Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About Dharani
Dharani
Path Finder
Member since:
01-20-2021
06-24-2024
Community Statistics
| Posts | 26 |
| Solutions | 0 |
| Karma Given | 6 |
| Karma Received | 0 |
| Member Since | 01-20-2021 |
Activity Feed
- Karma Re: fetch todays filename and check with last 30 days filename for splunk alert for P_vandereerden. 06-24-2024 05:01 AM
- Karma Re: fetch todays filename and check with last 30 days filename for splunk alert for P_vandereerden. 06-24-2024 05:01 AM
- Karma Re: fetch todays filename and check with last 30 days filename for splunk alert for P_vandereerden. 06-24-2024 05:01 AM
- Posted Re: fetch todays filename and check with last 30 days filename for splunk alert on Splunk Search. 06-24-2024 05:00 AM
- Posted Re: fetch todays filename and check with last 30 days filename for splunk alert on Splunk Search. 06-14-2024 03:16 AM
- Posted fetch todays filename and check with last 30 days filename for splunk alert on Splunk Search. 06-13-2024 01:20 AM
- Tagged fetch todays filename and check with last 30 days filename for splunk alert on Splunk Search. 06-13-2024 01:20 AM
- Tagged fetch todays filename and check with last 30 days filename for splunk alert on Splunk Search. 06-13-2024 01:20 AM
- Posted Re: Partially eliminate error message in Splunk query on Splunk Search. 12-15-2023 01:55 AM
- Posted Re: Partially eliminate error message in Splunk query on Splunk Search. 12-14-2023 11:40 PM
- Tagged Re: Partially eliminate error message in Splunk query on Splunk Search. 12-14-2023 11:40 PM
- Posted Partially eliminate error message in Splunk query on Splunk Search. 12-14-2023 12:54 AM
- Posted Splunk Alert set up based on first occurrence of error on Splunk Search. 12-04-2023 11:17 PM
- Posted Re: Join 2 searches which has common fields as 2 different field name with same value on Splunk Search. 11-14-2023 11:06 PM
- Posted Join 2 searches which has common fields as 2 different field name with same value on Splunk Search. 11-08-2023 10:22 AM
- Posted Re: Pie chart for 2 fields on Splunk Search. 04-04-2023 03:57 AM
- Karma Re: Pie chart for 2 fields for yuanliu. 04-04-2023 03:56 AM
- Posted Re: Pie chart for 2 fields on Splunk Search. 04-03-2023 11:08 PM
- Posted How to create pie chart for two fields? on Splunk Search. 04-03-2023 06:31 AM
- Posted How to join query with condition and comparison? on Splunk Search. 01-20-2023 05:32 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
06-24-2024
05:00 AM
Thank you so much Join worked as expected !
... View more
06-14-2024
03:16 AM
Hi, Thank you so much for the suggestion. Is it possible to achieve this by splunk search? since it is expected to be a simple alert configuration due to access limitation. Please share if you have any suggestions with splunk query which will greatly help !
... View more
06-13-2024
01:20 AM
Hi,
I want to create alert based on file received. Everyday at randomly we used to receive files.
ex. file name: file_20240613_1222_100.xml
Here I can extract Date:20240613 and CompanyId: 1222
I need create alert which should run for every 30 mins to check if any file arrived. If any file detected it should check both 'Date' and 'CompanyId' with last 30 days files received. If suppose there is any filename in last 30 days with same 'Date' and 'CompanyId' in the filename then it should trigger any email alert.
Base search:
index=wealth
| search transform-file
| search ace_message
| rex field=_raw "inputFileName: (?<inputFileName>.*?),"
| rex field=_raw "outputFileName: (?<outputFileName>.*?),"
| rex field=inputFileName "file\_\d+\_(?<CompanyId>\d+)\_"
| rex field=inputFileName "file\_(?<Date>\d+)\_"
| table inputFileName,outputFileName, CompanyId, Date
This will search for last 30 mins and see if any new file arrived , but I am not sure how to check the same fields for last 30 days filename.
Can someone help !
