Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About praneethlekkala
praneethlekkala
Path Finder
Member since:
03-07-2021
06-22-2023
Community Statistics
| Posts | 26 |
| Solutions | 0 |
| Karma Given | 8 |
| Karma Received | 0 |
| Member Since | 03-07-2021 |
Activity Feed
- Posted CPU Usage Alert not working on Splunk Search. 05-12-2023 05:33 AM
- Tagged CPU Usage Alert not working on Splunk Search. 05-12-2023 05:33 AM
- Posted Issue with Alerting- Why is it not working anymore? on Other Usage. 04-27-2023 06:33 AM
- Posted Re: Active User count in the application not working on Getting Data In. 11-09-2021 02:43 PM
- Karma Re: Active User count in the application not working for richgalloway. 11-09-2021 02:42 PM
- Posted Active User count in the application not working on Getting Data In. 11-09-2021 05:33 AM
- Posted Splunk Alert when the time taken is greater than 50000 ms on Getting Data In. 08-20-2021 01:50 AM
- Tagged Splunk Alert when the time taken is greater than 50000 ms on Getting Data In. 08-20-2021 01:50 AM
- Posted Re: Splunk Alert when the time taken is greater than 50000 ms on Getting Data In. 08-19-2021 09:44 PM
- Posted Re: Splunk Alert when the time taken is greater than 50000 ms on Getting Data In. 08-19-2021 09:32 PM
- Posted Splunk Alert when the time taken is greater than 50000 ms on Getting Data In. 08-19-2021 09:18 PM
- Tagged Splunk Alert when the time taken is greater than 50000 ms on Getting Data In. 08-19-2021 09:18 PM
- Posted Re: Stats Calculate Time Taken to Copy the Indexes on Dashboards & Visualizations. 06-08-2021 12:43 AM
- Posted Re: Stats Calculate Time Taken to Copy the Indexes on Dashboards & Visualizations. 06-08-2021 12:34 AM
- Posted Re: Stats Calculate Time Taken to Copy the Indexes on Dashboards & Visualizations. 06-08-2021 12:06 AM
- Karma Re: Stats Calculate Time Taken to Copy the Indexes for ITWhisperer. 06-08-2021 12:06 AM
- Posted Re: Stats Calculate Time Taken to Copy the Indexes on Dashboards & Visualizations. 06-07-2021 08:46 PM
- Tagged Re: Stats Calculate Time Taken to Copy the Indexes on Dashboards & Visualizations. 06-07-2021 08:46 PM
- Karma Re: Need Help on alerts for ITWhisperer. 05-25-2021 06:01 AM
- Posted Need Help on alerts on Alerting. 05-23-2021 08:39 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
05-12-2023
05:33 AM
We have the following alert to check if the CPU is >=85 and alert us for some reason its not working, it worked till 14th April 2023 but not after that index=index host=12345 sourcetype="PerfmonMk:CPU" | stats avg(cpu_load_percent) as CPUUSAGE by host | where CPUUSAGE >= 85 Our Data is listed as below: 4/30/23 11:59:56.000 PM 0 15.797067520866204 7.498591389607462 8.27969465935824 1842.8858123299901 0 0 10.299361837763916 0 82.45220035416348 3.466196874917047 78.98600347924642 0 89.49445480387092 1437.5109298999423 0 %_Processor_Time = 15.797067520866204 cpu_load_percent = 15.797067520866204 host = 12345 source = PerfmonMk:CPU sourcetype = PerfmonMk:CPU 4/30/23 11:59:56.000 PM 1 10.32934463261076 5.311502234305285 4.999060926404974 1399.9132595018916 0 0 52.3967534270708 0 88.2533286122202 3.1865844001204375 85.06674421209975 0 102.49364935638849 847.3474972156449 0 %_Processor_Time = 10.32934463261076 cpu_load_percent = 10.32934463261076 host = 1234 source = PerfmonMk:CPU sourcetype = PerfmonMk:CPU 4/30/23 11:59:56.000 PM 2 7.673593515458121 2.6557511171526427 4.999060926404974 1328.2177018545447 0 0 6.599591080508917 0 90.14091802854833 2.2141230769799893 87.92679495156834 0 45.59717473806161 910.1436062847298 0 %_Processor_Time = 7.673593515458121 cpu_load_percent = 7.673593515458121 host = 1234 source = PerfmonMk:CPU sourcetype = PerfmonMk:CPU
... View more
- Tags:
- alert
Labels
- Labels:
-
stats
04-27-2023
06:33 AM
Hi
I have an issue with alerting and its not working anymore, what am i doing wrong?
