Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About arungeorge09
arungeorge09
Path Finder
Member since:
09-05-2013
06-05-2020
Community Statistics
| Posts | 30 |
| Solutions | 1 |
| Karma Given | 3 |
| Karma Received | 1 |
| Member Since | 09-05-2013 |
Activity Feed
- Karma Re: How do I extract fields from a json object (serialized) and put it back to splunk index? for tom_frotscher. 06-05-2020 12:47 AM
- Karma Re: How do I search using an evaluated numeric field for somesoni2. 06-05-2020 12:47 AM
- Got Karma for Re: Join 2 searches and finding the difference in the output.. 06-05-2020 12:47 AM
- Karma Re: how to display percentage of total for Ayn. 06-05-2020 12:46 AM
- Posted How do I split the output of the join in Splunk on Splunk Search. 09-07-2015 12:01 AM
- Tagged How do I split the output of the join in Splunk on Splunk Search. 09-07-2015 12:01 AM
- Tagged How do I split the output of the join in Splunk on Splunk Search. 09-07-2015 12:01 AM
- Posted Re: How to search multiple value on the same field on Splunk Search. 02-02-2015 05:24 AM
- Posted Re: How do I search using an evaluated numeric field on Splunk Search. 01-13-2015 12:04 PM
- Posted Re: How do I search using an evaluated numeric field on Splunk Search. 01-13-2015 11:26 AM
- Posted Re: How do I search using an evaluated numeric field on Splunk Search. 01-13-2015 11:16 AM
- Posted Re: How do I search using an evaluated numeric field on Splunk Search. 01-13-2015 10:48 AM
- Posted How do I search using an evaluated numeric field on Splunk Search. 01-13-2015 10:29 AM
- Tagged How do I search using an evaluated numeric field on Splunk Search. 01-13-2015 10:29 AM
- Tagged How do I search using an evaluated numeric field on Splunk Search. 01-13-2015 10:29 AM
- Posted Re: How do you do disjunction of two sets in join condition on Splunk Search. 12-15-2014 08:37 PM
- Posted Re: How do you do disjunction of two sets in join condition on Splunk Search. 12-15-2014 08:08 AM
- Posted Re: How do you do disjunction of two sets in join condition on Splunk Search. 12-15-2014 07:08 AM
- Posted Re: Join 2 searches and finding the difference in the output. on Splunk Search. 12-15-2014 06:54 AM
- Posted How do you do disjunction of two sets in join condition on Splunk Search. 12-15-2014 06:53 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
09-07-2015
12:01 AM
I have a splunk join between a synchornous event and an asynchornous event. The only join condition between these are just a correlation id. I am able to get the join but I want to now know what are the actual reason which caused it and would like to see the part of a join . How do I do that.
index=xyz platform=apns batch=496 event="NEAT-IN" | join type=outer alertId [ search index=xyz event=cloudPns* ] | stats count by responseCode
Now if the responseCode is 8 then I have a problem but I want to see all the events with event=cloudPns* alone for this join condition .
I tried where but it gave me 0 results.
what I tried is this:
index=qa-speed platform=apns batch=496 event="NEAT-IN" | join type=outer alertId [ search index=qa-speed event=cloudPns* ] |search where event=cloudPns*
How do I achieve this . I basically want to see the output of the right part of the join.
... View more
02-02-2015
05:24 AM
How do I construct a query with this.?
... View more
01-13-2015
12:04 PM
Nope its not working . Do you know why. I need this for some other requirement.
index=xyz event="NEAT-IN" platform=apns |eval epochT=relative_time(now(), "-3d@d") | eval day=tonumber(strftime(epochT,"%d")) |eval nDay=tonumber(date_mday)| fields nDay,day,*|search nDay=day
... View more
01-13-2015
11:26 AM
This is working man yes. I need to still understand what is being done here and why the simple query is not. what is gentimes . why a subquery required
... View more
01-13-2015
11:16 AM
I have already a field called date_mday . I just need to match it. Here is my problem.
Following is my data
12/13/14 10:23:17.489 AM <167>1 2014-12-12T21:53:17.489-07:00 x.y.com neat 6627 apns [meta@28281 sequenceId="70840" sysUpTime="1093867625"][analytics@28281 event="NEAT-IN" platform="APNS"] {"timestamp":"1418446397487","platform":"apns","alertId":"142900204","appId":"appId","args":{},"deviceToken":"devToen","alert":"Message"}
As you can see I can't rely on _time as this is different and hence my dashboard queries with earliest=-1d@d is wrong. I instead want _time to be the time stamp after '<167> 1'. How do I do that. So my solution was to use the parsed fields date_mday which actually represents this second timestamp and match with current time and then use this inside dashboard query.
... View more
01-13-2015
10:48 AM
Anybody knows how do I do this. This is very simple query but simply not working.
... View more
01-13-2015
10:29 AM
index=xxx event="NEAT-IN" platform=apns |eval epochT=relative_time(now(), "-2d@d") | eval day= strftime(epochT,"%d") | eval month=strftime(epochT,"%m")| eval year=strftime(epochT,"%Y") |fields day,*| search date_mday=day
This search is not working as expected. If I list the results I can see 11,11 for table date_mday,day .
... View more
12-15-2014
08:37 PM
@somesoni2 . The query works but it gives me zero results.
I have 578 distinct count(alertId) in first search
I have 488 distinct count(txId) in second search
I still don't understand why I will get 0 results.
Note: It should be isnull(alertId) because alertId is on the right table.
