Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About ak9092
ak9092
Path Finder
Member since:
11-01-2019
Community Statistics
| Posts | 30 |
| Solutions | 1 |
| Karma Given | 9 |
| Karma Received | 1 |
| Member Since | 11-01-2019 |
Activity Feed
- Karma Re: How to create a report that appends the data of every past month in the excel before sending for ITWhisperer. 09-25-2020 05:35 AM
- Posted Re: How to create a report that appends the data of every past month in the excel before sending on Splunk Search. 09-25-2020 02:07 AM
- Posted Re: How to create a report that appends the data of every past month in the excel before sending on Splunk Search. 09-08-2020 05:41 AM
- Tagged How to create a report that appends the data of every past month in the excel before sending on Splunk Search. 09-06-2020 07:34 AM
- Posted How to create a report that appends the data of every past month in the excel before sending on Splunk Search. 09-06-2020 07:28 AM
- Posted Re: How to calculate for what duration the status was in a particular state on Splunk Enterprise Security. 08-31-2020 02:42 AM
- Karma Re: How to calculate for what duration the status was in a particular state for thambisetty. 08-31-2020 02:42 AM
- Karma Re: Bar Chart Color change for dynamically changing string values of one field for niketnilay. 08-31-2020 01:47 AM
- Posted Re: Bar Chart Color change for dynamically changing string values of one field on Dashboards & Visualizations. 08-31-2020 01:46 AM
- Posted How to calculate for what duration the status was in a particular state on Splunk Enterprise Security. 08-30-2020 04:12 AM
- Tagged How to calculate for what duration the status was in a particular state on Splunk Enterprise Security. 08-30-2020 04:12 AM
- Posted Re: Bar Chart Color change for dynamically changing string values of one field on Dashboards & Visualizations. 08-30-2020 02:49 AM
- Tagged Bar Chart Color change for dynamically changing string values of one field on Dashboards & Visualizations. 08-28-2020 01:09 AM
- Tagged Bar Chart Color change for dynamically changing string values of one field on Dashboards & Visualizations. 08-28-2020 01:09 AM
- Posted Bar Chart Color change for dynamically changing string values of one field on Dashboards & Visualizations. 08-28-2020 01:08 AM
- Posted Re: Drilldown to Show Source on Dashboards & Visualizations. 08-07-2020 05:52 AM
- Posted Re: How to format raw events into splunk table when the events are already in tabular format on Getting Data In. 07-10-2020 05:06 AM
- Karma Re: How to format raw events into splunk table when the events are already in tabular format for bowesmana. 07-10-2020 05:06 AM
- Posted Re: How to format raw events into splunk table when the events are already in tabular format on Getting Data In. 07-08-2020 11:09 PM
- Posted Re: How to compare and match timestamp of one field with the latest timestamp of other field before calculating duration on Splunk Search. 07-08-2020 05:00 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 |
09-25-2020
02:07 AM
Thank You @thambisetty for your response , but its not appending the results as i want. Its creating whole new row of results. So for e.g - i currently i have following data present in my csv file title 07 Jul 2020 08 Aug 2020 Title1 99.998 99.561 Title2 99.700 99.760 Title3 99.989 99.973 now when i append the new data for the month of September, then I want it to append just the Months column like below - title 07 Jul 2020 08 Aug 2020 09 Sep 2020 Title1 99.998 99.561 99.577 Title2 99.700 99.760 99.389 Title3 99.989 99.973 99.123 but its appending the results like below. title 07 Jul 2020 08 Aug 2020 09 Sep 2020 Title1 99.998 99.561 Title2 99.700 99.760 Title3 99.989 99.973 Title1 99.577 Title2 99.389 Title3 99.123 How do i fix this ?