My Query:
index="content" source="catalina.out" "org.apache.catalina.startup.Catalina.start Server startup" NOT Caesium | rex field=_raw "(?ms)^(?P<boot_end>\\d+\\-\\w+\\-\\d+\\s+\\d+:\\d+)(?:[^ \\n]* ){7}(?P<boot_time>\\d+)" offset_field=_extracted_fields_bounds
| eval epoch_time = _time
| eval boot_sec = boot_time * 0.001
| eval boot_min = boot_sec/60
| eval sub_time = epoch_time - boot_sec
| eval human_epoch_time = strftime(epoch_time,"%y-%m-%d %H:%M:%S")
| eval human_sub_time = strftime(sub_time,"%y-%m-%d %H:%M:%S")
| table human_epoch_time boot_sec boot_min human_sub_time host
Output:
I am not getting the duration anymore
:Alert email that i am getting doesnt contain duration , initiated at :
application has been started on node host.
Start Up Initiated at .
Start Up Completed at 23-04-27 07:46:12 .
Start Up Duration is minutes .
human_epoch_time boot_sec boot_min human_sub_time host
23-04-27 07:46:12
host
... View more
Labels
- Labels:
-
alert action
-
alert condition
-
email
11-09-2021
02:43 PM
@richgalloway Thanks, It worked!!
... View more
11-09-2021
05:33 AM
I want to know the active user count of an application, the following is the query i created, however its not giving the out put, can someone guide please? index=application host=Server Name sourcetype="Applicationprod-console-logs" "[AccessLogFilter]" | rex "^\S+ \S+ \S+ \S+ \S+ (?<USER>\S+) (?<ACTION>\S+) (?<URL>\S+) (?<SIZE>\d+)kb" | timechart span=15m dc(USER) as Application _User I am getting the following out put: _time application_User 1 2021-11-09 00:00:00 0 2 2021-11-09 00:15:00 0 3 2021-11-09 00:30:00 0 4 2021-11-09 00:45:00 0 The Logs if i run the following query shows that there is the User ID in the output: index=application host=Server Name sourcetype="Applicationprod-console-logs" "[AccessLogFilter]" Output: 2021-11-09 08:29:12,787 INFO [http-nio-127.0.0.1-8085-exec-101 url: /deploy/viewDeploymentProjectEnvironments.action] [AccessLogFilter] USERID GET application.url.action?id=665059902 4320055kb host = Server source = location = application-prod-console-logs
... View more
Labels
- Labels:
-
monitor
-
sourcetype
08-20-2021
01:50 AM
I figured out the following, can this be tweaked? sourcetype="access_log" host=hstname* USERID "search" | eval headers=split(_raw," ") | eval method=mvindex(headers,5) | eval Request=mvindex(headers,6) | eval Status=mvindex(headers,8) | eval Payload=mvindex(headers,9) | eval req_time=mvindex(headers,10) | eval uri=mvindex(headers,11) | eval Method=replace(method,"\"","") | eval uri=replace(uri,"\"","") | eval RequestTime_Seconds = req_time*0.001 | eval Response_Time_in_Seconds= round(RequestTime_Seconds,2) | table Response_Time_in_Seconds host _time Request Status | where Response_Time_in_Seconds > 5 The Output i get: Response_Time_in_Seconds host _time Request Status 1 5.89 HOSTNAME 2021-08-20 02:40:31 /rest/api/2/search 200 2 7.34 HOSTNAME 2021-08-20 04:42:25 /rest/api/2/search 200
... View more
- Tags:
- alert
08-19-2021
09:44 PM
@venkatasri 30.X.X.X 7x4697381x3 USERID[20/Aug/2021:00:07:07 -0400] "POST /rest/api/2/search HTTP/1.1" 200 63 243 "-" "APP.Api/10.98.3.17993 APP/10.98.3.17993 (Microsoft Windows NT 6.2.9200.0)" "1duei1d";52.14.54.126, 30.x.x.x, 30.x.x.x https-jsse-nio-8443-exec-142 host = hostnamesource = /access_log.2021-08-20sourcetype = access from the above its 243 is the time taken. 200 is the status and 63 is bytes sent
