cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
ppatkar
Path Finder
Member since: ‎06-22-2016
‎03-03-2021
Community Statistics
Posts 19
Solutions 0
Karma Given 8
Karma Received 3
Member Since ‎06-22-2016
Activity Feed
Topics I've Started
View All

How to handle \n in regex

by in Splunk Search
‎03-03-2021 08:09 AM
‎03-03-2021 08:09 AM
  In some of the events, I have '\n' in the events : message: org.springframework.jdbc.UncategorizedSQLException: CallableStatementCallback; uncategorized SQLException for SQL <{call XYZ_API.PROCESS_EVENT(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)}>; SQL state <16000>; error code <20011>; ORA-00060: deadlock detected while waiting for resource\nORA-06512: at "ABC_OWNER.XYZ_API", line 5133\nORA-06512: at "ABC_OWNER.XYZ_API", line 2001\nORA-06512: at "ABC_OWNER.XYZ_API", line 6829\nORA-06512: at line 1\n; nested exception is java.sql.SQLException: ORA-00060: deadlock detected while waiting for resource\nORA-06512: at "ABC_OWNER.XYZ_API", line 5133\nORA-06512: at "ABC_OWNER.XYZ_API", line 2001\nORA-06512: at "ABC_OWNER.XYZ_API", line 6829\nORA-06512: at line 1\n'   Although my regex (message:\s(?<METADATA_ERROR>[^\\\n]+))  to extract until the first '\n'  appears in the event works : https://regex101.com/r/XwEg29/1 When I try on Splunk, it extracts only   'org.spri'  Do we need to handle \n differently in Splunk ? ... View more
Labels

Re: regex exclude nth word in the event

by in Splunk Search
‎03-03-2021 01:37 AM
‎03-03-2021 01:37 AM
HI @manjunathmeti @ITWhisperer , Thank you for your quick reply . I have a followup question as I intend to use capture group to gather errors . My existing search is something like below : index=* "IOError" OR "file does not exist" | rex field=_raw max_match=1 "IOError:(?<IO_ERROR>.*)" | rex field=_raw max_match=1 "MESSAGE=(?<FILE_ERROR>file does not exist[^\d|]+)" | ... | eval ERROR_LOG = coalesce(IO_ERROR,FILE_ERROR...) Can I incorporate the sed mode in this type of capture group or is there any other way ? Thank you for all your help   ... View more

regex exclude nth word in the event

by in Splunk Search
‎03-03-2021 12:31 AM
1 Karma
‎03-03-2021 12:31 AM
1 Karma
I want to ignore the actual file name in my exception events so I can group the exceptions . For example, regex on below event should extract only  "Error File not found !!!"  and ignore the actual filename in between.     Error File abracadabra.gz not found !!!     Can you please advise on how to exclude this word in between the fixed format of words . Thank you. ... View more
Labels

Re: Default value in Dashboard dynamic drop-down &...