... View more
09-08-2020
05:41 AM
Hi @thambisetty , thank you. I am now able to get the data in below format in splunk - title 07 Jul 2020 08 Aug 2020 title 07 Jul 2020 08 Aug 2020 Title1 99.998 99.561 Title2 99.700 99.760 Title3 99.989 99.973 is there a way to just append it to a csv file every month ? For example i will store this file on search head and on 1st of October i will like to append data for month of September in the csv before sending. If so ,then what changes i would need to make in following search so that it just adds the latest months data - my search .. | fillnull value=1000 response_code | eval success=case(response_code>=400, 0, timed_out == "True", 0, response_code="",0) | fillnull value=1 success | eval month=strftime(_time,"%m %b %Y") | stats count as total, sum(success) as successes by title month | eval availability=round(100*(successes/total),3) | chart list(availability) over title by month | eval month=replace(month, "\d+ (.*)","\1") Also I had added the month_num(%m) to sort the data by month but when i am trying to remove it using replace its not working. what am i doing wrong there any idea ?
... View more
09-06-2020
07:28 AM
Hi, I want to create a report through splunk that will send out an email consisting data of each months stats by auto appending the excel file with the past months data before sending. Following is my query which gives me the required data. Now i don't know how to distribute that data by month and then append in some excel file and send it through over email. my search.. | fillnull value=1000 response_code | eval success=case(response_code>=400, 0, timed_out == "True", 0, response_code="",0) | fillnull value=1 success |stats count as total, sum(success) as successes by title | eval availability=round(100*(successes/total),2) |stats count by title availability I want the data in excel file to look something like below - I want this to be done automatically through Splunk Schedule reports at the beginning of each month. Can someone please help me figure out a way if its possible through Splunk ? Thanks in advance.
... View more
Labels
- Labels:
-
lookup
08-31-2020
02:42 AM
@thambisetty this helps.. Thank You!!
... View more
08-31-2020
01:46 AM
oops ..my bad @niketnilay . Actually i did use sort before, but was viewing data in stats table itself and since the values was separated didn't paid much attention that it had already sorted 🙂 ..anyways thanks again for your help
... View more
08-30-2020
04:12 AM
Hi, I have a transaction that goes through multiple Status before its completed. Now the challenge I am facing here is , one status can be mapped multiple time before the transaction is completed and in some cases the same status can keep repeated until its move to the next state - For example ,my logs look something like below for one transaction ID - (Note-there can be many more statuses other than the one's below) 2020-08-27 08:00:40.000, ID="20", STATUS="CREATE" 2020-08-27 08:01:11.000, ID="20", STATUS="POST" 2020-08-27 08:01:42.000, ID="20", STATUS="POST" 2020-08-27 08:02:24.000, ID="20", STATUS="POST" 2020-08-27 08:03:46.000, ID="20", STATUS="REPAIR" 2020-08-27 08:03:56.000, ID="20", STATUS="PENDING" 2020-08-27 08:04:00.000, ID="20", STATUS="UPDATE" 2020-08-27 08:04:12.000, ID="20", STATUS="UPDATE" 2020-08-27 08:04:30.000, ID="20", STATUS="POST" 2020-08-27 08:04:46.000, ID="20", STATUS="COMPLETE" 2020-08-27 08:04:56.000, ID="20", STATUS="COMPLETE" Now , What i want to do is calculate the total duration of time a transaction spent in a particular status. So the final results should look something like below - ID STATUS max(_time) duration (sec) 20 CREATE 2020-08-27 08:00:40.487 31 20 POST 2020-08-27 08:02:24.265 155 20 REPAIR 2020-08-27 08:03:46.529 10 20 PENDING 2020-08-27 08:03:56.097 4 20 UPDATE 2020-08-27 08:04:12.715 30 20 POST 2020-08-27 08:04:30.366 16 20 COMPLETE 2020-08-27 08:04:56.517 As of now, with below query I am able to map the status according to time but the duration is not being calculated accurately. Can someone please help me figure this out. my search ... | sort 0 _time | streamstats current=false last(STATUS) as newstatus by ID | reverse | streamstats current=false last(_time) as next_time by ID | eval duration=next_time-_time | reverse | streamstats count(eval(STATUS!=newstatus)) as order BY ID | stats max(_time) as _time, sum(duration) as "duration(sec)" BY ID order STATUS Thanks in advance.