... View more
Labels
- Labels:
-
eval
-
field extraction
-
fields
-
subsearch
12-15-2023
01:55 AM
Yes , sorry for the typo. 3rd logs has different requestId. I mistakenly pasted the same requestId.
... View more
12-14-2023
11:40 PM
sample logs: 1.IBroker call failed, sessionId=855762c0-9a6b, requestId=bc819b42-6646, request=PUT responseStatus=422 response={"ErrorCode":0,"UserMessage":null,"DeveloperMessage":null,"DocumentationUrl":null,"LogId":null,"ValidationErrors":"Invalid product ","Parameters":null} 2. sessionId=855762c0-9a6b, requestId=bc819b42-6646, request=PUT responseStatus=422 ErrorMessage: unprocessable 3.sessionId=855762c0-9a6b, requestId=bc819b42-6646, request=PUT responseStatus=422 ErrorMessage: unprocessable 1st 2 logs should be eliminated because they share same requestId, 3 rd logs should be shown.
... View more
- Tags:
- saml
12-14-2023
12:54 AM
Hi, below are the log details. index=ABC sourcetype=logging_0 Below are the values of "ErrorMessages" field: invalid - 5 count unprocessable - 7 count (5 invalid pair + 2 others) no user foundv- 3 count invalid message process - 3 count process failed- 3 count Now I have to eliminate ErrorMessage=invalid and ErrorMessage=unprocessable. Then show all other ErrorMessage. But the problem here is , "unprocessable" ErrorMessage will show for other messages as well. so we cannot fully eliminate the "unprocessable" ErrorMessage. Whenever "Invalid" ErrorMessage is logging that time "unprocessable" ErrorMessage also will be logged. So we need to eliminate this pair only. Not every "unprocessable" ErrorMessage. Expected result: unprocessable - 2 count no user foundv- 3 count invalid message process - 3 count process failed- 3 count I tried with join using requestId but its not resulting anything because i am using | search ErrorMessage="Invalid" and elimated this in next query so its not searching for other ErrorMessages. Can someone please help.
... View more
12-04-2023
11:17 PM
Hi, I want to schedule one splunk alert , please let me know if below option is possible: When the first alert received for xxx error then query should check if this is the first occurance of an error in last 24 hours if yes then Alert email can be triggered If the error is not first occurance then may be based on threshold we should only send one email for more than 15 failures in an hour or so. 2nd point is basically set up splunk alert for xxx error , threshold: trigger when count>15 in last 1 hour. 1st point is for , when 1st occurrence of error came , it will not wait for count>15 and 1 hr , it will immediately trigger an email. Please help on this.
... View more
11-14-2023
11:06 PM
Hi, It's not working. It results all the logs for sourcetype=accesslogs. But our aim is to join the 2 sourcetypes to get userId for failure logs
... View more
11-08-2023
10:22 AM
Hi, My main goal is to find user id. Index=A sourcetype=signlogs outcome=failure The above search has a field name called processId but it doesn't have the userId which I needed. Index=A sourcetype=accesslogs -->This search has a SignatureProcessId( which is same as processId in the search1) and also it has userId. So I need to join these 2 query with common field as processId/SignatureProcessId I tried the below query but it results 0 events: Index=A sourcetype=signlogs outcome=failure | dedup processId | rename processId as SignatureProcessId | join type=inner SignatureProcessId [Index=A sourcetype=accesslogs | dedup SignatureProcessId ] | Table _time, SignatureProcessId, userId Someone please help with fixing this query.
... View more
04-03-2023
11:08 PM
Hi, Thanks for this , but only having VERB in pie chart will not help for my case. Is there any possibility to join VERB and OBJECT to a single field and make that field in chart command. Example, VERB=get OBJECT=customer status new_field="get customer status" IN query: chart count by new_field. Please let me know if this is possible. Thanks!
... View more
04-03-2023
06:31 AM
Hi,
I have service name verb, object and outcome. I need to show the statistics in pie chart.