by in Splunk Search
‎02-24-2021 06:59 AM
‎02-24-2021 06:59 AM
  1. drop-down default value (*) in my Dynamic Drop Down is not appearing in my chart search .  selectFirstChoice field is appearing . However if I remove selectFirstChoice,  I see issues when I pick one value & then change stats drop down. -- This is still an issue . 2. Chart gets hidden when I enter some text in text input , however when I remove the text , chart doesnt appear back unless I change the static drop down.  -- This has been fixed with the below latest.  <form> <label>My Dashboard</label> <fieldset autoRun="false" submitButton="true"> <input type="time" token="timeInput"> <label>Select a Time:</label> <default> <earliest>-7d@h</earliest> <latest>now</latest> </default> </input> <input type="dropdown" token="field1" searchWhenChanged="false"> <label>Select Publisher/Subcriber:</label> <choice value="pub">Publisher</choice> <choice value="sub">Subscriber</choice> <selectFirstChoice>true</selectFirstChoice> <change> <condition match="match(value,&quot;sub&quot;)"> <set token="ind">sub_core</set> <set token="intype">SubiName</set> <set token="infname">SubfName</set> <set token="infsize">SubfSize</set> <set token="hide_panel">true</set> </condition> <condition match="match(value,&quot;pub&quot;)"> <set token="ind">pub_core</set> <set token="intype">PubiName</set> <set token="infname">PubfName</set> <set token="infsize">PubfSize</set> <set token="hide_panel">true</set> </condition> </change> </input> <input type="dropdown" token="interface"> <label>Select Interface: (Optional)</label> <choice value="*">All</choice> <selectFirstChoice>true</selectFirstChoice> <fieldForLabel>interface</fieldForLabel> <fieldForValue>interface</fieldForValue> <search> <query>index=$ind$ service | rename $intype$ AS interface | stats count by interface</query> <earliest>-7d@h</earliest> <latest>now</latest> <preview> <condition> <set token="interface">$result.interface$</set> <set token="hide_panel">true</set> </condition> </preview> </search> </input> <input type="text" token="filename" searchWhenChanged="true"> <label>Provide a filename: (Optional)</label> <default>*</default> <change> <condition match="len($filename$) > 1"> <unset token="hide_panel"></unset> <set token="show_panel">true</set> </condition> <condition match="len($filename$) &lt; 2"> <unset token="show_panel"></unset> <set token="hide_panel">true</set> </condition> </change> </input> </fieldset> <row> <panel depends="$hide_panel$" id="title"> <title>Stats</title> </panel> </row> <row> <panel> <chart depends="$hide_panel$"> <title>File Count</title> <search> <query>index=$ind$ service $interface$ | dedup $infname$ | stats count($infsize$) by $intype$ | sort - count($infsize$) </query> <earliest>$timeInput.earliest$</earliest> <latest>$timeInput.latest$</latest> </search> <option name="charting.axisTitleY.visibility">collapsed</option> <option name="charting.axisTitleY2.visibility">visible</option> <option name="charting.chart">column</option> <option name="charting.drilldown">all</option> <option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option> <option name="charting.legend.placement">none</option> <option name="height">160</option> <option name="trellis.enabled">0</option> </chart> </panel> </row> </form>     ... View more

Default value in Dashboard dynamic drop-down & hid...

by in Splunk Search
‎02-23-2021 12:00 PM
‎02-23-2021 12:00 PM
  My Dashboard contains 4 inputs :  Time , 2 Drop Downs ( One Static whose value changes Second Dynamic Drop Down query ) & lastly a free text input. I am trying to default by  Dynamic Drop Down to * (Shown as All to user) & free text input to *. I need to show or hide the Stats header &  the Count chart based on whether user enters text in text input field. ( Hide Stats when value is not * ).   I am having the below issues : 1. drop-down default value (*) in my Dynamic Drop Down is not appearing in my chart search .  selectFirstChoice field is appearing . However if I remove selectFirstChoice,  I see issues when I pick one value & then change stats drop down. 2. Chart gets hidden when I enter some text in text input , however when I remove the text , chart doesnt appear back unless I change the static drop down.  Below is my Dashboard source : <form> <label>My Dashboard</label> <fieldset autoRun="false" submitButton="true"> <input type="time" token="timeInput"> <label>Select a Time:</label> <default> <earliest>-7d@h</earliest> <latest>now</latest> </default> </input> <input type="dropdown" token="field1" searchWhenChanged="false"> <label>Select Publisher/Subcriber:</label> <choice value="pub">Publisher</choice> <choice value="sub">Subscriber</choice> <selectFirstChoice>true</selectFirstChoice> <change> <condition match="match(value,&quot;sub&quot;)"> <set token="ind">sub_core</set> <set token="intype">SubiName</set> <set token="infname">SubfName</set> <set token="infsize">SubfSize</set> <set token="hide_panel">true</set> </condition> <condition match="match(value,&quot;pub&quot;)"> <set token="ind">pub_core</set> <set token="intype">PubiName</set> <set token="infname">PubfName</set> <set token="infsize">PubfSize</set> <set token="hide_panel">true</set> </condition> </change> </input> <input type="dropdown" token="field2"> <label>Select Interface: (Optional)</label> <choice value="*">All</choice> <selectFirstChoice>true</selectFirstChoice> <fieldForLabel>interface</fieldForLabel> <fieldForValue>interface</fieldForValue> <search> <query>index=$ind$ service | rename $intype$ AS interface | stats count by interface</query> <earliest>-7d@h</earliest> <latest>now</latest> <preview> <condition> <set token="interface">$result.interface$</set> <set token="hide_panel">true</set> </condition> </preview> </search> </input> <input type="text" token="filename" searchWhenChanged="true"> <label>Provide a filename: (Optional)</label> <default>*</default> <change> <condition match="len($filename$) > 1"> <unset token="hide_panel"></unset> </condition> </change> </input> </fieldset> <row> <panel depends="$hide_panel$" id="title"> <title>Stats</title> </panel> </row> <row> <panel> <chart depends="$hide_panel$"> <title>File Count</title> <search> <query>index=$ind$ service $interface$ | dedup $infname$ | stats count($infsize$) by $intype$ | sort - count($infsize$) </query> <earliest>$timeInput.earliest$</earliest> <latest>$timeInput.latest$</latest> </search> <option name="charting.axisTitleY.visibility">collapsed</option> <option name="charting.axisTitleY2.visibility">visible</option> <option name="charting.chart">column</option> <option name="charting.drilldown">all</option> <option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option> <option name="charting.legend.placement">none</option> <option name="height">160</option> <option name="trellis.enabled">0</option> </chart> </panel> </row> </form>   Any help here is appreciated.  ... View more
Labels