... View more
Labels
- Labels:
-
correlation search
08-30-2020
02:49 AM
@niketnilay Thanks a lot for documenting it once again, this was something i was looking for . Just one more question though - how do i sort the statuses by count ?
... View more
08-28-2020
01:08 AM
Hello, I have very basic query which is giving me the desired results and visualization but even after lot of researching what I am not able to do is color the bars according to the field values. Below is something what my query looks like - my search ...| chart count by status now this status fields has around 15-20 status values like complete,pending, repair, canceled, posted,etc, etc.. so as of now my Bar chart has Status field on X-axis with the field values name mapped to it like complete, cancelled,etc and my Y -axis has the count of those statuses. Now what i want is to keep the visualization as it is and change colors of few statuses like green for Complete, red for canceled, amber for repair and so on. I tried charting.fieldColors">{"COMPLETE":#32a838,"CANCELED":#e81324,"REPAIR":#FFC200} but is not helping. I also tried to transposing rows to column with which i am able to change the colors but then the mapping of field values onto to the Y-axis is being removed and converted to legends, which is not looking good. Can this be achieved by keeping my current visualization intact ? I have gone through multiple pages here on Splunk Answers but no luck. Thanks in advance.
... View more
Labels
- Labels:
-
chart
-
panel
-
simple XML
08-07-2020
05:52 AM
Hi @rwardwell , Have you had any luck in achieving this ? If yes, then can you please share your inputs as I am struggling with the same.
... View more
07-10-2020
05:06 AM
@bowesmana perfect ..Thanks!
... View more
07-08-2020
11:09 PM
Hi @bowesmana , this seems to be doing the trick but i am unable to filter events by any of that extracted fields. So for Example - i want to get event which are in STOP state, but when i tried executing below query it didn't returned any results ....|table LM GRP SR ID STATE SDL QUEUE SK FAIL | where STATE=STOP
... View more
07-08-2020
05:00 AM
Yes that is correct, but it should not consider that. It should look for all time2 timestamps and map the closest time1 timestamps in line with that time2 timestamps . So in the above example you can see that time2 field has only one timestamp entry i.e. - 07/07/2020 08:30:10 so this entry should be mapped against the latest near by timestamp in time1 field which would be 07/07/2020 08:27:19 and as of now it is showing against 07/07/2020 07:11:06 in time1 field, which is not correct. So say if i add one more timestamp entry in time2 field of 07/07/2020 07:18:25 in above example ,so this entry should be mapped against the timestamp of 07/07/2020 07:15:05 in time1 field as it is the latest near by timestamp for the added timestamp in time2 field. So now the result should look something like name time1 time2 url1 07/07/2020 07:15:05 07/07/2020 07:18:25 07/07/2020 08:27:19 07/07/2020 08:30:10 Actually there is no specific formula to it, just trying to figure out how to build the logic to get the desired result.
... View more
07-07-2020
12:03 AM
Hi @to4kawa , Thank you for your response In the given query i am getting only min and max time results for time1 field i.e. it will consider only two entries in time1 field while matching the time2 field which should not be the case as there can be multiple entries. Also i cannot group my results by time2 field as this is coming from other search. Basically there are two searches which I am using ,one returns 'time1' field and other returns 'time2' field and both searches have common 'name' field. So basically what i want is, once the results are returned, the time2 field should match the latest timestamp in time1 field before calculating the duration. So for example - say 'time1' fields have returned below five timestamps in results and 'time2' fields has returned just one timestamp(can also be more), so currently my result in splunk will look something like name time1 time2 url1 07/07/2020 07:11:06 07/07/2020 08:30:10 07/07/2020 07:15:05 07/07/2020 08:20:10 07/07/2020 08:27:19 07/07/2020 09:11:05 What i would like to have is just the latest timestamp match of time1 field next to time2 field - name time1 time2 url1 07/07/2020 08:27:19 07/07/2020 08:30:10
... View more
07-06-2020
11:02 PM
Hi , I have following data coming into splunk in one event and i want these event to be formatted in proper splunk table. 200 - OK -------------------------------------------------------------------------------------------- - | LM | GRP | SR | ID | STATE | SDL | QUEUE | SK | FAIL | |------------------------------------------------------------------------------------------ - | | gpp1 | GROUP | hv | 231 | START | -- - | HV | 15272 | 1 | | gpp2 | GROUP | hv | 233 | START | -- - | HV | 15226 | 2 | | gpp2 | GROUP | hv | 234 | START | -- - | HV | 11546 | 2 | | gpp1 | GROUP | hq | 240 | STOP | -- - | | 0 | 1 | | gpp2 | GROUP | hq | 242 | START | -- - | | 0 | 1 | So i want to create fields with above table headers like LM,GRP,ID,STATE,etc. and these fields should consist all the values present underneath it I tried extracting the fields and also used multikv command but no luck.
