Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About shashank_24
shashank_24
Path Finder
Member since:
06-12-2020
07-19-2023
Community Statistics
| Posts | 76 |
| Solutions | 0 |
| Karma Given | 17 |
| Karma Received | 1 |
| Member Since | 06-12-2020 |
Activity Feed
- Posted How extract data from SOAP request? on Splunk Enterprise. 11-03-2022 04:55 PM
- Posted How to plot a graph with field having duplicate values on Splunk Search. 09-22-2022 03:58 AM
- Posted Re: How to create an alert on traffic drop Deviation? on Splunk Enterprise. 09-06-2022 01:46 AM
- Karma Re: Alert on traffic drop Deviation for ITWhisperer. 09-06-2022 01:45 AM
- Posted How to create an alert on traffic drop Deviation? on Splunk Enterprise. 09-05-2022 04:22 AM
- Posted Re: Create Alert based on consistent results on Alerting. 05-13-2022 06:07 AM
- Posted How to create consistent monitoring and alerts based on high response time of my landing page? on Alerting. 05-13-2022 04:41 AM
- Posted How to create an alert that Detects anomalies or outliers in Splunk? on Splunk Enterprise. 05-10-2022 04:47 PM
- Tagged How to create an alert that Detects anomalies or outliers in Splunk? on Splunk Enterprise. 05-10-2022 04:47 PM
- Posted How to create Alert trigger for only when there is consistent failure rates on Splunk Enterprise. 04-20-2022 03:19 AM
- Posted How to extract using Browser Version from useragent on Splunk Enterprise. 02-13-2022 03:15 PM
- Posted Re: Trigger Alert and avoid false p[positives on Splunk Enterprise. 02-05-2022 04:24 PM
- Posted Re: Trigger Alert and avoid false p[positives on Splunk Enterprise. 02-04-2022 04:23 PM
- Karma Re: Trigger Alert and avoid false p[positives for impurush. 02-04-2022 04:16 PM
- Posted Trigger Alert and avoid false p[positives on Splunk Enterprise. 02-04-2022 02:16 AM
- Posted Re: Extract browser type and device from User agent on Splunk Search. 12-07-2021 01:58 AM
- Posted Re: Extract browser type and device from User agent on Splunk Search. 12-06-2021 05:14 AM
- Karma Re: Extract browser type and device from User agent for richgalloway. 12-06-2021 05:12 AM
- Posted Extract browser type and device from User agent on Splunk Search. 12-05-2021 11:23 AM
- Karma Re: Splunk integration with OpsGenie for scelikok. 12-05-2021 11:12 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
03-08-2021
05:35 PM
Hi, I have a weird requirement where I have to count the distinct values of a multi value field. So I have a xml where a particular node can appear one time or multiple times and there are many nodes like this. How do i count the distinct number of nodes using a request ID? Basically I am looking something like this - request ID nodes Count 12345 networkpremise networkdetails mysubscription 2 3 2 3456778 networkpremise networkdetails mysubscription 6 2 4 And so on.. Not exactly like above but if there are some other interpretations which can give a better view please let me know. I've looked into some of the posts like this but the solution has not worked for me https://community.splunk.com/t5/Splunk-Search/Can-I-get-a-count-of-distinct-values-in-multivalue-field/m-p/59488 Let me know if someone can help on this. This is my query which I was trying to do from the above referebnc index=test_prod MyServiceGateway "SoapMessage Incoming"
| rex field=_raw "\<(?<nodes>[^\>]+)\>\s+?\<action\>" max_match=0
| rex field=_raw "\>(?<requestID>[^\<]+)\<\/ns:requestID>" max_match=0
| table requestID nodes
| untable requestID field value
| makemv delim="," value
| mvexpand value
| stats count by requestID field value
| eval pair=value." (".count.")"
| stats list(pair) as values by requestID field
... View more
Labels
03-05-2021
07:29 AM
Thanks @richgalloway. That almost solved my purpose. Just one more thing - So right now my alert trigger condition is like this - I should have mentioned in the question Sorry. | where (status=500 AND count > 50) OR (status=503 AND count > 30) OR (status=502 AND count > 30) So is it possible to count the total individually by status and then trigger the alert?