... View more
08-19-2021
09:32 PM
@venkatasri its in milli seconds
... View more
08-19-2021
09:18 PM
Hi We would like to create a splunk alert for long running requests. If the request exceeds 5000ms then we should get an alert. Search Query : sourcetype="access:log" host=hostname* USERID "search" The out put that we get is: 8/20/21 12:07:07.000 AM 30.X.X.X 7x4697381x3 USERID[20/Aug/2021:00:07:07 -0400] "POST /rest/api/2/search HTTP/1.1" 200 63 243 "-" "APP.Api/10.98.3.17993 APP/10.98.3.17993 (Microsoft Windows NT 6.2.9200.0)" "1duei1d";52.14.54.126, 30.x.x.x, 30.x.x.x https-jsse-nio-8443-exec-142 host = hostnamesource = /access_log.2021-08-20sourcetype = access Is there a way we can accomplish this?
... View more
- Tags:
- alert
06-08-2021
12:43 AM
@ITWhisperer Got it changed the bin query to "bin _time span=1d as day" The following result is what i am getting day host starttime completetime completeminutes duration 1620532800 host 2021-05-09 21:58:04 1620619200 host 2021-05-10 05:09:17
... View more
06-08-2021
12:34 AM
@ITWhisperer Thanks When i run the query it says "Error in 'bin' command: Invalid argument: 'day'"
... View more
06-08-2021
12:06 AM
@ITWhisperer I modified the query included bin however i couldn't fig out how to include day in the by clause of the stats command. host=hostname* "Index restore*" | eval starttime=if(match(_raw,"Index restore started"),_time,null) | eval completetime=if(match(_raw,"Index restore complete"),_time,null) | stats latest(starttime) as starttime latest(completetime) as completetime by host | fieldformat starttime=strftime(starttime,"%Y-%m-%d %H:%M:%S") | fieldformat completetime=strftime(completetime,"%Y-%m-%d %H:%M:%S") | eval duration=tostring(completetime-starttime,"duration") | eval completeminutes=floor((completetime-starttime)/60) | bin span=30d _time
... View more
06-07-2021
08:46 PM
@ITWhisperer The search query that i use is the following: host=hostname* "Index restore*" | eval starttime=if(match(_raw,"Index restore started"),_time,null) | eval completetime=if(match(_raw,"Index restore complete"),_time,null) | stats latest(starttime) as starttime latest(completetime) as completetime by host | fieldformat starttime=strftime(starttime,"%Y-%m-%d %H:%M:%S") | fieldformat completetime=strftime(completetime,"%Y-%m-%d %H:%M:%S") | eval duration=tostring(completetime-starttime,"duration") | eval completeminutes=floor((completetime-starttime)/60) When i select last 30 days: it gives the latest log entry and the entry from a month ago. host starttime completetime completeminutes duration hostname 2021-05-09 21:58:04 2021-05-10 05:09:17 431 07:11:12.247 hostname 2021-06-06 12:42:21 2021-06-06 12:50:10 7 00:07:49.396 hostname 2021-06-06 12:42:20 2021-06-06 12:50:05 7 00:07:45.268 hostname 2021-06-06 12:42:22 2021-06-06 12:50:25 8 00:08:03.316 hostname 2021-06-06 12:42:22 2021-06-06 12:51:01 8 00:08:38.956 hostname 2021-06-06 12:42:22 2021-06-06 12:49:58 7 00:07:35.255 hostname 2021-06-06 12:42:23 2021-06-06 12:49:50 7 00:07:27.548 The search query though gives the log entry from every week: host=hostname* "Index restore*" Have the entries from May 9th May 15th May 23rd May 30th June 6th Why am i not getting this in the statistics but get only the latest log entry?