... View more
Labels
- Labels:
-
field extraction
07-03-2020
03:47 AM
@to4kawa if possible , can you also please take a look at https://community.splunk.com/t5/Splunk-Search/How-to-compare-and-match-timestamp-of-one-field-with-the-latest/td-p/506306 Thanks in advance.
... View more
07-03-2020
01:37 AM
Thank You for the suggestion @to4kawa but it wont work in my case as the index names are different in some cases.
... View more
07-03-2020
01:06 AM
@surekhasplunk if you're asking if some file is created in Splunk environment before indexing the events coming over HEC, then that's not the case as i believe HTTP events directly gets indexed to the specified index name in the input stanza.
... View more
06-29-2020
05:07 AM
Hi to4kawa, It will be difficult for me to provide you the sample logs but below query might give you an idea of how the logs are - Basically there are four searches which i am using to formulate this results |index=foo "ID created" | eval time=_time | eval status1="CREATED" | table ID status1 time |append [search index=foo "Change ID Status into" |eval time=_time | convert ctime(time) |table ID1 status time] | append [search index=foo UpdateMsgStatus COMPLETE | eval time=_time | table ID statusc time | rename time as Completed_time | convert ctime(Completed_time)] | append [search index=foo ID = '*', MSG_STATUS = 'COMPLETE', | eval time=_time | table id msg_status time | rename time as complete_time | convert ctime(complete_time)] | eval time=coalesce(time,complete_time,Completed_time) | eval ID=coalesce(ID,ID1,id) | eval status=coalesce(status,status1,statusc,msg_status) | table ID status time So in this, 2nd search will have all the statuses except the ID created one, but the Complete status might be logged in any of the last 3 searches and in some cases it is logged in all three with different timestamps or may be two of them ,so I want it to be logged only once in the results irrespective of its repetition i.e the first entry which is found for status Complete for that particular ID
... View more
06-28-2020
11:44 PM
Thank You @to4kawa , this seems to be working fine. I was wondering, if is there a way to dedup just one value from the status field ? For e.g. - status like Repair, POST can be repeated multiple time and that is fine, as i want that repetition to be shown in timeline but in some case 'Complete' can also be updated multiple times as it sends complete messages through different strings, but i don't want this repetition. So can i dedup the status with just one value and not the entire field ?
... View more
06-28-2020
11:26 PM
These timestamps are coming from two different searches which i am later grouping them by one common field. Basically it is like - my search .. |table name time1 |append[search ... table name time2] stats list(time1) as time1 list(time2) as time2 by name So in my first search, I am reading a log file which appends timestamp every time the HTTP service is restarted through our set script. and my second search is coming from the HTTP monitoring set, which is giving me the time when the URL was down. Now from my second search ,I also can get the time of when the URl came up but I wont be sure if it came up through set script or any other way. So time1 field will update the timestamp every time when the http service goes down, but time2 field will only be updated if the script was triggered. So basically what i want is that, whenever the time2 field is updated, it should have exact corresponding timestamp in time1 field which would be nothing but the latest timestamp match of time1 field as compare to time2 field. For e.g - let us consider in last 24 hour our url went down multiple times but only twice it came up by our script. So currently from my search results will be just sorted according to time like - name time1 time2 url1 10am 11:08 11 17:05 13 14 17 What i want is something like - name time1 time2 url1 11 11:08 17 17:05
... View more
Contact Me
Karma given to