Re: Splunk multiple field extraction

by in Splunk Search
‎02-23-2021 02:22 AM
‎02-23-2021 02:22 AM
Hi @manjunathmeti  I have one followup to the earlier , in certain events I see truncated output like below :   [TIMESTAMP=2021-02-19 12:16:30.684 UTC] [RUN_ID=] [TRACE_ID=] [STEP=End Processing] [LINE_NO=701] [LOG_LEVEL=TRACE] [MESSAGE=[ppv] [insert] Query completed , total 11 ms: [10 values] INSERT INTO errors (job,run,timestamp,count,alert,error,code,message,completets,active) VALUES (?,?,?,?,?,?,?,?,?,?); [job:'endcustomer--pr..[truncated output], run:4569876, timestamp:1613736990530, count:200, alert:'failed after launch', error:'', code:'E302: Batch failed', message:'', completets:'', active:false]]   This is causing my job to get derived as null . Can you please advise ?   ... View more

Re: Splunk split events to extract text

by in Splunk Search
‎02-22-2021 04:11 AM
‎02-22-2021 04:11 AM
Thanks @gcusello  . It works in general , however it breaks when my Exception has "," in it . Ex : Exception:XYZ API has failed. Exception: ApiError(ERR361, No bucket found), Job=ABC Output desired in this case : Exception: ApiError(ERR361, No bucket found) ... View more

Splunk split events to extract text

by in Splunk Search
‎02-22-2021 01:49 AM
‎02-22-2021 01:49 AM
I have multiple events in Splunk like below : Exception:100 : *** Error 3006 Logons are disabled., Job=ABC Exception:XYZ API has failed. Exception: RDBMS error 2801: Duplicate unique prime key error, Job=ABC Exception:100 : RDBMS error 2640: Specified table either does not exist in DEX or is moved to another map., Job=ABC I am looking for the text between "Exception:" and ", Job"  Output desired : *** Error 3006 Logons are disabled. RDBMS error 2801: Duplicate unique prime key error RDBMS error 2640: Specified table either does not exist in DEX or is moved to another map. I was trying split like below, however in some events , "Exception:" appears twice.  Hence second case above , gives me XYZ API has failed : eval temp=split(_raw, "Exception:") | eval temp1 = mvindex(temp,1) | eval temp2=split(temp1,"), Job") | eval EXCEPTION=mvindex(temp2,0) Is there any way to split based on second or last occurrence of Exception in the event ?  Thank you for any suggestion/help.   ... View more
Labels

