Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About atulitm
atulitm
Path Finder
Member since:
12-22-2016
06-05-2020
Community Statistics
| Posts | 42 |
| Solutions | 1 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 12-22-2016 |
Activity Feed
- Posted Search for field Link if it changed its value and when it changed on Splunk Search. 05-18-2020 03:34 AM
- Posted Re: Search for variable Link value which changed and when it changed on Splunk Search. 05-18-2020 02:09 AM
- Posted Re: Search for variable Link value which changed and when it changed on Splunk Search. 05-18-2020 01:57 AM
- Posted Re: How to combine two searches to compare and find values present in one but not other on Splunk Search. 05-15-2020 10:01 PM
- Posted Re: How to combine two searches to compare and find values present in one but not other on Splunk Search. 05-15-2020 10:38 AM
- Posted How to combine two searches to compare and find values present in one but not other on Splunk Search. 05-15-2020 07:38 AM
- Tagged How to combine two searches to compare and find values present in one but not other on Splunk Search. 05-15-2020 07:38 AM
- Posted Re: Difference in columns as output of 2 different searches on Splunk Search. 05-15-2020 04:17 AM
- Posted Difference in columns as output of 2 different searches on Splunk Search. 05-15-2020 03:07 AM
- Tagged Difference in columns as output of 2 different searches on Splunk Search. 05-15-2020 03:07 AM
- Posted Re: Search for variable Link value which changed and when it changed on Splunk Search. 05-12-2020 02:51 AM
- Posted Re: Search for variable Link value which changed and when it changed on Splunk Search. 05-11-2020 07:14 AM
- Posted Re: Search for variable Link value which changed and when it changed on Splunk Search. 05-11-2020 07:14 AM
- Posted Search for variable Link value which changed and when it changed on Splunk Search. 05-11-2020 06:02 AM
- Posted Re: Comparing Field Value with last Month Value and show if different on Splunk Search. 06-04-2019 02:07 AM
- Posted Re: Comparing Field Value with last Month Value and show if different on Splunk Search. 06-04-2019 01:50 AM
- Posted Comparing Field Value with last Month Value and show if different on Splunk Search. 06-04-2019 01:12 AM
- Tagged Comparing Field Value with last Month Value and show if different on Splunk Search. 06-04-2019 01:12 AM
- Posted Re: Can you help me with the following timechart query? on Splunk Search. 12-14-2018 03:13 AM
- Posted Re: Can you help me with the following timechart query? on Splunk Search. 12-14-2018 03:12 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
05-18-2020
03:34 AM
Date="8 May 2020" Link="X" Status="UP"
Date="9 May 2020" Link="Y" Status="DOWN"
Date="10 May 2020" Link="X" Status="UP"
Date="11 May 2020" Link="X" Status="DOWN"
Date="12 May 2020" Link="Y" Status="UP"
Date="13 May 2020" Link="X" Status="DOWN"
I am getting logs on daily basis in above format and data . I am looking to find field Link whose Status went down but never came up and on which date it went DOWN . For example in above case , Link X went down on 11 May but log on 13 May shows its still down so it went down on 11th and is down since 2 days . Following query works but issue is streamstats capture 10000 events by default so it doesn't get data for all links as logs are more than that .
|makeresults
| eval _raw="Date=\"8 May 2020\" Link=\"X\" Status=\"UP\"
Date=\"9 May 2020\" Link=\"Y\" Status=\"DOWN\"
Date=\"10 May 2020\" Link=\"X\" Status=\"UP\"
Date=\"11 May 2020\" Link=\"X\" Status=\"DOWN\"
Date=\"12 May 2020\" Link=\"Y\" Status=\"UP\"
Date=\"13 May 2020\" Link=\"X\" Status=\"DOWN\""
| multikv noheader=t
| kv
| table Date Link Status
| eval Date=strptime(Date,"%d %B %Y")
| fieldformat Date=strftime(Date,"%F")
| sort Link Date
| streamstats current=f last(Status) as prev by Link
| streamstats count(eval(Status!=prev)) as changed by Link
| eventstats last(changed) as session by Link
| where changed==session
| stats min(Date) as start max(Date) as end values(Status) as Status by session Link
| where Status="DOWN"
| convert ctime(start) ctime(end) timeformat="%F"
... View more
05-18-2020
02:09 AM
I unaccepted because it doesn't resolve the issue completely but thats true it resolve the original question . i will raise another question for corresponding issue then . No problem , accepted it solution for original query .
