×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
gnandini
Observer
Member since: ‎11-14-2021
‎11-15-2021
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎11-14-2021
Activity Feed
View All

Re: Splunk query with multiple for subsearches

by in Splunk Search
‎11-14-2021 08:34 PM
‎11-14-2021 08:34 PM
Hi @PickleRick  Thanks for the prompt response. I have to list all the distinct errors within the time period of 15 minutes for each occurance of specific error(Error JVM), for each host and below is the sample error log. Please let me know how to get this distinct error list. 2021-05-10 23:48:49,754 main-SendThread(48.252.152.188:2181) WARN o.a.z.s.ZooKeeperThread - ZooKeeperThread.handleException() : Exception occurred from thread main-SendThread(xx.252.xxx.188:xxxx) java.lang.OutOfMemoryError: Java heap space   Thanks, Nandini G ... View more

Splunk query with multiple for subsearches

by in Splunk Search
‎11-14-2021 10:00 AM
‎11-14-2021 10:00 AM
Hi Team, @DalJeanis  I am trying to achieve below splunk search query to find out all the errors that are causing JVM instability.       for-each host : hosts (list of hosts) for-each jvmerrorevent(event_time, early15minofevent) : jvmerrorevents (search1 will result a table (list of event_time, even_time-15 minutes as early15minofevent)) result+ = list of errors (search2 = search1+select list of errors occurred between early15minofevent and event_time) return result                                  Below query resulting error. Please suggest if any better way to achieve this. Thanks in advance. index="123apigee"  sourcetype="msg_system_log" (host="123") "ERROR JVM OUT OF MEMORY ERROR" | eval customtime= strftime(_time, "%Y-%m-%d %I:%M:%S.%3Q") | eval 15MinEarlyofEvent= strftime(_time - 900, "%Y-%m-%d %I:%M:%S.%3Q") | table 15MinEarlyofEvent,customtime | map search="search index=123apigee sourcetype=msg_system_log host=123 ERROR | _time=strftime($customtime$, "%s")"          Regards, Nandini G ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎11-15-2021 12:00 AM