Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About aditsss
aditsss
Motivator
Member since:
08-16-2020
11-21-2024
Community Statistics
| Posts | 599 |
| Solutions | 0 |
| Karma Given | 118 |
| Karma Received | 7 |
| Member Since | 08-16-2020 |
Activity Feed
- Posted How to fetch the word from logs on Dashboards & Visualizations. 11-21-2024 02:43 AM
- Posted Re: How to fetch a word from logs on Dashboards & Visualizations. 11-18-2024 03:24 AM
- Posted Re: How to fetch a word from logs on Dashboards & Visualizations. 11-18-2024 03:11 AM
- Posted Re: How to fetch a word from logs on Dashboards & Visualizations. 11-13-2024 08:55 PM
- Posted Re: How to fetch a word from logs on Dashboards & Visualizations. 11-13-2024 06:57 AM
- Posted Re: How to sort on multiple values on Dashboards & Visualizations. 11-13-2024 02:42 AM
- Posted Re: How to fetch a word from logs on Dashboards & Visualizations. 11-12-2024 10:25 PM
- Posted Re: How to sort on multiple values on Dashboards & Visualizations. 11-12-2024 07:53 PM
- Posted Re: How to sort on multiple values on Dashboards & Visualizations. 11-12-2024 11:28 AM
- Posted Re: How to sort on multiple values on Dashboards & Visualizations. 11-12-2024 08:42 AM
- Posted Re: How to sort on multiple values on Dashboards & Visualizations. 11-12-2024 07:09 AM
- Posted How to fetch a word from logs on Dashboards & Visualizations. 11-12-2024 07:08 AM
- Posted Re: How to sort on multiple values on Dashboards & Visualizations. 11-12-2024 06:32 AM
- Posted How to sort on multiple values on Dashboards & Visualizations. 11-12-2024 05:42 AM
- Karma Re: how to extract below fields from raw logs for richgalloway. 12-05-2023 07:02 PM
- Karma Re: how to extract below fields from raw logs for gcusello. 12-05-2023 07:02 PM
- Karma Re: how to extract below fields from raw logs for inventsekar. 12-05-2023 07:01 PM
- Posted how to extract below fields from raw logs on Dashboards & Visualizations. 12-01-2023 11:19 AM
- Posted Re: Not getting incident from Splunk on time on Dashboards & Visualizations. 11-29-2023 11:44 PM
- Posted Re: Not getting incident from Splunk on time on Dashboards & Visualizations. 11-28-2023 11:45 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
11-21-2024
02:43 AM
Hi Team, Can someone guide me how to fetch a word(highlighted ) from below logs AccountMonthendReset - Total number of records reset after monthend:111439411 AccountBalanceMonthendSnapshot - Total number of records in Monthend Cache:111439411 MonthlyCollateralProcessor - compareCollateralStatsData : statisticData: StatisticData [selectedDataSet=0, rejectedDataSet=0, totalOutputRecords=0, totalInputRecords=0, fileSequenceNum=0, fileHeaderBusDt=null, busD t=10/31/2024, fileName=SETTLEMENT_MONTHEND_COLLATERAL_CONSUMER_CHARGE, totalAchCurrOutstBalAmt=4.57373200875E9, totalAchBalLastStmtAmt=4.57373200875E9, total ClosingBal=4.57373200875E9, sourceName=null, version=1, associationStats={}] with collateralSum 4.57373200875E9 openingBal 4.53003366393E9 ageBalTot 4.57373200875E9 busDt 10/31/2024 Can someone please guide how to fetch highlighted words
... View more
11-18-2024
03:24 AM
Hi @ITWhisperer .