... View more
12-15-2014
08:08 AM
I have 2 searches with a join condition txId . But I know that the second subsearch does not have same items. I want it as raw events. I tried the following
index=xyz event="NEAT-IN" platform=apns | eval txId=alertId |join txId [search index=xyz event=pushApns] | where isnull(txId)
Why this does not work. I got 0 events. This is not correct. There are less events in second subsearch based on stats.
I have a dashboard to prepare and really appreciate the help.
... View more
12-15-2014
07:08 AM
Can someone please answer . I am looking for a minus query.
... View more
12-15-2014
06:54 AM
But event can be only pushApns or NEAT-IN
... View more
12-15-2014
06:53 AM
I have a common field and 2 joins and want to work on the data which does not fall in the join condition.
... View more
- Tags:
- join
12-15-2014
06:30 AM
Why not the previous one.
... View more
12-15-2014
04:56 AM
NEAT-IN
<167>1 2014-12-14T18:23:49.908-07:00 x.y.com neat 901 apns [meta@28281 sequenceId="69599" sysUpTime="1109890868"][analytics@28281 event="NEAT-IN" platform="APNS"] {"timestamp":"1418606629897","platform":"apns","alertId":"1404841346","appId":"appId","args":{"time":"1418606629788","batch":"48288","tms_id":"tmsId","src":"src"},"deviceToken":"devToken","alert":"Exciting Game"}
pushApns
<167>1 2014-12-14T18:23:49.909-07:00 x.y.com neat 6627 apns [meta@28281 sequenceId="71272" sysUpTime="1109890867"][analytics@28281 event="pushApns" platform="APNS" outcome="0" errorCode="0" errorDesc="Push to apns success" errorContext="TCP-SSL" operation="PUSH_APNS" opTime="0" startTime="1418606629908" appId="appId" deviceToken="devToken" args="{\"time\":\"1418606629788\",\"batch\":\"48288\",\"tms_id\":\"tms_id\",\"src\":\"src\"}" txId="2099269910"]
... View more
12-15-2014
04:48 AM
Now both counts are coming as 578.
Query used:
index=xyz event="NEAT-IN" platform="APNS" OR event="push*"
| stats count(eval(event="NEAT-IN")) AS count_NEAT count(eval(if(match(event, push) , 1, 0 ))) AS count_push by platform
The output is 578,578 . This is not correct @MuS.
It should be 578,488
Any Idea what is happening.
... View more
12-15-2014
04:22 AM
@Mus Executed the query but count_push is coming as zero . Looks like splunk does not do count(eval(event="push*"))
... View more
12-15-2014
02:19 AM
Not understanding how the count got goofed up
... View more
12-15-2014
02:16 AM
event="NEAT-IN" has 578 count
event="pushApns" has only 488 count
I want to know which 578-488 are the missing ones and do further query on them
... View more
12-15-2014
02:14 AM
I have 2 searches and there counts are different. I want to find the rows which don't join.
... View more
12-15-2014
02:12 AM
1 Karma
My two searches are here.
index=xyz event="NEAT-IN" platform="APNS" | join type=inner platform,batch [search index=xyz event="push*"] | stats count(event)
Each individual query count is different but when joined it always counts the joined count as the largest count.
... View more
12-15-2014
01:54 AM
I want to join 2 queries by a common field and the counts of the searches are different. I want to work on the dataset which does not join.
... View more
- Tags:
- join
12-15-2014
01:45 AM
Its a calculated field
... View more
11-17-2014
03:37 AM
Worked. Thanks Tom. Why does not it work with my regexp . Can you explain
... View more
11-16-2014
11:29 PM
Sample data:
<167>1 2014-11-15T16:45:44.542-07:00 host.name.com neat 11151 gcm [meta@28281 sequenceId="43096" sysUpTime="858744854"][analytics@28281 event="pushGcm" platform="GCM" outcome="0" errorCode="0" errorDesc="Push to apns success" errorContext="TCP-SSL" operation="PUSH_GCM" opTime="46" startTime="1416095144542" appId="appId" deviceToken="token" args="{\"time\":\"1416095144194\",\"batch\":\"26966\",\"tms_id\":\"tmsid\",\"src\":\"src\"}" txId="907472412"]
I want to extract the args and put it back in its appropriate fields . I know I can use Field Extractions and Field transformations but not working.
Field Transformation
Name:NEAT_BATCH
Rex: batch\\\\\":\\\\\"(?.*?)\\\\\",
Field Extraction
Name:NEAT_BATCH
... View more
11-16-2014
10:56 PM
I have my working query now which is pretty complex but does the job 😉
earliest="@w0" index=slingneat event="push*" | rex field=_raw "\\\\\"time\\\\\":\\\\\"(?.*?)\\\\\",\\\\\"batch\\\\\":\\\\\"(?.*?)\\\\\",\\\\\"tms_id\\\\\":\\\\\"(?.*?)\\\\\",\\\\\"src\\\\\":\\\\\"(?.*?)\\\\\"" | eval batch=batch|eval tms_id=tms_id | eval time=time | eval src=src | eval batch_id=batch | eval pns_platform=platform|eval batchPlatform=batch."#".platform| join pns_platform [search index= analyticslogs table_name="neat" ]|eval alert_text=urldecode(alert_text)|eval formatted_time=strftime(time/1000,"%F %T") |stats count(event) as noofalerts by neat_client_app,os_ver,batch, formatted_time,alert_text| table neat_client_app ,os_ver, formatted_time,alert_text,batch, noofalerts
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
