer) | eval startTime=if(status="Packet Processed",strptime(timestamp,"%Y-%m-%d %H:%M:%S,%3Q"),null()), endTime=if(status="Normal Packet Received",strptime(timestamp,"%Y-%m-%d %H:%M:%S,%3Q"),null()) | eval AcodeStart=if(status="Packet Processed",Acode,null()),BcodeStart=if(status="Packet Processed",Bcode,null()),AcodeFinish=if(status="Normal Packet Received",Acode,null()),BcodeFinish=if(status="Normal Packet Received",Bcode,null()) | fields - Acode Bcode _time timestamp status | stats values(*) as * by customer2 | eval status=endTime-startTime , customer=coalesce(customer,customer2) | fields - startTime, endTime | fillnull value="no receive" status | where isnull(AcodeFinish) OR (AcodeFinish=AcodeStart+5 AND BcodeStart=BcodeFinish) | table customer status ... View more

Re: calculate send response duration

by Splunk Employee in Splunk Search
‎11-02-2021 08:29 AM
‎11-02-2021 08:29 AM
Most of this is fabricating data. | makeresults | eval temp="2021-07-15 00:00:01,800 INFO CUST.InAB-ServerApp-1234567 [MyService] Packet Processed: A[50] B[0000211] 2021-07-15 00:00:01,893 INFO ABCD.DaQW-ParityGQQ-1231234 [MyService] Packet Processed: A[60] B[0000465] 2021-07-15 00:00:01,894 INFO MNBV.ZaQW-ChatCXZ-1478523 [MyService] Packet Processed: A[70] B[0000369] 2021-07-15 00:00:11,719 INFO CUST.VqPO-Oracle7-9876543_CUST.InAB-ServerApp-1234567 [MyService] Normal Packet Received: A[55] B[0000211] 2021-07-15 00:00:11,720 INFO EFGH.GaXZ-Carry2-3456789_ABCD.DaQW-ParityGQQ-1231234 [MyService] Normal Packet Received: A[65] B[0000456] " | makemv tokenizer="(.*)\n" temp | mvexpand temp | rex field=temp "^(?<timestamp>.{23}) INFO (?<customer>.*) \[MyService\] (?<status>.*): (?<Acode>.*) (?<Bcode>.*)" | fields - temp | rex field=customer "_(?<customer2>.*)" | eval customer=coalesce(customer2,customer) | fields - customer2 | eval startTime=if(status="Packet Processed",strptime(timestamp,"%Y-%m-%d %H:%M:%S,%3Q"),null()) | eval endTime=if(status="Normal Packet Received",strptime(timestamp,"%Y-%m-%d %H:%M:%S,%3Q"),null()) | stats values(startTime) as startTime, values(endTime) as endTime by customer | eval status=endTime-startTime | fields - startTime, endTime | fillnull value="no receive" status ... View more

Re: Comparing Results from two seperate searches?

by Splunk Employee in Splunk Search
‎11-02-2021 03:36 AM
‎11-02-2021 03:36 AM
Thanks @avajax0 .  I do agree my solution, isn't as as elegant as the one posted by @somesoni2 , but I think mine might actually have performance advantages.  Suggesting this here in case anyone would like to comment.  The way I see it, in my example, the subquery returns a filter list which is applied to the DNS index. DNS might potentially have thousand of host names and hopefully the threat intelligence index will only have a hand full.  Therefore the subquery in my example could reduce the number of events fetched from the DNS index by an order of magnitude improving the overall performance of the query.  "Filter as early as possible" is a best practice rule I've heard repeated often.  Interested to hear any other opinions.  Good luck! ... View more

Re: Stats multiple sourcetypes showing unique fiel...

by Splunk Employee in Splunk Search
‎11-01-2021 08:16 AM
1 Karma
‎11-01-2021 08:16 AM
1 Karma
Stats values(sourcetype) values(Date) as date values(Username) values(Version) by number |mvexpand date ... View more

Re: Query when count is zero in Minute interval

by Splunk Employee in Splunk Search
‎11-01-2021 07:25 AM
‎11-01-2021 07:25 AM
@noman377 I've used my eventstats/streamstats/where technique previously but realised in this case it could be replaced with a stats latest command.  So here is a simplification of the solution.  The "list(count) as count" element is simply a way to see the series of values per pod from which you can verify that durInBadState is providing the correct result. index=_internal component="*" | rename component as pod | timechart span=1m count by pod partial=f limit=0 | untable _time pod count | sort pod _time | eval zeroInterval=if(count=0,1,0) ```zeroInterval is Boolean flag, true (1) when count is zero ``` | streamstats sum(zeroInterval) as durInBadState by pod,zeroInterval reset_on_change=true ```durInBadState is running tally of consecutive zero intervals``` | stats latest(durInBadState) as durInBadState, list(count) as count by pod | where durInBadState!=0 | eval count=mvjoin(count,":")   ... View more