... View more
- Tags:
- panel
05-23-2021
08:39 PM
Hi I have created an alert which checks the transaction's response time, if the response time is more than 10 mins splunk will send an email alert Here is the search query: sourcetype="access_log" host=hostname* | eval headers=split(_raw," ") | eval username=mvindex(headers,2) | eval method=mvindex(headers,5) | eval Request=mvindex(headers,6) | eval Status=mvindex(headers,8) | eval Payload=mvindex(headers,9) | eval req_time=mvindex(headers,10) | eval uri=mvindex(headers,11) | eval Method=replace(method,"\"","") | eval uri=replace(uri,"\"","") | eval RequestTime_Minutes = req_time*0.0000166667 | eval Response_Time_in_Minutes= round(RequestTime_Minutes,2) | table Response_Time_in_Minutes host username _time uri Request Status | search Response_Time_in_Minutes > 10 My Question: I want to exclude 1 particular transaction: "searchrequest-excel-all-fields" I do not want the alerts if its the above mentioned transaction since it doesn't affect our app in any way, how do i go about it?
... View more
Labels
- Labels:
-
alert action
-
alert condition
-
email
05-12-2021
08:07 AM
@ITWhisperer Thanks but the output is like the following... day host starttime completetime 2021-05-05 hostname 1620228103.281 2021-05-05 hostname 1620228045.815 2021-05-05 hostname 1620228474.435 2021-05-05 hostname 1620228646.272 2021-05-05 hostname 1620228205.655 2021-05-05 hostname1620227386.055 2021-05-09 hostname1620611884.843 2021-05-10 hostname1620637757.090
... View more
05-12-2021
07:13 AM
@ITWhisperer Based on the range and the search, it looks like this takes the last 7 days and finds the latest start and complete times and uses those. What we really want to see is how long it takes each day so that we can compare day over day. As we are seeing that reindexing is taking a long time lately, we would probably then choose a range of 30 days or even longer to get a comparison.
... View more
05-04-2021
11:20 PM
@ITWhisperer Thanks thanks, can we calculate the number of minutes as a column?
... View more
05-04-2021
06:00 AM
@ITWhisperer thanks, can we calculate the number of minutes as a column? Rather than giving the result in hours?
... View more
05-04-2021
04:57 AM
@ITWhisperer Thanks i tried the query and got the following, how to make it readable? host starttime completetime Hostname 1620017696.169 1620018391.676
... View more
- Tags:
- panel
05-04-2021
01:27 AM
@ITWhisperer Thanks for the reply. Here is the Index Start Event: 5/4/21 2:43:26.502 AM 2021-05-04 02:43:26,502-0400 NodeReindexServiceThread:thread-0 INFO [c.a.j.index.ha.DefaultIndexCopyService] Index restore started. Total 3561438 issues on instance before loading Snapshot file: IndexSnapshot_39801.tar.sz host = hostname source = application.log The Following is the Index Completed Event , inned the duration from the time it started to when its complete by the hostname please. 5/3/21 1:08:10.843 AM 2021-05-03 01:08:10,843-0400 NodeReindexServiceThread:thread-0 INFO [c.a.j.index.ha.DefaultIndexCopyService] Index restore complete. Total 3653227 issues on instance host = hostname source = application.log
... View more
- Tags:
- panel
05-04-2021
01:16 AM
- Tags:
- panel
05-03-2021
08:31 PM
Our Application does a nightly re-index on node 1, once thats complete, the index build is copied to 6 other nodes, Each of the other nodes then restore the files. These entries are noted as "Index restore started." and "Index restore complete." in the application logs. I would like to have a dashboard panel that shows how long it takes from "started" to "complete" on each host to be able to see trends for this over time. How to go about this?
... View more
- Tags:
- dashboard
Labels
- Labels:
-
panel
03-07-2021
11:07 PM
I am trying to create a splunk alert, which sends an email if a key value is missing. host="myhost" sourcetype="access_log" "Key_Word in the access logs'" Usually i get the log entries every 30 mins, i want to get alerted via an email if "Key_Word in the access logs" is missing from the access logs, can someone guide me on this?
... View more
Labels
- Labels:
-
alert action
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-22-2023
11:59 AM
|