PFB search string in code block
index="abc" sourcetype=600000304_gg_abs_ipc2 source!="/var/log/messages" "ArchivalProcessor - Total records processed"| rex "Total records processed -(?<processed>\d+)"
| timechart span=1d values(processed) AS ProcessedCount
... View more
11-18-2024
03:11 AM
@ITWhisperer I tried below query but still not able to fetch record index="abc" sourcetype=600000304_gg_abs_ipc2 source!="/var/log/messages" "ArchivalProcessor - Total records processed"| rex "Total records processed -(?<processed>\d+)" | timechart span=1d values(processed) AS ProcessedCount Please find below raw logs 2024-10-29 20:39:55.900 [INFO ] [pool-2-thread-1] ArchivalProcessor - Total records processed - 27846 host = lgposput50341.gso.aexp.com source = /amex/app/abs-upstreamer/logs/abs-upstreamer.log sourcetype = 600000304_gg_abs_ipc2
... View more
11-13-2024
08:55 PM
@ITWhisperer , I want to make one table where we have date on one column and counts on other column
... View more
11-13-2024
06:57 AM
Hi @ITWhisperer Raw code 2024-10-29 20:42:43.702 [INFO ] [pool-2-thread-1] ArchivalProcessor - Total records processed - 38040 host = lgposput50341.gso.aexp.com source = /amex/app/abs-upstreamer/logs/abs-upstreamer.log sourcetype = 600000304_gg_abs_ipc2 my query: index="600000304_d_gridgain_idx*" sourcetype=600000304_gg_abs_ipc2 source!="/var/log/messages" "ArchivalProcessor - Total records processed"| rex "Total records processed -(?<processed>\d+)" | timechart span=1d values(processed) AS ProcessedCount index="abc" sourcetype=600000304_gg_abs_ipc2 source!="/var/log/messages" "ArchivalProcessor - Total records processed"| rex "Total records processed -(?<processed>\d+)" | timechart span=1d values(processed) AS ProcessedCount
... View more
11-13-2024
02:42 AM
HI @ITWhisperer As you can see in result StartTime is sorted but businedd date is coming as 11/07/2024 in front of that . It is not sorted
... View more
11-12-2024
10:25 PM
@ITWhisperer
I make the below query but my processed count is coming as blank
index="abc" sourcetype=600000304_gg_abs_ipc2 "Total records processed -"
| rex "Total records processed -(?<processed>\d+)"
| timechart span=1d values(processed) AS ProcessedCount
Raw logs
2024-10-23 20:40:23.658 [INFO ] [pool-2-thread-1] ArchivalProcessor - Total records processed - 15618
... View more
11-12-2024
07:53 PM
@ITWhisperer please find my below query index="abc" sourcetype =$Regions$ source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log""StatisticBalancer - statisticData: StatisticData" "CARS.UNB."|rex "totalOutputRecords=(?<totalOutputRecords>),busDt=(?<busDt>),fileName=(?<fileName>),totalAchCurrOutstBalAmt=(?<totalAchCurrOutstBalAmt>),totalAchBalLastStmtAmt=(?<totalAchBalLastStmtAmt>),totalClosingBal=(?<totalClosingBal>),totalRecordsWritten=(?<totalRecordsWritten>),totalRecords=(?<totalRecords>)"|eval totalAchCurrOutstBalAmt=tonumber(mvindex(split(totalAchCurrOutstBalAmt,"E"),0)) * pow(10,tonumber(mvindex(split(totalAchCurrOutstBalAmt,"E"),1)))|eval totalAchBalLastStmtAmt=tonumber(mvindex(split(totalAchBalLastStmtAmt,"E"),0)) * pow(10,tonumber(mvindex(split(totalAchBalLastStmtAmt,"E"),1)))|eval totalClosingBal=tonumber(mvindex(split(totalClosingBal,"E"),0)) * pow(10,tonumber(mvindex(split(totalClosingBal,"E"),1)))|table busDt fileName totalAchCurrOutstBalAmt totalAchBalLastStmtAmt totalClosingBal totalRecordsWritten totalRecords|appendcols[search index="600000304_d_gridgain_idx*"sourcetype =$Regions$ source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" | rex "CARS\.UNB(CTR)?\.(?<CARS_ID>\w+)" | transaction CARS_ID startswith="Reading Control-File /absin/CARS.UNBCTR." endswith="Completed Settlement file processing, CARS.UNB." |eval StartTime=min(_time)|eval EndTime=StartTime+duration|eval duration_min=floor(duration/60) |rename duration_min as CARS.UNB_Duration| table StartTime EndTime CARS.UNB_Duration]| fieldformat StartTime = strftime(StartTime, "%F %T.%3N")| fieldformat EndTime = strftime(EndTime, "%F %T.%3N")|appendcols[search index="abc" sourcetype =$Regions$ source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "FileEventCreator - Completed Settlement file processing" "CARS.UNB."|rex "FileEventCreator - Completed Settlement file processing, (?<file>[^ ]*) records processed: (?<records_processed>\d+)"| rename file as Files|rename records_processed as Records| table Files Records]|appendcols[search index="600000304_d_gridgain_idx*" sourcetype =$Regions$ source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully" | head 7 | eval True=if(searchmatch("ebnc event balanced successfully"),"✔","") | eval EBNCStatus="ebnc event balanced successfully" | table EBNCStatus True]|rename busDt as Business_Date|rename fileName as File_Name|rename CARS.UNB_Duration as CARS.UNB_Duration(Minutes)|table Business_Date File_Name StartTime EndTime CARS.UNB_Duration(Minutes) Records totalClosingBal totalRecordsWritten totalRecords EBNCStatus | sort 0 'Business_Date' 'StartTime'