... View more
03-05-2021
06:59 AM
Hi, I am working an setting up a alert where I need to count if there have been more than 50 count of errors in last 30 minutes. And if there is then I need to send the alert with those pages and count. Something like below requested_content Status Count /my-app/1.html 500 20 /my-app/2.html 500 40 60 Now the alert should only trigger if the sum of these counts > 50 like above. I have written a query but it only gives the count and not the pages which are throwing the error. I want to see the pages too index=myindex_prodsourcetype=ssl_access_combined requested_content="/my-app/*" status=50*
| stats count by status
| where count > 50 Can someone able to advice on this how to achieve this? I want the alert to be triggered and it should output the tabular format with pages and it's count with total count > 50
... View more
Labels
- Labels:
-
metrics
-
using Splunk Enterprise
01-27-2021
10:29 AM
Hi, I am working on a query to write an alert where i need to monitor few pages for 500 Errors. Now currently there are some investigations going on to fix those errors so we usually get few every 30 minutes. So basically at the moment not every 5xx is a problem and I know it's hard for us to see, which of those are "real problems" and which not. What I want to do is something like adjust our thresholds in the Splunk search so that it only recognise peaks, which are surely something "going wrong" and then trigger the alert. I have a alert like this at the moment which is triggered every 30 minutes. index=myindex sourcetype=ssl_access_combined requested_content="/myapp*" NOT images status=50*
| stats count by status
| where (status=500 AND count > 10) Right now it gets triggered when the count of 500 error is 10 in last 30 minutes but I don't want that as it is unnecessary flooding the mailbox. Is there a way to achieve what I am required here please?
... View more
01-24-2021
03:43 PM
Hi, I am working on a query where I need to calculate the average of 99th percentile values over a 5 minute period of time for last 24 hours by serviceName. serviceName is nothing but the web service called by consumer and i am looking to have the response time of some services. Below is my query - index=myapp_prod sourcetype=service_log serviceName=service1 OR serviceName=service2 OR serviceName=service3
| eval responseTime= responseTime/1000000
| timechart span=5m p99(responseTime) as 99thPercentile by serviceName useother=false which gives a table like this - _time service1 service2 service3 00:05 1.2 0.8 2.4 00:10 1.7 0.34 2.8 00:15 1.5 1.2 3.4 What i want is calculate the average of these and put it in another table. Something like this - serviceName responseTime service1 1.37 service2 0.4 service3 2.1 Hope someone can help.
... View more
12-11-2020
07:36 AM
@to4kawa No just the clientip. Sample event below - 81.96.207.94 - - [10/Dec/2020:23:24:25 +0000] "GET /checkout/success HTTP/1.1" 200 4965 122326 "https://www.myapp.com/join/checkout" "Mozilla/5.0 (iPhone; CPU iPhone OS 14_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Mobile/15E148 Safari/604.1" TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
... View more
12-10-2020
04:05 PM
Hi, I've a weird requirement from one of my stakeholders. So I have this sales application which contains many flows starting with landing page till checkout. All these pages count and their response time is being logged in my access logs. There is no session ID available in the logs because of reverse proxy and only clientip is available. What I want to find out is How much time a journey took for a customer If there was any time delay during the flow where it was exactly at what page My sales application pages look like this - Landing page - /products select installation type - /installation direct-debit page - /direct-debit credit check page - /credit-check review basket - /review successful checkout - /checkout/success I have this base query where i was trying to attempt something but don't know where to start. Let me know if anyone can guide me on this. It will be highly appreciated. index=myapp_prod sourcetype=ssl_access_combined Method=GET requested_content="/products" OR requested_content="/installation" OR requested_content="/direct-debit" OR requested_content="/credit-check" OR requested_content="/review" OR requested_content="/checkout/success"
| stats count(eval(requested_content LIKE "/products")) as "landing-page" .