... View more
05-18-2020
01:57 AM
@to4kawa above query works but i see issue being that streamstats reaches limits as number of logs are more than 10000 so it doesnt work . is there any workaround for same thanks .
... View more
05-15-2020
10:01 PM
I didn't understood logic behind how formatted data of source=test.txt will be removed from source=test1.txt but this doesn't work it shows exact data in source=test1.txt .
... View more
05-15-2020
10:38 AM
This doesnt work because source=test.txt has 2 more fields in logs so it will not be able to remove because logs will have few more variables hence not exact match to subtract test.txt from test1.txt .
device_name="alpha" pool_name="a" x_name="" y_name=""
... View more
05-15-2020
07:38 AM
Hello ,
I have data from 2 diff source with same fields as shown below :
index= sourcetype= source= test.txt
device_name="alpha" pool_name="a"
device_name="beta" pool_name="b"
device_name="gamma" pool_name="c"
index= sourcetype= source=test1.txt
device_name="alpha" pool_name="a"
device_name="beta" pool_name="b"
device_name="gamma" pool_name="z"
eval actual_pools = toString(device_name) + ";" + toString(pool_name)
I am looking for field actual_pools using raw data which i created above which exist in source=test1.txt but not in source=test.txt . tried using join and append but unable to compare .
Please help with the same , thanks.
... View more
05-15-2020
04:17 AM
It doesn't work may be because sorry I think i didn't put question in Splunk language there are not files but source of date , changed details below as per splunk names :
I have data from 2 diff source with same fields as shown below :
index=* sourcetype=* source= test.txt
device_name="alpha" pool_name="a"
device_name="beta" pool_name="b"
device_name="gamma" pool_name="c"
index=* sourcetype=* source=test1.txt
device_name="alpha" pool_name="a"
device_name="beta" pool_name="b"
device_name="gamma" pool_name="z"
eval actual_pools = toString(device_name) + ";" + toString(pool_name)
I am looking for field actual_pools using raw data which i created above which exist in source=test1.txt but not in source=test.txt . Thanks for help .
... View more
05-15-2020
03:07 AM
Hello ,
I have data from 2 diff source with same fields as shown below :
index= sourcetype= source= test.txt
device_name="alpha" pool_name="a"
device_name="beta" pool_name="b"
device_name="gamma" pool_name="c"
index= sourcetype= source=test1.txt
device_name="alpha" pool_name="a"
device_name="beta" pool_name="b"
device_name="gamma" pool_name="z"
eval actual_pools = toString(device_name) + ";" + toString(pool_name)
I am looking for field actual_pools using raw data which i created above which exist in source=test1.txt but not in source=test.txt
Thanks
... View more
05-12-2020
02:51 AM
This works as expected with few changes for my other need . Thank you !!
... View more
05-11-2020
07:14 AM
Date="9 May 2020" Link="Y" Status="DOWN"
Date="10 May 2020" Link="X" Status="UP"
Date="11 May 2020" Link="X" Status="DOWN"
Date="12 May 2020" Link="Y" Status="UP"
Date="13 May 2020" Link="X" Status="DOWN"
Variable Link is shows in Logs above with below requirement :
For example variable Link "X" went down on 10th May but log on 13th May shows its still down .
and query should not show Link Y as output because it went down on 9th May but last logs shows its up now as in last log . Hope this clarifies what i am looking for thanks .
... View more
05-11-2020
07:14 AM
Actually this i already tried this but this shows last logs which mean which is down but not up but it doesnt show when it went down . For example it below case , Link X went down on 11 May but log on 13 May shows its still down .
Date="9 May 2020" Link="Y" Status="DOWN"
Date="10 May 2020" Link="X" Status="UP"
Date="11 May 2020" Link="X" Status="DOWN"
Date="12 May 2020" Link="Y" Status="UP"
Date="13 May 2020" Link="X" Status="DOWN"
... View more
05-11-2020
06:02 AM
Date="8 May 2020" Link="X" Status="UP" Date="9 May 2020" Link="Y" Status="DOWN" Date="10 May 2020" Link="X" Status="UP" Date="11 May 2020" Link="X" Status="DOWN" Date="12 May 2020" Link="Y" Status="UP"
I am getting logs on daily basis in above format and data . I am looking to find variable Link whose Status went down but never came up and on which date it went DOWN . Can someone please help with same , thanks
... View more
- Tags:
- splunk-cloud
Labels
- Labels:
-
stats
06-04-2019
02:07 AM
Thanks David . I will try to create one .
