Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About piefragnisp
piefragnisp
Explorer
Member since:
10-31-2019
06-05-2020
Community Statistics
| Posts | 9 |
| Solutions | 1 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 10-31-2019 |
Activity Feed
- Posted Re: Add a column with count stats in addition to an existing column with avarage stats on Splunk Search. 03-16-2020 06:38 AM
- Posted Add a column with count stats in addition to an existing column with avarage stats on Splunk Search. 03-16-2020 05:06 AM
- Tagged Add a column with count stats in addition to an existing column with avarage stats on Splunk Search. 03-16-2020 05:06 AM
- Tagged Add a column with count stats in addition to an existing column with avarage stats on Splunk Search. 03-16-2020 05:06 AM
- Posted Re: Changes in `values` function from 8.x version on Splunk Search. 02-18-2020 12:08 AM
- Posted Changes in `values` function from 8.x version on Splunk Search. 02-17-2020 07:38 AM
- Tagged Changes in `values` function from 8.x version on Splunk Search. 02-17-2020 07:38 AM
- Tagged Changes in `values` function from 8.x version on Splunk Search. 02-17-2020 07:38 AM
- Tagged Changes in `values` function from 8.x version on Splunk Search. 02-17-2020 07:38 AM
- Tagged Changes in `values` function from 8.x version on Splunk Search. 02-17-2020 07:38 AM
- Posted Re: How to extract in Splunk at index time (with tstats) json field with same child-key from different father-key using regex? on Splunk Search. 12-04-2019 01:14 AM
- Posted Re: How to extract in Splunk at index time (with tstats) json field with same child-key from different father-key using regex? on Splunk Search. 11-07-2019 07:11 AM
- Posted Re: How to extract in Splunk at index time (with tstats) json field with same child-key from different father-key using regex? on Splunk Search. 11-06-2019 07:08 AM
- Posted Re: How to extract in Splunk at index time (with tstats) json field with same child-key from different father-key using regex? on Splunk Search. 11-05-2019 11:50 PM
- Posted How to extract in Splunk at index time (with tstats) json field with same child-key from different father-key using regex? on Splunk Search. 10-31-2019 01:26 AM
- Tagged How to extract in Splunk at index time (with tstats) json field with same child-key from different father-key using regex? on Splunk Search. 10-31-2019 01:26 AM
- Tagged How to extract in Splunk at index time (with tstats) json field with same child-key from different father-key using regex? on Splunk Search. 10-31-2019 01:26 AM
- Tagged How to extract in Splunk at index time (with tstats) json field with same child-key from different father-key using regex? on Splunk Search. 10-31-2019 01:26 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
03-16-2020
06:38 AM
@to4kawa just tried but seems not wotking
| tstats values where index=my_index by callee, timestampStart, timestampEnd | eval duration = (strptime(timestampEnd, "%Y-%m-%dT%H:%M:%S.%6N%Z") - strptime(timestampStart, "%Y-%m-%dT%H:%M:%S.%6N%Z")) | stats avg(duration) as duration by callee | eval duration=round(duration,2) | append [| tstats count where index=my_index by callee]
In addition I've tried this
| tstats values where index=my_index by callee,caller, timestampStart, timestampEnd | eval duration = round((strptime(termine, "%Y-%m-%dT%H:%M:%S.%6N%Z") - strptime(inizio, "%Y-%m-%dT%H:%M:%S.%6N%Z")),2)| stats avg(duration) as duration , count(callee) as total by callee | eval duration=round(duration,2) | table callee, caller, duration, total
and seems working
... View more
03-16-2020
05:06 AM
I have a json file with some information regarding soa requests. Basically info such as callee, caller, start and end timestamp of a request (write me if you want more details).
By the way I have a splunk-query to group all the events by the callee and calculate the average duration of the difference between end and start timestamp.
Something like this:
| tstats values where index=my_index by callee, timestampStart, timestampEnd | eval duration= round((strptime(timestampEnd , "%Y-%m-%dT%H:%M:%S.%6N%Z") - strptime(timestampStart, "%Y-%m-%dT%H:%M:%S.%6N%Z")),2)| stats avg(duration) as duration by callee| eval duration=round(duration,2) |table callee, duration
In addition to the avarage duration I would also add a column with the count of all events regarding that callee but (if I understand well) I can do this only with a Tstats count.
Any ideas?
Thank a lot
... View more
02-18-2020
12:08 AM
@to4kawa thanks. We saw the doc and probably we missed something: can you show us the point in the doc answering our question?
We don't understand how to refactor our query in order to be 8.x compatible.
Thanks
... View more
02-17-2020
07:38 AM
Hi,
we are testing a 8.* of Splunk version using a docker image on a POC virtual machine to migrate our 7.3.4 dev cluster.