... View more
Labels
- Labels:
-
using Splunk Enterprise
09-18-2020
08:47 AM
@ITWhisperer Something like this. This is just the count and eventually I would to calculate the percentage which could be easy once i get the count like below _time my-offer-dropoff direct-debit-dropoff credit-check-dropoff review-basket-dropoff confirm-order-dropoff 2020-09-17 08:00 100 50 40 40 30
... View more
09-18-2020
04:17 AM
@ITWhisperer yes that's correct. So for example if let's say in an hour from 8-9, 100 customer landed on page /my-offer, 50 of them moved ahead and accepted the offer and filled the direct-debit details /direct-debit, 30 of them moved to /confirm-order page etc.
... View more
09-18-2020
01:37 AM
@ITWhisperer Thanks for your response but this is not working and not what i want actually. I am looking for a table like this - Basically it tells me that on a particular day how much is the drop off rates at given hour on a particular page. As an example on 17th Sept at 08:00, 70% of the customers dropped at the starting page /my-offer, some of them moved to direct-debit but still 50% drop there and then so on. Hope it make sense. _time my-offer-dropoff_perc direct-debit-dropoff_perc credit-check-dropoff_perc review-basket-dropoff_perc confirm-order-dropoff_perc order-complete-dropoff_perc 2020-09-17 08:00 70 50 40 25 20 5 2020-09-17 09:00 2020-09-17 10:00 @ITWhisperer @richgalloway @to4kawa
... View more
09-17-2020
09:06 AM
@thambisetty Ok it make sense. So even if i want to just exclude the time from 02:00 to 02:30 then also I would have to create multiple crons/searches. Right?
... View more
09-17-2020
04:42 AM
@ITWhisperer Hey I have edited the question. Could you kindly refer it to once again. It will give a better view of what I want. Actually I only want to calculate it for specific journey and the only common field between those pages is uniqueId.
... View more
09-17-2020
04:02 AM
Hi, I am working on a query in Splunk to calculate the drop off rate and percentage of the customer journey drop outs. When customer comes to purchase an order it goes via different pages and I want to calculate where actually most of the customers are dropping off. Journey Pages - /checkout/my-offer -> /checkout/your-details -> /checkout/direct-debit-> /checkout/creditcheck -> /checkout/review-basket -> /checkout/confirm-order -> /checkout/order complete index=test_prod sourcetype=access_combined_wcookie req_content=/checkout/your-details OR req_content=/checkout/direct-debit OR req_content=/checkout/creditcheck OR req_content=/checkout/review-basket OR req_content=/checkout/confirm-order OR req_content=/checkout/order complete
| timechart span=1h count The problem is I only want to calculate the drop outs for a specific journey which starts with this page and all other pages like /checkout/your-details can come in other journeys as well. the only link between the pages for the journey is a field called uniqueId Is it possible to calculate the percentage of drop outs during this journey?
... View more
09-17-2020
03:15 AM
Hi, I have an alert which runs every 15 minutes as of now but what i want is to NOT trigger from 1:30 AM to 2:30 AM everyday. That's the time when my server cache gets flushed and the spike in the response time is usual. So I don't want to trigger the alert at this time. Due to this we are getting false alarms. How do i achieve this. My query is - index=test sourcetype=access_combined_wcookie POST requested_content=/checkout/your-order*
| timechart span=15m avg(response_time_sec) as AvgResponseTime by host
| eval AvgResponseTime=round(AvgResponseTime,3)
... View more
Labels
- Labels:
-
alert action
-
alert condition
09-08-2020
06:35 AM
@thambisetty Thank you. after some modification to the query as per my need, I was able to get the relevant data. I will accept this answer. Thanks again.
... View more
09-08-2020
03:23 AM
@ITWhisperer I have edited the question and posted some sample events. This may help you to visualise what i need to do. Let me know if you could help.
