About kumar497

kumar497 · ‎07-12-2023

Thanks it works

kumar497 · ‎07-08-2023

Hi @gcusello Thanks when you say "| search (>200 OR >250 OR >300 OR >350)", you are speaking of "| search duration>200 OR duration>250 OR duration>300 OR duration>350)", is it correct? -- yes why didn't you used only duration>350 or do you want a categorization or the resposes? -- looking for the categorisation of the responses based on each baseline value like no of events with duration > 200 and with duration > 300 etc what is "Timeduration"? -- this is simply time field (time taken by the service to respond)

kumar497 · ‎07-08-2023

Hi i am trying to plot a timechart for multiple duration windows which service is taking time to respond inorder to segregate how many requests are breaching SLA based on this timeline , is it possible to plot this kind of computation ? index=<<index name>> | rex field=_raw "duration=(?<Time>.*?)," | search (>200 OR >250 OR >300 OR >350) | chart or timechart by Timeduration example : each request has its own response time like 300, 350 ,260,360ms for each request so wanted to look for the chart or timechart based on the requests taking >200 count, >250 count, >300 count > 350 count as this has overlapping aswell to rule out how many requests are falling in each time span, can i get a help pls Thanks in advance

kumar497 · ‎02-28-2023

log event is as shown in the above thread in my log event the error field is logged with multiple error codes for different item ids or no errors yet all in each event as shown below and requirement is to get each error code split up with percentages error=138021380=404.IMS.STORE.100;500.IMS.PRICE.103:42068997=400.IMS.STORE.100 number of itemids passed in each request is logged under responseSize field which is been extracted responseSize=3 So each event has different instances of errors and responseSize for example in a event there is 3 items passed but two items has 3 different error codes as above similarly another event has different instances of errors or no errors with different item size ,so i would like to compute error ratio like ratio = (each type of error code count)/(total num of items in all events) each type error code count = (event1 no of times (404.IMS.STORE.100) +event2 no of times(404.IMS.STORE.100) +...+eventN no of times (404.IMS.STORE.100)) second error code count = (event1 no of times (500.IMS.PRICE.103) +event2 no of times (500.IMS.PRICE.103) +...+eventN no of times(500.IMS.PRICE.103)) total no of items = (event1responseSize1+event2responseSize2+.....+eventNresponseSizeN) Note: responseSize has to be considered for all events not only error related as errorcode % is determined on all the item size from all events expected output error errorcount total_items errorratio 404.IMS.STORE.100 example 62 times example 14577(total items count) 62/14577 400.IMS.OFFER.103 example 54 times example 14577(total items count) 54/14577 500.IMS.PRICE.103 example 77 times example 14577(total items count) 77/14577 so basically all different error code split up with ratio of those error percentages is the expected outcome, hope i am able to present clearly

kumar497 · ‎02-27-2023

Thanks @bowesmana tried the above approach but in certain error cases the ratio showing 100% ideally aggregation of responseSize per event be a single unique value isnt it for a time window, Is it possible to multiple (1/aggregatedvalue of all items size) * (error_count per errorcode) in this usecase Also streamstats can be used after error splitting? because responseSize count for non error events has to be also included to compute overall items count, please correct me if im wrong Thanks

kumar497 · ‎02-27-2023

Thanks @bowesmana responseSize attribute is the num of items passed in each request , im considering this field to compute the errorcode % across the overall items passed for that duration exampe if an event have 404.IMS.STORE.100 error thrice(three items) out of 10 items , i would like aggregate each such instance across the aggregation of total items for the time duration , this should include the events with responseSize that has no errors so that overall items count are covered while ratio 1st event with 3 error instances 404.IMS.STORE.100 with responseSize=10 2nd event with 5 error instances 404.IMS.STORE.100 with responseSize=25 expected ratio per error (3+5)/(10+15) Im stuck while mapping the error instances count and the total responseSize count while computing the ratio in a streaming fashion as it works individually while doing stats Thanks in advance!!

