×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
yahoohunk
Explorer
Member since: ‎03-11-2015
‎06-05-2020
Community Statistics
Posts 5
Solutions 1
Karma Given 2
Karma Received 0
Member Since ‎03-11-2015
Activity Feed
View All

Re: How do we count the fields inside a JSON array...

by in Splunk Search
‎04-11-2016 10:51 AM
‎04-11-2016 10:51 AM
Thanks for the suggestion martin_mueller. We got what we wanted by using the following. index="test_index" | spath input=log | regex templateId = "10|15" | stats count(eval(source == "mail")) AS COUNT by id,messages{} ... View more

How do we count the fields inside a JSON array?

by in Splunk Search
‎04-08-2016 04:02 PM
‎04-08-2016 04:02 PM
Each log entry contains some json. There is a field that is an array. I want to count the items in that array. Example json data { "field1": "sample", "messages": [ "noop", "missing", "error", "unknown" ] } We've tried index="test_index" | spath input=log | regex id = "a|b" | stats count(messages) Our desired output is something like: id message count a noop 5 a error 8 ... View more

Re: vix.input.1.et.regex - Log directory only cont...

by in Getting Data In
‎07-10-2015 05:08 PM
‎07-10-2015 05:08 PM
The directory and file looks like the following in HDFS. /projects/test/test_logs/api/2015/07/07/api_server.log.2015-07-07.gz A line in the log looks like [Thu Jul 09 02:03:02 2015] [error] [client 127.0.0.1] log={"messages": "test"} Ran the search index="api" Smart Mode Used the "Date Range" option with Between "07/07/2015" and "07/07/2015". Time Column Results 7/7/15 12:00:15.000 AM Event Column Results [Tue Jul 07 00:00:15 2015] [error] log={"messages": "test"} 29,000 events In the results listings, I don't see anything beyond 00:00 Used the "Date Range" option with Between "07/07/2015" and "07/08/2015". Time Column Results 7/7/15 12:00:15.000 AM Event Column Results [Tue Jul 07 00:00:15 2015] [error] log={"messages": "test"} 76,000,000 events In the results listings, I don't see anything beyond 00:00 Question: It says 76 mil events matched, but results list only hour 0. ... View more

Re: vix.input.1.et.regex - Log directory only cont...

by in Getting Data In
‎07-10-2015 03:42 PM
‎07-10-2015 03:42 PM
I have not configured the timestamp recognition. Will try that and the timezone and see if it works. ... View more

vix.input.1.et.regex - Log directory only contains...

by in Getting Data In
‎07-09-2015 04:38 PM
‎07-09-2015 04:38 PM
When I perform a query "index=api" with date range for example 07/07/2015 - 07/07/2015, I only get results within the first second of midnight on 07/07/2015. But if I perform the same query with date range 07/07/2015 - 07/08/2015, I get more results from the 07/07/2015 day. It includes more than just midnight. Does not having hours and minutes in the directory affect the search? In Splunk, using the 07/07/2015-07/07/2015 gets me all results of that day. My HDFS logs are partitioned by year/month/day. virtual index [api] vix.provider = testprovider vix.input.1.path = /projects/test/test_logs/api/... vix.input.1.accept = . vix.input.1.et.regex = /projects/test/test_logs/.+/(\d\d\d\d)/(\d\d)/(\d\d)/.+ vix.input.1.et.format = yyyyMMdd vix.input.1.et.offset = 0 vix.input.1.lt.regex = /projects/test/test_logs/.+/(\d\d\d\d)/(\d\d)/(\d\d)/.+ vix.input.1.lt.format = yyyyMMdd vix.input.1.lt.offset = 86400 ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma given to
View All