Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About edwardryan
edwardryan
New Member
Member since:
11-20-2018
06-05-2020
Community Statistics
| Posts | 9 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 11-20-2018 |
Activity Feed
- Posted How do you display empty results when eval did not find a result? on Getting Data In. 11-22-2018 05:00 AM
- Tagged How do you display empty results when eval did not find a result? on Getting Data In. 11-22-2018 05:00 AM
- Posted Re: How do you combine two different searches with two different sources? on Splunk Dev. 11-22-2018 02:46 AM
- Posted Re: How do you combine two different searches with two different sources? on Splunk Dev. 11-21-2018 07:14 AM
- Posted Re: How do you combine two different searches with two different sources? on Splunk Dev. 11-21-2018 07:12 AM
- Posted Re: How do you combine two different searches with two different sources? on Splunk Dev. 11-21-2018 07:09 AM
- Posted Re: How do you combine two different searches with two different sources? on Splunk Dev. 11-21-2018 07:07 AM
- Posted Re: How do you combine two different searches with two different sources? on Splunk Dev. 11-21-2018 07:05 AM
- Posted Re: How do you combine two different searches with two different sources? on Splunk Dev. 11-21-2018 07:03 AM
- Posted How do you combine two different searches with two different sources? on Splunk Dev. 11-20-2018 05:39 AM
- Tagged How do you combine two different searches with two different sources? on Splunk Dev. 11-20-2018 05:39 AM
- Tagged How do you combine two different searches with two different sources? on Splunk Dev. 11-20-2018 05:39 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
11-22-2018
05:00 AM
Hello,
I have built the following query
"search query"
earliest="11/22/2018:18:55:00" latest="11/22/2018:18:59:9"
| eval platform = if(source == "S1", "Android", "IOS")
| eval server = case(host == "H1", "Server1", host == "H2", "Server2")
| eval server_platform = server.":".platform
| timechart span=5m count as COUNT by server_platform
This works perfectly when there are results, although if a result is not found, no event is returned.
I think the problem is that, if no result is returned, the eval will fail and no result is displayed.
Is there a way I can create a dummy record and then populate it with the results?
I cannot default to a value, because I do not know what it didn't find.
Any help is much appreciated, I will continue investigating.
Thank you.
... View more
- Tags:
- splunk-cloud
11-22-2018
02:46 AM
I found the following worked for me.
Keypoints being the use of "OR" to separate the queries and "bucket" to divide the data
(index=jboss source=/var/log/jboss/server.log sourcetype=jboss:server:log host="lblux31*" "NewState showDashboard PreviousState checkIfActiveCustomer")
OR
(index=jboss-mobile source=/var/log/jboss-mobile/server.log sourcetype=jboss:server:log host="lblux31*" "[EVENT]login") earliest=-1hr latest=now
| bucket _time span=5m
| stats count by _time, source, host
| sort - Time
... View more
11-21-2018
07:14 AM
@skoelpin can you relax? The solution I'm using at the moment is the one I created. The first solution you posted does not work. The second solution let me know how to use the eval function which I am using. Why are you so agitated? I did not respond because like you I'm in work and didn't have time to respond within 24 hours... fucking hell
... View more
11-21-2018
07:12 AM
There is no issue, I am using stats. I left a comment to say why I disagreed with your solution, would you rather I didnt comment at all?
I am using stats, as seen by initial edit in the question - BEFORE you commented this answer
... View more
11-21-2018
07:09 AM
Thanks, the eval command looks useful - I was doing this mapping afterwards using Java, but your solution looks a lot better.
... View more
11-21-2018
07:07 AM
@richgalloway I need the data structured at small intervals, that is why I was using span=5m over an hour period. Mainly because I would like to chart the output
... View more
11-21-2018
07:05 AM
Unfortunately I can't use timechart because I need to groupBy multiple fields. "stats count by" looks to be what I require.
... View more
11-21-2018
07:03 AM
@skoelpin No one has posted a solution that I have used yet
... View more
11-20-2018
05:39 AM
Hello,
I am attempting to use Splunk to search two log files that hold activity for two platforms of an application "IOS" & "Android".
The log file for each platform unfortunately uses a different identifier for login behavior.
I would like to combine both searches into one.
Currently each of my searches look like the following (some filters are the same)
> index=I1 source=S1 sourcetype=ST1 host=H1 "searchCriteria1"earliest=-1hr latest=now | timechart span=5m count by host
> index=I2 source=S2 sourcetype=ST1 host=H1 "searchCriteria2" earliest=-1hr latest=now | timechart span=5m count by host
I would like to have the result displayed as follows; total, android and ios.
I am using the JAVA API to splunk, so as long as I can differentiate Android from IOS on the response, that is ok.
Time | Total Logins | Android Logins | IOS Logins
01:00 | 10 | 8 | 2
02:00 | 15 | 10 | 5
I have looked into "multiSearch" and "subsearches" but I am new to using Splunk and do not know exactly what I am trying to do.
Any help is greatly appreciated!
Thank you,
Anon
EDIT: Considering I can differentiate between each platform via "source", the following query does produce a correct result, although I'm unsure if its the correct way. Is there a better way to obtain the following:
(index=jboss source=/var/log/jboss/server.log sourcetype=jboss:server:log host="lblux31*" "NewState showDashboard PreviousState checkIfActiveCustomer")
OR
(index=jboss-mobile source=/var/log/jboss-mobile/server.log sourcetype=jboss:server:log host="lblux31*" "[EVENT]login") earliest=-1hr latest=now
| bucket _time span=5m
| stats count by _time, source, host
| sort - Time
... View more
- Tags:
- java
- splunk-cloud
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