kumar497 · ‎02-27-2023

Hi All i have been trying to capture the error split up and ratio from the following sample log event which probably needs a complex regex { [-] cluster_id: us-prod-az-200 kubernetes: { [+] } log: { [-] appVersion: 0.1.326 envType: prod environment: prod-txn log: Request and Response, consumerId=xxxxxx-xxxx-xxxx, duration=144, correlationId=0-0-0, requestType=ItemDetails, requestIds=43947812:212001513:217953998:55079684:748708658:42068997:16875745:392480759:138021380:49984819:3933145:54016598:500257082:702903612:50179695:54056450, reqOfferIds=,requestPrimaryMap=, storeIds=0000, status=PARTIAL, responseSize=16, isCustomerAddressPresent=true, extPostalCode=null, fulfillmentIntent=, error=138021380=404.IMS.STORE100;500.IMS.PRICE.103:42068997=400.IMS.STORE.100:3933145=500.IMS.OFFER.100;404.IMS.PRICE.103:212001513=404.IMS.STORE.100:217953998=404.IMS.STORE.100;400.IMS.100:500257082=404.IMS.STORE.100, missingBadgeItems=138021380:702903612:55079684:49984819:54056450:3933145:217953998:392480759, pickupStoreIds= logLine: 93 methodName: Utils serverName: 11.16.251.37 time: 2023-02-27 14:43:33.999 timeStamp: 1677509013999 type: INFO } time: 2023-02-27T14:43:33.999844088Z each event is unique with error attribute is multivalued field with delimiters for each id(only incase of error) or null as shown below, ex: error=138021380=404.IMS.STORE100;500.IMS.PRICE.103:42068997=400.IMS.STORE.100:3933145=500.IMS.OFFER.100;404.IMS.PRICE.103:212001513=404.IMS.STORE.100:217953998=404.IMS.STORE.100;400.IMS.100:500257082=404.IMS.STORE.100, OR error=, my requirement is to compute each error code splitup and error ratio in a tabular fashion ratio=each error code count/total responseSize here responseSize is the number of ids passed in each request per event error count responseSize ratio 404.IMS.STORE100 aggregation of the error aggregate of responseSize round((count/responseSize)*100,2) 500.IMS.PRICE.103 aggregation of the error aggregate of responseSize can someone please help to find a better way to have the error breakdown with ratio as per the above requirement i was trying to segregate the error split up and aggregating the responseSize but the search is not giving expected results while tabulating, index=<index name> "log.envType"=prod "log.methodName”=“Utils”   | rex field=_raw "responseSize=*(?<responseSize>.+?),"  | rex field=_raw ", error=*(?<errorMap>.+), missingBadgeItems" | eval errors0=replace(errorMap, "=", ";") | eval errors1=split(errors0,":") | rex field=errors1 "(?<errorCodes>.*)" | mvexpand errorCodes | eval code=split(errorCodes, ";") | mvexpand code | table code,responseSize can someone please help..Thanks

kumar497 · ‎01-11-2023

Thanks @PickleRick for the inputs

kumar497 · ‎01-11-2023

Thank you so much @ITWhisperer this is really helpful but only constraint was around the mvexpand where the memory limits are reaching without sampling, though its working if including sampling ratio just would like to understand max(row) is the sequence number of each event after splitting the error codes isnt it, will it not generate too many events ,sorry i might be missing something stats count as error_count max(row) as total_hits by errorCodes1

kumar497 · ‎01-08-2023

yes right the event counts will not match, my intention is to compute each errorcode percentage out of the total no of requests that is logged, In this usecase error codes will be either multiple errors in a single event or no errors, so trying to extract each errorcode and also required to preserve total no of requests as "eventstats count" in the initial phase bcz further error filtering of 5xx(with like function) yields in less num of events hope i made the requirement clear

kumar497 · ‎01-08-2023

Thanks @PickleRick for your inputs yeah total event is in json and the field im trying to extract is part of a "log" attribute in the json event my intention is to compute each errorcode percentage out of the total no of requests that is logged, In this usecase error codes will be either multiple errors in a single event or no errors, so trying to extract each errorcode and also required to preserve total no of requests as "eventstats count" in the initial phase bcz further error filtering of 5xx(with like function) yields in less num of events hope i made the requirement clear Thanks i can use the below rex for error extraction which is helpful but still i am unable to compute the error % for a larger duration as the jobs getting finalized exceeding the user quota seems im missing something,