Splunk multiple field extraction

by in Splunk Search
‎02-19-2021 04:42 AM
‎02-19-2021 04:42 AM
   I have the below Splunk Event & need to extract multiple fields from the same :   [TIMESTAMP=2021-02-19 12:16:30.684 UTC] [RUN_ID=] [TRACE_ID=] [STEP=End Processing] [LINE_NO=701] [LOG_LEVEL=TRACE] [MESSAGE=[ppv] [insert] Query completed , total 11 ms: [10 values] INSERT INTO errors (job,run,timestamp,count,alert,error,code,message,completets,active) VALUES (?,?,?,?,?,?,?,?,?,?); [job:'endcustomer--prod', run:'4569876', timestamp:1613736990530, count:200, alert:'failed after launch', error:'', code:'E302: Batch failed', message:'', completets:'', active:false]]   Expected Table Output : job run code endcustomer--prod 4569876 E302: Batch failed   I was able to pick some field like : run\:\'(?<run>\w+)' https://regex101.com/r/q7NqQb/1 However, unable to extract all the three fields above. Any help is appreciated. ... View more
Labels

How to find concurrent run of processes?

by in Splunk Search
‎06-10-2020 03:39 AM
‎06-10-2020 03:39 AM
Hi ,  I would like to check if there are multiple instances of a job/process running . Ex: My Splunk search :     index=abc <jobname> | stats earliest(_time) AS earliest_time, latest(_time) AS latest_time count by source | convert ctime(earliest_time), ctime(latest_time) | sort - count   Returns :   source earliest_time latest_time count logA 06/06/2020 15:24:09 06/06/2020 15:24:59 1 logB 06/06/2020 15:24:24 06/06/2020 15:25:12 2   In the above since logB indicates job run before logA completion time,  it is an indication of the concurrent run of the process. I would like to generate a list of all such jobs if it is possible, any help is appreciated.   Thank you.  ... View more
Labels

Re: How to get the latest timestamp by host?

by in Getting Data In
‎05-28-2019 10:11 AM
1 Karma
‎05-28-2019 10:11 AM
1 Karma
Thanks David, after searching for similar posts could manage the below : | tstats latest(_time) AS latest where index=abc by host | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(latest) ... View more

How to get the latest timestamp by host?

by in Getting Data In
‎05-28-2019 09:57 AM
‎05-28-2019 09:57 AM
I need to list all the hosts with their latest Splunk event timestamps in YYYY-MMM-DD HH24:MI:SS format . Below seems to be suffice , however I am unable to change the date & time format for required results : tstats latest(_time) where index=abc by host Any help or insights is appreciated. ... View more

Re: Splunk Extraction

by in Splunk Search
‎04-07-2019 08:34 AM
‎04-07-2019 08:34 AM
Thank you @dmarling ... View more

Splunk Extraction

by in Splunk Search
‎04-04-2019 12:39 AM
‎04-04-2019 12:39 AM
I have Splunk events like below & would like to extract the reason for failure. Event 1 : FILE_READER[1]: TT19472 Fatal data error processing file '/default/folder/ingest/amr_ca_sf_items_658721_US.out'. Field length overflow(s) in record 2355, field 17, 'COUNT_DESC'. Expected 300 bytes, field contained 307 bytes. FILE_READER[1]: TT19015 TPT Exit code set to 12. Event 2 : $FILE_READER<1>: DataConnector Producer operator Instances: 1 $FILE_READER<1>: ECI operator ID: '$FILE_READER-18808' $FILE_READER<1>: Operator instance 1 processing file '/default/folder/ingest/amr_ca_sf_items_658721_US.out'. $FILE_READER<1>: TT19472 Fatal data error processing file '/default/folder/ingest/amr_ca_sf_items_658721_US.out'. Field length overflow(s) in record 1, field 1, '"ORDER"'. Expected 20 bytes, field contained 841 bytes. $FILE_READER<1>: TT19015 TPT Exit code set to 12. Event 3 : FILE_READER<1>: TT19434 pmAttach failed. General failure (34): '!ERROR! dlopen failed: /default/folder/installations/lib/axm.so: cannot open shared object file: No such file or directory' FILE_READER<1>: TT19302 Fatal error loading access module. FILE_READER<1>: TT19015 TPT Exit code set to 12. Event 4 : FILE_READER<1>: TT19134 !ERROR! Fatal data error processing file '/default/folder/ingest/rpv0410_12123_1.out.gz'. Delimited Data Parsing error: Too many columns in row 246. FILE_READER<1>: TT19015 TPT Exit code set to 12. Event 5 : FILE_WRITER<1>: TT19434 pmWrite failed. General failure (34): 'pmunxWBuf: fwrite byte count error (No space left on device)' FILE_WRITER<1>: TT19306 Fatal error writing data. FILE_WRITER<1>: TT19015 TPT Exit code set to 12. Reason for failure should look like below : 1: Field length overflow(s) in record 2355, field 17, 'COUNT_DESC'. Expected 300 bytes, field contained 307 bytes. 2 : Field length overflow(s) in record 1, field 1, '"ORDER"'. Expected 20 bytes, field contained 841 bytes. 3 : Fatal error loading access module or '!ERROR! dlopen failed: /default/folder/installations/lib/axm.so: cannot open shared object file: No such file or directory' 4 : Parsing error: Too many columns in row 246. 5 : Fatal error writing data or General failure (34): 'WBuf: fwrite byte count error (No space left on device)' If someone can guide on a way to extract this , it will be very helpful . Thanks. ... View more