We've noticed there is a change in values function in tstats command:
7.3.4 version the values function can have no inputs params
8.x version the values() function must have an input param
so - for example - for a query like this:
| tstats values where index=our_index by fieldA, fieldB | rename fieldA as A, fieldB as B| where like(A,"%some_criteria%") OR like(A,"%some_criteria%") | dedup A | dedup B
we have some difficults understanding the equivalent search in a 8.x Splunk. We tried a query like this one:
| tstats values(fieldA), values(fieldB) where index=our_index by fieldA, fieldB | rename fieldA as A, fieldB as B| where like(A,"%some_criteria%") OR like(A,"%some_criteria%") | dedup A | dedup B
but we don't know if it's the right way because in the output we have two more columns:
values(A)
values(B)
with the same values of columns A and B. Do you have any suggest for this particular case or any docs in order to study these changes?
Thanks a lot.
... View more
12-04-2019
01:14 AM
We solve it using these regex:
[called_id]
REGEX = (?:info":{)(?:[\s\S]*?)(?:"called":{)(?:[\s\S]*?)(?:"id":)(?:(?:(?:")([^"]*)(?:"))|(null))(?:(?:[\}])|,)(?:(?:[^}]*)(?:}))
FORMAT = chiamato::"$1"
WRITE_META = true
[caller_id]
REGEX = (?:info":{)(?:[\s\S]*?)(?:"caller":{)(?:[\s\S]*?)(?:"id":)(?:(?:(?:")([^"]*)(?:"))|(null))(?:(?:[\}])|,)(?:(?:[^}]*)(?:}))
FORMAT = chiamante::"$1"
WRITE_META = true
in transforms.conf
TRANSFORMS-callee_id = callee_id
TRANSFORMS-caller_id = caller_id
and enabling the fields in field.conf
Hope will help other people.
... View more
11-07-2019
07:11 AM
@wenthold We fixed it adding WRITE_META = true in the transformation.conf; anyway running a search it extract only two fields (keeping the event I gave to you):
called (with the caller id): "Assegni"
caller (with the called id): "VWFM"
It seems to forget the callerversion and the calledversion
... View more
11-06-2019
07:08 AM
From the deployment server cli do you mean?
... View more
11-05-2019
11:50 PM
@wenthold this is how I've configured based on your tweaks:
in transformation.conf
[caller]
REGEX = caller\"\s*:\s*\{\s*\"id\":\s*\"(?<callerid>[^\"]+)?\"\,\s*\"version\":\s*\"(?<callerversion>[^\"]+)?\"
[called]
REGEX = called\":\s*\{\s*\"id\":\s*\"(?<calledid>[^\"]+)?\"\,\s*\"version\":\s*\"(?<calledversion>[^\"]+)?\"
in fields.conf
[caller]
INDEXED = true
[called]
INDEXED = true
in props.conf
[evento_srctyp]
TRANSFORMS-caller = caller
TRANSFORMS-called = called
then I tried to perform a search like
| tstats values where index=nbp_index_application by callerid
but I had no results. Also if I search in the extracted fields I don't found the fields callerid , callerversion , calledid , calledversion
... View more
10-31-2019
01:26 AM
We have to model a regex in order to extract in Splunk (at index time) some fileds from our event. These fields will be used in search using the tstats command. The regex will be used in a configuration file in Splunk settings transformation.conf .
The main aspect of the fields we want extract at index time is that they have the same json key but a different father json-key.
Is it possible modelling this extraction using regex?
This is an example of Splunk event having the structure described before (json by the way):
{
"info":{
"eventSource":"",
"sourceType":"I/O",
"status":{
"code":"",
"msg":"",
"msgError":""
},
"transactionId":null,
"traceId":null,
"timestampStart":"2019-05-16T21:30:55.174Z",
"timestampEnd":"2019-05-16T21:30:55.174Z",
"companyIDCode":"",
"channelIDCode":"",
"branchCode":"",
"searchFields":{
"key_3":"value",
"key_2":"value",
"key_1":"value"
},
"annotation":{},
"caller":{
"id":"",
"version":"",
"acronym":""
},
"called":{
"id":"",
"version":"",
"acronym":""
},
"storage":{
"id":"",
"start":"",
"end":""
}
}
},
"headers":[],
"payLoad":{
"input":{
"encoding":"1024",
"ccsid":"1024",
"data":"dati_in"
},
"output":{
"encoding":"1024",
"ccsid":"1024",
"data":"dati_out"
}
}
}
The attended result is something like that:
calledid -> aaa
callerversion -> 1
callerid -> bbb
We tried something like that
[calledid]
REGEX =(?<=called).*"id":"(?P<calledid>.*?)(?=")
FORMAT = calledid::"$1"
WRITE_META =true
but it dowsn't work cause it matches until the last id he finds. Such as:
":{"id":"","version":"","acronym":""},"storage":{"id":"
Thanks in advance.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