kumar497 · ‎01-06-2023

Thanks @ITWhisperer you are right I modified the search as below to compute the error ratio but disk usage is exceeding the configured limits getting the job autofinalized showing 0 events with increased time window but working only with very short duration, Is there a way to optimize further can someone please help index=<indexname> "Search String XXXXXXXXX" "Type"=prod | eventstats count as total_hits | rex field="log.log" ", errorMap=*(?<errorMap2>.+),missingFulfillmentItems" | eval errors0=replace(errorMap2, "=", ";") | eval errors1=split(errors0,":") | rex field=errors1 "(?<errorCodes>.*)" | mvexpand errorCodes | eval errorCodes1=split(errorCodes, ";") | mvexpand errorCodes1 | where like(errorCodes1,"%500.IMS.%") | stats count(errorCodes1) as error_count by errorCodes1,total_hits | eval error_ratio=round((error_count/total_hits)*100,2) | table errorCodes1,error_count,error_ratio,total_hits | sort -error_ratio

kumar497 · ‎01-04-2023

Hi All, I am trying to tabulate the error ratio based on the following scenarios from the unique log event but further using the regex to split the error code causing the total events to be filtered out causing the overall hits to be incorrect while % calculation as the initial no of unique events is not getting preserved with eventstats sample log event is in json format as below and multiple errorcodes in same log event which needs a error wise split log:<<field1>>,<<field2>>,<<field3>>,error=60KOANEWLH=500.EBS.SYSTEM.100:67MPW4X79FOJ=500.IMS.SERVEROUT.100:3534U6ZIZY39=500.EBS.SERVERIN.100;404.IMS.SERVEROUT.105:3M8TEWEKVIJK=500.IVS.XXXXX.100;404.IMS.XXXX.105:2ILTH9G0UMG1=500.IMS.XXXXXXXX.100:0UAQL48U2KWF=500.EBS.XXXXXXX.100;404.IMS.XXXXXXXXX.105, missingFulfillmentItems,<<field4>>,<<field5>>,<<field6>> i would like to get each error code % mainly (500.XX.XXXX.100 count/total hits) below is the splunk search filter been used but not getting totalevents, please correct me if there is anything missed,,could someone please assist with an alternate option to compute the error trend..Thanks in advance index=<indexname> "Search String" "Type"=prod | eventstats sum(index) as total_hits | rex field="log.log" ", error=*(?<errorMap2>.+), missingFulfillmentItems" | eval errors0=replace(errorMap2, "=", ";") | eval errors1=split(errors0,":") | rex field=errors1 "(?<errorCodes>.*)" | mvexpand errorCodes | eval errorCodes1=split(errorCodes, ";") | mvexpand errorCodes1 | where like(errorCodes1,"%500.IMS.%") | stats count by errorCodes1,total_hits Note: each log event is unique and has multiple error codes with in the event or no error codes in the event if its success

kumar497 · ‎03-17-2021

Thanks @Vardhan it helps

kumar497 · ‎03-17-2021

thanks @peter_krammer for the response, but when appending to the search giving an error and also tried in the regex101.com which seems having an issue with grouping the structure,sorry if i missed anything Error in 'rex' command: Encountered the following error while compiling the regex '(?://=(?[^:,]+))': Regex: unrecognized character after (? or (?-.

kumar497 · ‎03-17-2021

Hi all, i have been trying to extract error code which is alphanumeric and is delimited as per below but not able to extract with the rex due to the unstructured fields, will there be any way to extract this fields to do a timechart on the error codes.any help pls sample piece of log error=30578910//=404.EBS.SYSTEM.101:6NAHKFZA//=404.IMS.SERVERIN.103:2GSO0LPT//=404.IES.SERVER.105:5X3HSH18M//=404.IES.SERVEROUT.105,missingFulfillmentItems required output 404.EBS.SYSTEM.101 404.IMS.SERVERIN.103 404.IES.SERVER.105 404.IES.SERVEROUT.105

Posts	16
Solutions	1
Karma Given	0
Karma Received	0
Member Since	‎03-17-2021

Online Status	Offline
Date Last Visited	‎07-12-2023 03:37 AM

Is it possible to create multiple duration time gr...

Why the error capturing using regex?

Why am I receiving error trend stats with multiple...

Multiple values field extraction with colon delimi...

Re: multiple duration time graphs

Re: multiple duration time graphs

Is it possible to create multiple duration time gr...

Re: Why the error capturing using regex?

Re: Why the error capturing using regex?

Re: Why the error capturing using regex?

Why the error capturing using regex?

error stats with multiple codes from each event?

multiple codes from each event

Re: error trend stats with multiple error codes fr...

Re: Why am I receiving error trend stats with mult...

Re: error trend stats with multiple error codes fr...

Why am I receiving error trend stats with multiple...

Re: Multiple values field extraction with colon de...

Re: Multiple values field extraction with colon de...

Multiple values field extraction with colon delimi...