×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
deepuhassan
Explorer
Member since: ‎01-28-2021
‎03-22-2021
Community Statistics
Posts 6
Solutions 0
Karma Given 3
Karma Received 0
Member Since ‎01-28-2021
Activity Feed
View All

Adding up the count overtime

by in Splunk Search
‎02-26-2021 11:33 PM
‎02-26-2021 11:33 PM
Hi i have a requirement to create a dashboard to represent total events i have created a panel in the dashboard which refreshes for every 5 mins. I need to add the new results to the existing count and show it on screen i tried using streamstats and dashboard seems freezing when it tries to refresh  any help or advise is if great help Thanks Sandeep ... View more
Labels

Cumulative count and adding the events to the resu...

by in Dashboards & Visualizations
‎02-26-2021 08:22 PM
‎02-26-2021 08:22 PM
Hi i have a requirement to create a dashboard to represent total events i have created a panel in the dashboard which refreshes for every 5 mins. I need to add the new results to the existing count and show it on screen i tried using streamstats and dashboard seems freezing when it tries to refresh  any help or advise is if great help Thanks Sandeep ... View more
Labels

Re: Splunk Join Optimisation

by in Splunk Search
‎01-28-2021 07:30 PM
‎01-28-2021 07:30 PM
Thanks for the document. I am not able to optimize the below query : index=server sourcetype="performance"  source="*/performance.log" perf_component_role=kafkaProducer component_name="test-api-v1" event_status=COMPLETE  | eval publishedtime=_time | join app_correlation_id [search index=server component_name="test-api-v2" environment=sit1 "Process updated Successfully !!" | eval processedtime=_time] | eval endToEndTime = (processedtime -publishedtime) | table app_correlation_id publishedtime processedtime endToEndTime ... View more

Re: Splunk Join Optimisation

by in Splunk Search
‎01-28-2021 03:39 PM
‎01-28-2021 03:39 PM
I have tried using the technique you have given me for the below query but it is not working. The below query will be used to calculate the time difference of an event logged in 2 different sources which has common correlation id. Since I am using join it is taking longer time. Basically I am trying to find out the end to end time involved for a message which started from Kafka producer and processed by a consumer. index=server sourcetype="performance"  source="*/performance.log" perf_component_role=kafkaProducer component_name="test-api-v1" event_status=COMPLETE  | eval publishedtime=_time | join app_correlation_id [search index=server component_name="test-api-v2" environment=sit1 "Process updated Successfully !!" | eval processedtime=_time] | eval endToEndTime = (processedtime -publishedtime) | table app_correlation_id publishedtime processedtime endToEndTime ... View more

Re: Splunk Join Optimisation

by in Splunk Search
‎01-28-2021 03:23 PM
‎01-28-2021 03:23 PM
Thanks.. It is partially working. However, would you please explain how the steps you have taken to form the query? What shall I do if the field name used for correlation is same in both the sources?  ... View more

Splunk Join Optimisation

by in Splunk Search
‎01-28-2021 03:43 AM
‎01-28-2021 03:43 AM
Hi, I have the below query which does the search on two different sources in the same index and join the results based app correlation id to get results and perform the stats operation. However, the source files are huge and hence the join is taking too longs to get me the results. index=server sourcetype=perfromance source="*performance.log"  component_role=consumer  | join  app_id [ search index=server sourcetype=component source="*component.log" | rename appCorId as app_id ] | stats count(eval=(process_result="COMPLETED")) as Completed count(eval=(process_result="FAILED")) as Failed This is a simple join but taking huge time when do a search for 24 hours. Please help optimize this query. Thanks, Sandeep     ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎03-22-2021 03:57 PM
Karma given to
View All