... View more
06-04-2019
01:50 AM
Thanks David , It works . is there any way i can look for last log by device instead of earliest which will show the oldest log in time frame mentioned instead . Like if i have 5 log entries for same device in last 7 days and i want to check only last log and latest log by Device for difference in BW_Limit . is that possible to do .
... View more
06-04-2019
01:12 AM
Hi , I need help with following Log :
5th May device="devicename" policy="XYZ" BW_Limit="any number" Total_BW="any number"
4th June device="devicename" policy="XYZ" BW_Limit="any number" Total_BW="any number"
I have multiple logs coming for different devices like above and i would like to compare BW_Limit variable with last month value of same variable for different devices and then show only for those devices which have different BW_Limit value in latest month so i can find out which all devices have BW_Limit got changed and table last month BW_Limit and this month changed BW_Limit value . Unable to get this working and would need help
... View more
- Tags:
- chart
12-14-2018
03:13 AM
This works like charm . I didnt knew i can use timechart command like that too . Thanks for help .
... View more
12-14-2018
03:12 AM
This stats query doesnt work as i am expecting output in chart .
... View more
12-11-2018
03:25 AM
index=X sourcetype=X source=X | timechart first(percentage_allocation) as percentage_allocation by devicename
I am facing an issue with the following query, in case, where there are multiple logs with a different variable named "link" and I would like to use that as a data search like :
devicename=a percentage_allocation=1 link=a
devicename=a percentage_allocation=2 link=a
devicename=a percentage_allocation=3 link=b
Above query will look for the first log of percentage_allocation by devicename in that month and show percentage allocation, but i would like to make sure it shows me on a basis of different links as well, but I can't see any option to use any function to get data on a basis of new variable which is "link" in timechart as it allows only BY keyword and OVER is already for time.
Can i use a 3rd variable as a data qualifier?
... View more
- Tags:
- timechart
12-11-2018
12:59 AM
Oops missed , My fault . Thanks for help .
... View more
12-11-2018
12:29 AM
Hi
i need help with a dynamic list on my dashboard. I have this message : "Duplicate values causing conflict" . I can execute a query without any issues and without any duplicate values. I tried changing the query by using the TOP command, but it isn't helping:
index= X sourcetype=X source=X | top 10 vendor
...........................
<form>
<label>Office - Location Connectivity</label>
<fieldset submitButton="false">
<input type="dropdown" token="site_name" searchWhenChanged="true">
<label>Please select Office Code for which you would like to see Data</label>
<fieldForLabel>site_name</fieldForLabel>
<fieldForValue>site_name</fieldForValue>
<search>
<query>index= X sourcetype=X source=X | dedup vendor | table vendor</query>
<earliest>-7d@h</earliest>
<latest>now</latest>
</search>
<choice value="*">None</choice>
</input>
</fieldset>
</form>
... View more
03-09-2018
02:01 AM
Actually i noticed this query is looking for first down event and then up event which occured after 10 days but instead i would like to have query to check time difference between 2 consecutive logs and see if time difference is more than days to check downtime , i want the duration between each Down and Up status as Downtime trending and check for duration between each cosequetive up and down event for downtime which is greater than 10 days .
... View more
03-09-2018
01:57 AM
@niketnilay :
Sorry for confusion , Actually i noticed this query is looking for first down event and then up event which occured after 10 days but instead i would like to have query to check time difference between 2 consecutive logs and see if time difference is more than days to check downtime , As you said i want the duration between each Down and Up status as Downtime trending and check for duration between each cosequetive up and down event for downtime which is greater than 10 days .
... View more
03-08-2018
07:43 AM
Sorry , Actually this doesnt work because log exactly is like this which contains which is variable , not sure how to get that variable things
1 jan neibhor up
10 jan jan neibhor down Notification Sent
20 jan neibhor up
30 jan neibhor down Notification Sent
... View more
03-08-2018
05:09 AM
Example Logs(ignore time format as it is as expected by splunk :
1 jan neibhor is up
10 jan jan neibhor is down
20 jan neibhor is up
30 jan neibhor is down
1 feb neibhor is up
I will like to see time diff between down log and up log and if its more than 10 days then show when it went down and came up in table . I was able to see last down event and since when but couldnt get it working what i need .
index= "neighbor" AND Up OR Down | rex "neighbor (?\d+.\d+.\d+.\d+) (?\w+") | dedup host | where status = "Down" | eval "Down Since" = toString(date_mday) + " " + toString(date_month) + " " + toString(date_year)| table host ip status "Down Since"
... View more
02-21-2018
05:14 AM
Thanks for help frank . I need to improve myself on regex .
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
