Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About Cranie
Cranie
Explorer
Member since:
02-12-2021
09-11-2023
Community Statistics
| Posts | 12 |
| Solutions | 0 |
| Karma Given | 2 |
| Karma Received | 1 |
| Member Since | 02-12-2021 |
Activity Feed
- Posted Re: Search output replicating fields for other fields on Splunk Search. 09-11-2023 03:45 AM
- Karma Re: Search output replicating fields for other fields for yuanliu. 09-11-2023 03:44 AM
- Karma Re: Search output replicating fields for other fields for gcusello. 09-11-2023 03:44 AM
- Posted Re: Search output replicating fields for other fields on Splunk Search. 09-11-2023 02:22 AM
- Posted How to create Search output replicating fields for other fields? on Splunk Search. 09-08-2023 01:35 PM
- Got Karma for Re: Subsearch / query with inputlookup. 09-01-2023 07:57 AM
- Posted Re: Subsearch / query with inputlookup on Splunk Search. 09-01-2023 07:31 AM
- Posted Re: Subsearch / query with inputlookup on Splunk Search. 09-01-2023 07:05 AM
- Posted Re: Subsearch / query with inputlookup on Splunk Search. 09-01-2023 07:01 AM
- Posted Subsearch / query with inputlookup on Splunk Search. 09-01-2023 04:50 AM
- Posted Re: Field comparison with multi-value columns on Reporting. 05-11-2021 01:00 AM
- Posted Re: Field comparison with multi-value columns on Reporting. 02-15-2021 05:54 AM
- Posted Re: Field comparison with multi-value columns on Reporting. 02-15-2021 04:54 AM
- Posted Re: Field comparison with multi-value columns on Reporting. 02-15-2021 03:00 AM
- Posted Field comparison with multi-value columns on Reporting. 02-12-2021 09:38 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
09-11-2023
03:45 AM
Noted - done thanks for the head up. 👍
... View more
09-11-2023
02:22 AM
I could not get the solution that @yuanliu gave (in the way I needed). I have managed to get this to work, many many thanks.
... View more
09-08-2023
01:35 PM
Hi,
I am trying to run a search and have tokens setting various search items, what I need is to create a search from an input file and have one field referenced many times for different fields. My search is:
| inputlookup errorLogs
| where RunStartTimeStamp == "2023-01-26-15.47.24.000000"
| where HostName == "myhost.com"
| where JobName == "runJob1"
| where InvocationId == "daily"
| fields RunID, ControllingRunID
| uniq
| format "(" "(" "OR" ")" "||" ")"
This gives:
( ( ControllingRunID="12345" OR RunID="67890" ) )
What I would like is:
( ( ControllingRunID="12345" OR RunID="67890"
OR RunID="12345" OR ControllingRunID="67890") )
There could be many id pairs of run/controlling ID's and I want to search on any combination if possible.
... View more
- Tags:
- splunk search
Labels
- Labels:
-
field extraction
-
subsearch
09-01-2023
07:31 AM
1 Karma
After a little tweaking this gives the desired results: | inputlookup appJobLogs
| search [ | inputlookup appJobLogs
| where match(MessageText, "(?i)general error")
| fields RunID
| uniq
| format
]
| rex mode=sed field=MessageText "s/, /\n/g"
| sort RunStartTimeStamp asc, LogTimeStamp asc, LogID ASC
... View more
09-01-2023
07:05 AM
This is pretty much what I want, but there are other RunID lines that do not have the "general error" message that I want to capture also. So your example groups all RunID's and the MessageText with "general error". What I need is, all RunID entries for the RunID with MessageText "general error". I.e: RunId MessageText 1 Start 1 There has been a general error. 1 Finish 2 Start So I find the RunID 1 having the error and I want to output the start, finish and the error too. If that is possible, and in this example, not RunID 2.