Re: Query when count is zero in Minute interval

by Splunk Employee in Splunk Search
‎10-31-2021 07:38 AM
1 Karma
‎10-31-2021 07:38 AM
1 Karma
@noman377 Try this commented, use-anywhere example, assuming you have access to _internal index.  It works from the time picker and the span=? value in line 3. _internal index collects metrics continuously for numerous different components..  I'm using component to represent your pod.  The report produces a list of pods reporting "missing" (zero) values in the last interval of the time range (specified in the time picker), and the number of consecutive time intervals, at the end of the time range, that have reported zero minutes.  The length of the time interval is specified by the span value in line 3 (1 minute in my example below).  Play around with different span values and time ranges.  'Last 60minutes' is a good place a to start on my instance. index=_internal component="*" | rename component as pod | timechart span=1m count by pod partial=f limit=0 | untable _time pod count | sort pod _time | eval zeroInterval=if(count=0,1,0) ```zeroInterval is Boolean flag, true (1) when count is zero ``` | streamstats sum(zeroInterval) as durInBadState by pod,zeroInterval reset_on_change=true ```durInBadState is running tally of consecutive zero intervals``` | eventstats count as LastIntervalInRange by pod ```LastIntervalInRange is number of time intervals in time range. Determined by time picker``` | streamstats count as IntervalInRange by pod ```Give each interval a position in time range. So we can determine whether it is the last interval. See filter below``` | where IntervalInRange=LastIntervalInRange AND count=0 ```filter to last time interval per pod. And where count is zero``` | table pod count durInBadState   ... View more

Re: Query when count is zero in Minute interval

by Splunk Employee in Splunk Search
‎10-29-2021 08:06 AM
1 Karma
‎10-29-2021 08:06 AM
1 Karma
I'm not quite clear on what you're looking for but I'm playing around with the following... index=_internal component="*" | timechart span=1m count by component | untable _time component count | sort component _time | eval zeroMin=if(count=0,1,0) | streamstats sum(zeroMin) by component,zeroMin reset_on_change=true | xyseries _time component count sum(zeroMin) zeroMin format="$VAL$:$AGG$" ... View more

Re: Query when count is zero in Minute interval

by Splunk Employee in Splunk Search
‎10-29-2021 07:57 AM
‎10-29-2021 07:57 AM
Do you want to calculate, for each pod, the length (in minutes) of the gap?   ... View more

Re: Comparing Results from two seperate searches?

by Splunk Employee in Splunk Search
‎10-29-2021 06:12 AM
1 Karma
‎10-29-2021 06:12 AM
1 Karma
Reading this again, I think you're looking for a subsearch.  Something along these lines. index=DNS [| search index=Threat_Intelligence | table DomainName | rename DomainName as RequestedDomainName | format] | dedup RequestedDomainName | table RequestedDomainName So the subsearch returns a string like ((RequestedDomainName=IntelDomainName1) OR (RequestedDomainName="IntellDomainName2" etc etc)".  Run the subsearch on its own and you'll see what it builds.  This string gets applied to your DNS data as a filter.  Leaving all the events in the DNS index which have domain names referenced in the Threat_Intelligence index. ... View more

Re: How do you use timewarp in specific?

by Splunk Employee in Splunk Search
‎10-29-2021 05:33 AM
‎10-29-2021 05:33 AM
You can adapt this.  I don't have months of data on my laptop.  So I've produced a chart with 2 lines.  One line is the last minute of activity (count of events per second), the other line is the average activity based on the 4 minutes before that. index=_internal sourcetype=splunkd component=Metrics earliest=-5min@min latest=@min | timechart span=1s count | eval latestMinute=if(_time>=relative_time(now(),"-1m@m"),"LatestMinute","Average"), sec=strftime(_time,"%S") | chart avg(count) over sec by latestMinute ... View more

Re: Extract count of each value of a field and cre...

by Splunk Employee in Splunk Search
‎10-29-2021 04:51 AM
‎10-29-2021 04:51 AM
Neater solution, using transpose command. index=_* index=_internal sourcetype=splunkd | rename component as skill | stats count by skill | streamstats count as counter | eval fieldnameReq="v".counter | fields - counter skill | transpose header_field=fieldnameReq ... View more

Re: Comparing Results from two seperate searches?

by Splunk Employee in Splunk Search
‎10-29-2021 04:42 AM
‎10-29-2021 04:42 AM
Some example events from each index would be useful. ... View more

Re: Extract count of each value of a field and cre...

by Splunk Employee in Splunk Search
‎10-29-2021 04:34 AM
‎10-29-2021 04:34 AM
But if you really want to introduce the V1, V2, V3 field names you'll need... index=_* index=_internal sourcetype=splunkd | rename component as skill | timechart span=5m count by skill limit=0 | untable _time skill count | sort skill, _time | streamstats dc(skill) as counter | eval fieldnameReq="v".counter | timechart span=5m sum(count) by fieldnameReq limit=0   ... View more

Re: Extract count of each value of a field and cre...

by Splunk Employee in Splunk Search
‎10-29-2021 04:32 AM
‎10-29-2021 04:32 AM
I think this is what you mean.  The hardest part is introducing the v1,v2,v3 etc field names. If you're happy to retain the skill values, i.e. F1, F2, F3 (in your screenshot above) as the field names, then this becomes much simpler i.e.... index=_* index=_internal sourcetype=splunkd | rename component as skill | timechart span=5m count by skill limit=0 ... View more

Re: Extract count of each value of a field and cre...

by Splunk Employee in Splunk Search
‎10-29-2021 04:18 AM
‎10-29-2021 04:18 AM
Something like this... index=_* index=_internal sourcetype=splunkd | rename component as skill | stats count by skill | streamstats count as counter | eval fieldnameReq="v".counter,stub="sum" | chart sum(count) over stub by fieldnameReq limit=0 | fields - stub Replace first 2 lines with your query.  Working on another post that produces a timechart.  2 tics ... View more
Contact Me
Online Status
Offline
Date Last Visited
a month ago
Karma from
Karma given to
View All