... View more
11-12-2024
11:28 AM
@ITWhisperer
I tried the below query
|sort 0 'Business_Date' 'StartTime'
Its sorting only on StartTime not on business date
Could you please suggest
... View more
11-12-2024
08:42 AM
@PickleRick @ITWhisperer when I am putting this sort "Business_Date" "StartTime" Its only sorting on Business_Date and not startTime Could you please suggest
... View more
11-12-2024
07:08 AM
Hi Team, Below is my raw log I want to fetch 38040 from log please guide ArchivalProcessor - Total records processed - 38040
... View more
11-12-2024
05:42 AM
Hi Team, I have below panel query I want to sort on the basis of busdate and start time, But results are not coming correct.Could anyone guide on this Currently its sorting on bus date but no t start time. Please guide index="abc" sourcetype =$Regions$ source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log""StatisticBalancer - statisticData: StatisticData" "CARS.UNB."|rex "totalOutputRecords=(?<totalOutputRecords>),busDt=(?<busDt>),fileName=(?<fileName>),totalAchCurrOutstBalAmt=(?<totalAchCurrOutstBalAmt>),totalAchBalLastStmtAmt=(?<totalAchBalLastStmtAmt>),totalClosingBal=(?<totalClosingBal>),totalRecordsWritten=(?<totalRecordsWritten>),totalRecords=(?<totalRecords>)"|eval totalAchCurrOutstBalAmt=tonumber(mvindex(split(totalAchCurrOutstBalAmt,"E"),0)) * pow(10,tonumber(mvindex(split(totalAchCurrOutstBalAmt,"E"),1)))|eval totalAchBalLastStmtAmt=tonumber(mvindex(split(totalAchBalLastStmtAmt,"E"),0)) * pow(10,tonumber(mvindex(split(totalAchBalLastStmtAmt,"E"),1)))|eval totalClosingBal=tonumber(mvindex(split(totalClosingBal,"E"),0)) * pow(10,tonumber(mvindex(split(totalClosingBal,"E"),1)))|table busDt fileName totalAchCurrOutstBalAmt totalAchBalLastStmtAmt totalClosingBal totalRecordsWritten totalRecords|sort busDt|appendcols[search index="abc"sourcetype =$Regions$ source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" | rex "CARS\.UNB(CTR)?\.(?<CARS_ID>\w+)" | transaction CARS_ID startswith="Reading Control-File /absin/CARS.UNBCTR." endswith="Completed Settlement file processing, CARS.UNB." |eval StartTime=min(_time)|eval EndTime=StartTime+duration|eval duration_min=floor(duration/60) |rename duration_min as CARS.UNB_Duration| table StartTime EndTime CARS.UNB_Duration]| fieldformat StartTime = strftime(StartTime, "%F %T.%3N")| fieldformat EndTime = strftime(EndTime, "%F %T.%3N")|appendcols[search index="600000304_d_gridgain_idx*" sourcetype =$Regions$ source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "FileEventCreator - Completed Settlement file processing" "CARS.UNB."|rex "FileEventCreator - Completed Settlement file processing, (?<file>[^ ]*) records processed: (?<records_processed>\d+)"| rename file as Files|rename records_processed as Records| table Files Records]|appendcols[search index="600000304_d_gridgain_idx*" sourcetype =$Regions$ source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"| head 7 | eval True=if(searchmatch("ebnc event balanced successfully"),"✔","") | eval EBNCStatus="ebnc event balanced successfully" | table EBNCStatus True]|rename busDt as Business_Date|rename fileName as File_Name|rename CARS.UNB_Duration as CARS.UNB_Duration(Minutes)|table Business_Date File_Name StartTime EndTime CARS.UNB_Duration(Minutes) Records totalClosingBal totalRecordsWritten totalRecords EBNCStatus
... View more
12-01-2023
11:19 AM
][ERROR][pub-#32738][AssociationRemoteProcessor] Exception while running association: javax.cache.CacheException: class org.apache.ignite.IgniteInterrup [2023-11-09T06:06:02,015][ERROR][pub-#19230][FedPledgingFlaggingRemoteProcessor] No rejection criteria found for the specified key: CO. Hi , Can anyone guide me how to extract the highlighted text.