... View more
09-01-2023
07:01 AM
I got an error "The 'NOT ()' filter could not be optimized for search results." I'll look into. Thanks for the suggestion
... View more
09-01-2023
04:50 AM
Apologies, I am quite new to Splunk so not sure if this is possible, I have the following simple query: | inputlookup appJobLogs
| where match(MessageText, "(?i)general error")
| rex mode=sed field=MessageText "s/, /\n/g"
| sort RunStartTimeStamp asc, LogTimeStamp asc, LogID ASC This works and gets the data I need for the error I am after, but, I want all associated values for the error by RunID. So the headers are: Host, InvocationID, Name, LogID, LogTS, LogName, MessageID, MessageText, RunID, RunTS, RunName I would like to do something like: | inputlookup appJobLogs
| where RunID in [
| search appJobLogs
| where match(MessageText, "(?i)general error")
| fields RunID
] I have tried various forms and closest I got was a join which gave me the not found fields (should be fixable) but limited to 10,000 results so that seems like the wrong solution.
... View more
05-11-2021
01:00 AM
Apologies for the late reply. I struggled to log on in work place. Yes, I managed to do what I have needed and implemented the same in a more complex query for my reports. Thanks all for the help and suggestions! Really appreciate the community help.
... View more
02-15-2021
05:54 AM
This is the portion of code I have adapted from yours (my Splunk skills are not the best): | foreach RHELSupportedMax DB2SupportedMax
[ eval <<FIELD>>=split(<<FIELD>>,"|")
| mvexpand <<FIELD>>]
| eval RHELVersionMain=RHELVersion
| rex mode=sed field=RHELVersionMain "s/\..*//"
| eval RHELVersionMainMax=RHELSupportedMax
| rex mode=sed field=RHELVersionMainMax "s/\..*//"
| rex mode=sed field=RHELVersionMainMax "s/\..*//"
| eval DB2VersionMain=DB2Version
| rex mode=sed field=DB2VersionMain "s/\./&@/2"
| rex mode=sed field=DB2VersionMain "s/\.@.*//"
| eval DB2SupportedMaxMain=DB2SupportedMax
| rex mode=sed field=DB2SupportedMaxMain "s/\./&@/2"
| rex mode=sed field=DB2SupportedMaxMain "s/\.@.*//"
| where RHELVersionMain = RHELVersionMainMax
| where DB2VersionMain = DB2SupportedMaxMain This works as expected and shows the versions with the respective max version, thank you again.
... View more
02-15-2021
04:54 AM
Will check this out too, thank you, I will check with is the better solution, I have managed it using the for loop mentioned above. (not sure if there is a "best" method of doing this. Thanks for the replies.
... View more
02-15-2021
03:00 AM
Thanks for the code, will try that now. As for the reason, we have a product we use, DataStage (DS) and there are many supported Service Tier components. We have a DS inventory that collects DS, DB2 and WebSphere versions (among others). For DB2 and WebSphere there are multiple supported major versions. So, for example, we have: DS 11.5 This is supported on DB2 11.1 and 11.5 and WebSphere may be 9.0.0 and 9.0.5. I now need to check the version to max supported version and see where there are discrepancies, this will then be enhanced with patch versions for the sub products, allowing us to manage the patches across the estate. The original data collection is a little bit of a mess in terms of how it is collected and put into Splunk (3 columns and multivalue ones to work around our engineering limitations. I'll check and confirm if this does what I want - thank you again for the help.
... View more
02-12-2021
09:38 AM
\Hi, I have some data which looks likes this from a Splunk report: Server Prod1-Ver Prod1-Latest Prod2-Ver Prod2-Latest server1.com 11.7.1.2 11.7.1.2 8.2 8.3 server2.com 11.3.1.0 11.3.1.2|11.5.1.1 6.8 6.10|7.9 server3.com 11.7.0.2 11.7.1.1 7.4 6.10|7.9 I want to be able to compare the Prod-Ver to the corresponding Prod-Latest. Some of the latest ones will have different products for different point releases or, in the above example, 11.3 or 11.5 can be used, in that example, I need to check the 11.3.1.0 against the 11.3.1.2 and not the 11.5.1.1. I figure I will need to use mvexpand and have multiple rows, then exclude the ones not matching the higher point level. Is there an easier way of doing it? to do what I suggested, I think I would need to have 4 versions of the same line (more when there are other products) to cover all combinations, i.e. server2.com line in above. Thanks.
... View more
Labels
- Labels:
-
other
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-11-2023
05:49 AM
|