For example,
index=abc (SUBJECT="Access" AND OBJECT="status" AND VERB="Get") OR (SUBJECT="Customer Service" AND VERB=Get AND OBJECT="Customer status") OR (SUBJECT="Agreement service" AND OBJECT="attachments" AND VERB="Create") | search OUTCOME=FAILURE | chart count by VERB,OBJECT
Results:
VERB Customer status attachments
Get 3 0
Create 0 2
What I am looking for is to show that 2 failures for create attachments and 3 failures for get customer status in Pie Chart format. But above query is not working like that , it is only showing one field in the pie chart which is not use ful.
Please help on this.
Thanks in Advance.
... View more
Labels
- Labels:
-
chart
-
field extraction
-
fields
-
stats
01-20-2023
05:32 AM
Hi,
I need to show error messages for one particular service. But the challenge here is that for example ,
I need to show error messages including "withdrawal failed" error. But if this error happened because of "insufficient balance" then this withdrawal failed should not be listed. Other error messages should be listed anyway.
e.g query:
index=abc sourcetype=payment log_level=Error |table message.
Result would be like:
withdrawal failed deposit failed Error 404 customer not found
But i want something like,
index=abc sourcetype=payment log_level=Error and | search message="*Withdrawal failed*" | join type=inner requestId [search index=abc | search message ="*insufficient balance*"] --> if this part is true then it should not list "Withdrawal failed error"
Results should be like,
deposit failed Error 404 customer not found
Please help me with the search.
Thanks In advance.
... View more
Labels
- Labels:
-
field extraction
-
fields
-
join
-
subsearch
09-07-2022
11:59 PM
Hi,
Below is the example for raw log:
20220906T23:43:58+03:00#0115dummyvalue.com#01110.111.169.11:51868#01110.45.38.135:8111#0110.527#011-#011-#011200#011200#0117180#011603#011GET /wapi/v3/gat/cust HTTP/1.1#0115ocilpapgap11.op.okobank.com
20220906T23:43:58+03:00#0115dummyvalue.com#01110.111.169.11:51868#01110.45.38.135:8111#0110.527#011-#011-#011200#011200#0117180#011603#011GET /wapi/v3/gat/cust/apis/info/015-000234567 HTTP/1.1#0115dummyvalue.com
20220906T23:43:58+03:00#0115dummyvalue.com#01110.111.169.11:51868#01110.45.38.135:8111#0110.527#011-#011-#011200#011200#0117180#011603#011GET /wapi/v3/gat/015-0000004847/cust/api HTTP/1.1#0115dummy value.com
From the above raw logs I need to extract the below fields:
/wapi/v3/gat/cust
/wapi/v3/gat/cust/apis/info/015-000234567
wapi/v3/gat/015-0000004847/cust/api
and it should be extracted and displayed in table/statistics like below format:
/wmpapi/v3/gat/cust
/wapi/v3/gat/cust/apis/info/{Id}
wapi/v3/gat/{Id}/cust/api
Basically in the fields , it should only take alphapets (including that v3) and we should replace digits to {Id} whereever it exist .
Can someone help me on this.
Thanks!
... View more
Labels
- Labels:
-
field extraction
-
fields
-
stats
-
timechart
06-07-2021
03:49 AM
Hi Splunkers, I have "ABC" index which has billions of data in it. I need to find which "src" is generating large number of events , basically count(src). I have performed the below query for 5 days timeframe, index="ABC" source type="traffic" | stats count by src span=1d But the result is not loading as src generating huge data. Is there any way to find the highest number event generating "src". Thanks in Advance.
... View more
- Tags:
- count
- SPLUNK query
Labels
- Labels:
-
host
-
source
-
sourcetype
02-08-2021
03:31 AM
Hi Splunkers, I have clustered environment. One of indexer got SSL expired. I have created csr and pem file. Bu submitting that csr I got new SSL certificate from my organization. Now I logged in to that indexer , i downloaded the new SSL certificate to the same folder where my pem key is there. went to , etc/system/local and updated the web.conf file as below. [settings] startwebserver = 1 caCertPath = etc/auth/cert/sra-index-01-cert.pem privKeyPath = etc/auth/cert/sra-index-01-PassKey.pem sendStrictTransportSecurityHeader = true enableSplunkWebSSL = true allowSslRenegotiation = false allowSslCompression = false now , I need to verify SSL is properly applied to Splunk server or not. When I logged in web UI, I am not able to see valid certificate date , it is still showing previous expired certificate date. How to verify it or Am I missing anything?
