Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About evbtbw92
evbtbw92
New Member
Member since:
04-05-2019
06-05-2020
Community Statistics
| Posts | 7 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 04-05-2019 |
Activity Feed
- Posted Re: How to handle search query when json data has host field? on Splunk Enterprise. 04-08-2019 04:51 PM
- Posted Re: How to handle search query when json data has host field? on Splunk Enterprise. 04-08-2019 02:13 PM
- Posted Re: How to handle search query when json data has host field? on Splunk Enterprise. 04-08-2019 12:02 PM
- Posted Re: How to handle search query when json data has host field? on Splunk Enterprise. 04-08-2019 11:40 AM
- Posted Re: How to handle search query when json data has host field? on Splunk Enterprise. 04-08-2019 11:22 AM
- Posted Re: How to handle search query when json data has host field? on Splunk Enterprise. 04-08-2019 11:19 AM
- Posted How to handle search query when JSON data has host field? on Splunk Enterprise. 04-05-2019 03:29 PM
- Tagged How to handle search query when JSON data has host field? on Splunk Enterprise. 04-05-2019 03:29 PM
- Tagged How to handle search query when JSON data has host field? on Splunk Enterprise. 04-05-2019 03:29 PM
- Tagged How to handle search query when JSON data has host field? on Splunk Enterprise. 04-05-2019 03:29 PM
- Tagged How to handle search query when JSON data has host field? on Splunk Enterprise. 04-05-2019 03:29 PM
- Tagged How to handle search query when JSON data has host field? on Splunk Enterprise. 04-05-2019 03:29 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 |
04-08-2019
04:51 PM
After fighting with this of a day and a half I finally found a solution that will work. It has a bit more hard coding with the server names than I wanted, but good enough for now:
index="my_index" host::prd-srv-001 OR host::prd-srv-002 OR host::prd-srv-003 OR host::prd-srv-004 source="/var/log/my_program/http_json*" | timechart usenull=f useother=f cont=true span=1m count by host | fillnull value=0 | table _time, prd-srv-001, prd-srv-002, prd-srv-003, prd-srv-004
As noted in my previous comments, the rex mode=sed stuff didn't work when I included a timechart.
... View more
04-08-2019
02:13 PM
Something interesting I found, if you are not trying to visualize the data it works as woodcock expliaed in number three, IE: index="my_index" host=prd-srv-00* | rex mode=sed "s/\"host\"/\"json_host\"/g"
But as soon as you add the timechart, either in the query or by right clicking on host it adds the host field from the data in. Very odd.
Any help is much appreciated!
... View more
04-08-2019
12:02 PM
I'm looking at a small number of events for testing, about 400. Some have my_server_1 and some have my_server_2, so it would return values.
The problem I have is that all the events come from the host (Splunk side) of prd-srv-008, but also have the other field set.
In my graph, for the first minute it is showing:
prd-srv-008 --COUNT: 432
my_server_1 --COUNT: 320
my_server_2 --COUNT: 112
if you notice my_server_1 and my_server_2 always adds up to the total from prd-srv-008
... View more
04-08-2019
11:40 AM
That still returns no results. My guess is because ext_host is still set for each event, therefore when the search happens it is excluding all events.
... View more
04-08-2019
11:22 AM
Thank you very much for the reply! I put more details in the other answer (I had to pick one), but neither seems to work for me.
When I tried your approach:
index="my_index" host=prd-srv-00* AND ext_host!="my_server_1" | rex field=_raw "\"host\"\:\"(?<ext_host>[^\"]*)" | timechart span=1m count by host | fillnull value=0
It didn't return any values. This seems to be due to the rex field update not happening until after the search.
Any other thoughts?
Thanks again for any help!
... View more
04-08-2019
11:19 AM
Thanks for the response, this seems close, but isn't exactly what I need.
When I try this I have:
index="my_index" host=prd-srv-00* | rex mode=sed "s/\"host\"/\"json_host\"/g" | timechart span=1m count by host | fillnull value=0
This returns the correct number of events under the Events tab, it still isn't right, see the data below, you can see the event shows it is updated with json_host instead of host , but if you look at the bottom, it appears the rex mode change doesn't take affect until after the search:
{"time":"2019-04-05T21:50:09.925Z","severity":"INFO","duration":25.02,"db":10.23,"view":14.79,"status":200,"method":"GET","path":"/api/v4/project/1","params":[],"host":"my_server_1","ip":"1.2.3.4, 4.5.6.7","ua":null,"route":"/api/:version/projects/:id","user_id":12,"username":"smithers","queue_duration":4.35,"magic_calls":0}
Show syntax highlighted
host = prd-srv-008 host = my_server_1 method = GET
So I guess at this point I"m looking for one of two things:
1. Do the rex mode before the search, like I said now it appears to happen after
2. In the Visualization hide a data series (my_server_1 in this case)
I prefer number 1 as it will require fewer manual updates in the future.
I'm continuing to play with this and do some searches, but so far I haven't had any luck.
Thanks again for any help!
... View more
04-05-2019
03:29 PM
I'm working on a corporate Splunk instance where we do not have access to rename fields when indexing, or make any similar modifications due to security and compliance requirements. I'm trying to create a timechart based on the number of events per hour by host . My issue is that the JSON data has a host field in addition to the Splunk built in host field. IE a sample event looks like: {"time":"2019-04-05T21:50:09.925Z","severity":"INFO","duration":25.02,"db":10.23,"view":14.79,"status":200,"method":"GET","path":"/api/v4/project/1","params":[],"host":"my_server_1","ip":"1.2.3.4, 4.5.6.7","ua":null,"route":"/api/:version/projects/:id","user_id":12,"username":"smithers","queue_duration":4.35,"magic_calls":0}
My search looks like: index="my_index" host="prd-srv-00*" source="/var/log/my_program/http_json*" | timechart span=1h count by host
When I do this it combines the hosts the logs came from (built in host field) and hosts listed in the data (host field in the json).
If I try to filter out the hosts from the data, it removes the events from the built in host field as well. IE: index="my_index" host="prd-srv-00*" AND host !="0.0.0.0" source="/var/log/my_program/http_json*" | timechart span=1h count by host I have also tried to use ...| where host !="0.0.0.0" | ... but this has the same result.
Any advice on a solution or workaround to handle this at search time? IE, can I rename to column when searching, etc?
Thanks in advance for any help.
... View more
Labels
- Labels:
-
troubleshooting
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