... View more
09-08-2020
03:23 AM
@ITWhisperer @thambisetty I have edited the question and posted some sample events. This may help you to visualise what i need to do. Let me know if you could help.
... View more
09-08-2020
03:00 AM
@thambisetty Thanks for your response but that is the problem. I can't use join command because of the sub-search limitation. I get this error "Subsearch produced 50000 results, truncating to maxout 50000" So I have to use either stats or transaction command to join the queries.
... View more
09-08-2020
02:56 AM
@ITWhisperer It's not working. It is counting the other event as well which is giving me incorrect stats. I only want the count of this events but the other event is just to get the count only from clientId=web. Really struggling to get the correct stats (source="server.log" "In processPasswordCredential" "found and success")
... View more
09-08-2020
01:12 AM
@thambisetty Hi, I want a table like this - Time Count 2020-09-08 17:00 9878 2020-09-07 14:00 4567 2020-09-06 12:00 2345 Total successful count with time in hours. Basically how many successful logins are happening in an hour for let's say last 30 days.
... View more
09-07-2020
05:40 AM
@thambisetty Well I havr thought of this but this will give me count of 1st event as well which is not right. isn't it? I only want the count of 2nd event which says "found and success". The reason I am joining 2 events because I am not getting clientId field in the 2nd event and I only want the count for clientId=web
... View more
09-07-2020
05:37 AM
@ITWhisperer That's because I only need the data for clientId=web. There are other clientId's as well like mobile app and other. I don't want their count. What i want is successful attempts from clientId web. And in the 2nd event I don't get clientId field so I have to join 2 events.
... View more
09-07-2020
05:18 AM
Hi, I am stuck at a query problem. So what i need to do is join 2 events and get the hourly stats and peak hour successful login attempts. The sample events are - 2020-09-07 23:59:59,641 trackingid="id:638rdchdfe7vhs" event=AUTHN_ATTEMPT subject="" ip=8.2.8.44 app= clientId=WEB protocol="" role=IdP status=inprogress attributes="" description="" responsetime=39 messagetype="Request"
2020-09-07 23:59:59,641 trackingid="id:ljsdhff76duhj" event=AUTHN_ATTEMPT subject="" ip=8.2.8.24 app= clientId=MOBAPP protocol="" role=IdP status=inprogress attributes="" description="" responsetime=39 messagetype="Request"
2020-09-07 23:59:59,641 trackingid="id:8675hbcdksjdfub" event=AUTHN_ATTEMPT subject="" ip=8.6.8.24 app= clientId=SKYAPP protocol="" role=IdP status=inprogress attributes="" description="" responsetime=39 messagetype="Request" as you can see the status right now is "inprogress" and different clientId's (WEB, MOBAPP, SKYAPP) and once customer logs in successfully the below event is logged. 2020-09-07 23:59:46,772 tid:638rdchdfe7vhs INFO [org.class.MediaCredentialValidator] in processPasswordCredential VERIFIED user=test@gmail.com found and success I want to calculate the hourly volume of successful logins from clientId=WEB The common field in the events is id which i am extracting and what is want is a table with _time and count column on hourly basis. Query - index=test (sourcetype=splunk_log event=AUTHN_ATTEMPT clientId=web status=inprogress) OR (source="server.log" "In processPasswordCredential" "found and success")
| rex field=_raw "sessionid\=\"id\:(?<id>[^\"]+)"
| stats count by tid Let me know if someone can advice on this. @richgalloway @gcusello
... View more
Labels
- Labels:
-
using Splunk Enterprise
09-03-2020
06:24 AM
@ITWhisperer Thank you for this brilliant suggestion. I tried this and it worked by using fullnull and left join. @richgalloway Thank you for the query. Stats also worked. I will actually need it when i run it for longer period as for that the sub-search won't work due to limitation. So Both of you are stars and saved my day 🙂
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
07-19-2023
07:51 AM
|
Karma given to