Re: Field extraction from source field

by in Splunk Search
‎04-03-2019 10:33 AM
‎04-03-2019 10:33 AM
Works like a charm ! Thank you ... View more

Re: Field extraction from source field

by in Splunk Search
‎04-03-2019 09:10 AM
‎04-03-2019 09:10 AM
Thanks @FrankVI , @vnravikumar & @ragedsparrow for all your help . Unfortunately my source pattern can contain multiple words in the file name but filename is always suffixed by process id like below : source=/default/folder/20190403/file_PARADOX_7747_txt source=/default/folder/20190402/file_AMR_CA_1234_txt source=/default/folder/20190402/file_EMEA_IRE_DUB_8964_txt If there is a way to grab the file name between "file_" and a numeric digit ([0-9]) , it ll help . ... View more

Field extraction from source field

by in Splunk Search
‎04-03-2019 07:15 AM
‎04-03-2019 07:15 AM
I have my Splunk source in the format below : source=/default/folder/20190403/file_PARADOX_7747_txt I am trying to only pick the file name from the source to do some analysis & unable to get rid of unwanted process id appended at the end i.e., I only need PARADOX from the above. Below is the closest I have got so far , however I am unable to separate the process id from the file name rex field=source "(?<logdir>[\w\W/]+)/file_(?<filename>[^.]+)_txt" logdir : /default/folder/20190403/ filename : PARADOX_7747 Ideally, I would like the below output : logdir : /default/folder/ date : 20190403 processid : 7747 filename : PARADOX extension : txt Any help is appreciated . Thank you. ... View more

Re: How to search the time difference between tran...

by in Splunk Search
‎06-22-2016 09:59 PM
1 Karma
‎06-22-2016 09:59 PM
1 Karma
@sundareshr : Thanks for your help ! I slightly modified your answer & got it to work index=abc* source="abc.log" "ResponseStatus = SUCCESS" OR "RequestStatus=Sent" | eval sid=coalesce(replace(sessionId,"'",""), messageId) | stats range(_time) as duration by sid ... View more

How to search the time difference between transact...

by in Splunk Search
‎06-22-2016 07:34 AM
‎06-22-2016 07:34 AM
I have three statements in my log file for each transaction like below: index=abc* source="abc.log" 2410286283_b310-3358a1229709 INFO 22/Jun/2016 13:52:21.318 [ Thread-2 ] INFO : ResponsePoll - [STEP_ID = checkStatus ]{ message = "Status from server" , messageId = 2410286283_b310-3358a1229709, ResponseStatus = SUCCESS } 22/Jun/2016 13:52:20.957 [ cacher-0 ] INFO : cacher - Cached [AppResponse{messageId='2410286283_b310-3358a1229709', responseSubscriberName='client01'}] 22/Jun/2016 13:52:05.191 [ sender-3 ] INFO : MessageService - [RequestStatus=Sent, Request=SuperVO{sessionId='2410286283_b310-3358a1229709', responseSubscriberName='client01'}] I need to calculate the time between the statements having keyword ResponseStatus = SUCCESS and RequestStatus=Sent for each of the ID's like 2410286283_b310-3358a1229709. In the above case, I should get a result as: 2410286283_b310-3358a1229709 00:00:16:127 I would like to do this for various ID's in my logs through Splunk. Due to different naming standards followed in request & response for the ID, I am unable to think of a way to do this. Any insights or help appreciated. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎03-03-2021 11:51 PM
Karma from
Karma given to