... View more
11-29-2023
11:44 PM
Hi @bowesmana
This is the event that is occurred: The time the event occurred is 2023-11-30 00:00:33.789
I have set the Cron expression of last 15 minutes and Time Range is last 15 minutes
I am getting incidents and alerts after 30 minutes or sometimes after 45 minutes when the event triggered in splunk.
These is my query:
index= "abc" "pace api iaCode - YYY no valid pace arrangementId as response!!!" OR "pace api iaCode - ZZZ no valid pace arrangementId as response!!!" source!="/var/log/messages" sourcetype=600000304_gg_abs_ipc2| rex "-\s+(?<Exception>.*)" | table Exception source host sourcetype _time
... View more
11-28-2023
11:45 PM
@bowesmana
This is my current query:
index= "abc" "pace api iaCode - YYY no valid pace arrangementId as response!!!" OR "pace api iaCode - ZZZ no valid pace arrangementId as response!!!" source!="/var/log/messages" sourcetype=600000304_gg_abs_ipc1| rex "-\s+(?<Exception>.*)" | table Exception source host sourcetype _time
And My cron schedule is shown as below:
@bowesmana can you please suggest me what changes I need to make in my query and cron to get incidents and email on time
... View more
11-14-2023
11:39 PM
@bowesmana Can you please guide what changes I should made Should I need to change cron schedule expression or I need to make change in my queries Please guide
... View more
11-13-2023
11:12 PM
@bowesmana I have made my window as below: I have taken time Range as Last 15 minutes and set Cron schedule as */15 * * * * Still not getting emails and Incidents on time If the events are getting generated at 12:30 pm IST I want alert should triggered at that time itself via email or via incident. @bowesmana can you please help me what time Range and cron schedule I should set to get alerts on time.
... View more
11-09-2023
01:07 PM
@bowesmana @ITWhisperer Can you please guide on it
... View more
11-08-2023
11:05 PM
@bowesmana I have added what you suggested in my search query as below: index= "abc" "ebnc event did not balanced for filename" sourcetype=600000304_gg_abs_dev source!="/var/log/messages" | rex "-\s+(?<Exception>.*)" |eval index_time=strftime(_indextime, "%F %T.%Q")| table Exception source host sourcetype _time index_time I am getting result as below: @bowesmana could you please guide me what should I change in my alert setting Should I change it from last 15 minutes to something else and also should I change this Cron schedule */5 * * * * I want as soon as the events occurred in Splunk incident should get created at that time only.
... View more
11-08-2023
09:45 AM
Hi Team, I have set alert for below query: index= "abc" "ebnc event did not balanced for filename" sourcetype=600000304_gg_abs_dev source!="/var/log/messages" | rex "-\s+(?<Exception>.*)" | table Exception source host sourcetype _time And I got below result: I have set the alert as below And I have set the incident for it with SAHARA Forwarder but I am getting only 1 incident though the statistics was 6. 6 incidents should get created And also Incidents are coming very late if event triggered at 8:20 incident is coming on 9:16 Can someone guide me on it.
... View more
Labels
- Labels:
-
dashboard
11-05-2023
08:13 AM
Hi Team, Below is my raw logs: 2023-09-29 14:10:05.598 [ERROR] [Thread-3] CollateralFileGenerator - *****************************************FAILURE in sending control file collateral files to ABS Suite!!!***************************************** I want to separate "FAILURE in sending control file collateral files to ABS Suite!!!" as my ERROR message Can someone guide me on this
... View more
11-05-2023
08:11 AM
@gcusello yes its true for both
... View more
11-05-2023
12:04 AM
Hi Team, Below is my query: index= "abc*" sourcetype=600000304_gg_abs_ipc1 OR sourcetype=600000304_gg_abs_ipc2 "Message successfully sent to Cornerstone" source!="/var/log/messages" I am getting result of " sourcetype=600000304_gg_abs_ipc1 I am not getting result of 600000304_gg_abs_ipc2 I need result of both sourcetype in one frame. Can someone help
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
11-21-2024
10:28 PM
|
Karma given to