... View more
Labels
- Labels:
-
authentication
-
permissions
-
SSL
-
SSO
01-27-2021
10:44 PM
Hi @tsweet_splunk In this case , Do we need to install this add-on on the Linux hosts also? or pushing this configuration from DS to host is enough? Thanks, Dharani
... View more
01-24-2021
11:41 PM
Hey, I need help on setting up Splunk_TA_nix add-on for multiple hosts. I have a clustered environment. In my deployment server Splunk_TA_nix is installed. The requirement is I need to collect metrices from 10 Linux servers. So , Do I need to install and configure the same in all the 10 servers? or Can we configure in deployment server only to push the configuration to all the servers,,,,, If so how can we configure in DS and push? Its new to me , can anyone please help me on this? Thanks, Dharani
... View more
Labels
01-21-2021
09:52 PM
Hey , I gave it a time. Now I am getting "rewards_qual = the first set of string in _raw log" (EX: rewards_qual=3BAA7FA6DD578008A81A4486A656489C) Not getting all the fields in regex. But the good thing is the old fields are gone now 🙂 Thanks!
... View more
01-21-2021
09:49 PM
Sure. Sample event: 3BAA7FA81A4486A656489C,aksaware,2021-01-22T05:35:51,Curate create(SFDC),opportunityType::TS#savmGroupName::THERMO SCIENTIFIC PRIVATE LTD#opportunityName::RNW_SY Video TeleCraft_TS#opptyOwner::aksaware#lookupBy::true#expectedProspectBookingDate::2021-01-22#sfdcAccountId::0013400001LFlomAAD#partyId::264252765#transactionID::aksaware_20210121213430#,Success,N/A,2021-01-22T05:36:09.285Z,deleteLookUpCurate,aksaware_20210121213430,19,18659
... View more
01-21-2021
05:45 AM
Hi @scelikok , Thank you for your response, I tried this, but not working. Still I am having that old fields, the new ones which we pushed now are not showing off.
... View more
01-21-2021
02:32 AM
Hey folks, I need help on field extraction. I have index=abs, source =123. When I search this in the Splunk, I can see some fields are auto extracted. for example , session=12345, Status=Success,NA,NA. In this case , I tried to create a new field extraction on top of this, but it was not working. I don't want that "Status=Success,NA,NA." I need to separate it as "Status=Success" ", Exception=NA", "SubAPITime=NA". when I tried to create a new field in search level (UI) and Index level(Index Cluster) , it is not working. I hope, we have to first remove the existing fields and then create our new field extraction. Please help me on this one ! props.conf for new field extraction which is not working : [source::123] TRANSFORMS-extract-app_rewards = rewards_qual transforms.conf [rewards_qual] SOURCE_KEY = MetaData:Source REGEX = ^(?P<SessionId>[^,]+),(?P<User>[^,]+),(?P<DateTime>[^,]+),(?P<View>[^,]+),(?P<AppliedFilters>[^,]+),(?P<Status>[^,]+),(?P<Exception>[^,]+),(?P<SubAPITime>[^,]+),(?P<SubAPIName>[^,]+),(?P<TransactionId>[^,]+),(?P<HANATime>[^,]+),(?P<TotalTime>.+) FORMAT = SessionId::$1 User::$2 DateTime::$3 View::$4 AppliedFilters::$5 Status::$6 Exception::$7 SubAPITime::$8 SubAPIName::$1 TransactionId::$1 HANATime::$1 TotalTime::$1 WRITE_META = true I tried with source and source type as well. Thanks, Dharani.
... View more
Labels
01-20-2021
06:40 AM
Hi @scelikok , Thanks for you response, I tried this, but not getting anything. Now I am not able to apply anything (like field extraction , calculated field) on the particular source type. Don't know what could be the issue.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-24-2024
08:21 AM
|
