Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About sashpdhar
sashpdhar
Explorer
Member since:
11-26-2021
11-29-2021
Community Statistics
| Posts | 7 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 11-26-2021 |
Activity Feed
- Posted Re: Join two data sets to report their event times on Splunk Search. 11-28-2021 05:53 PM
- Posted Re: Search for a specific pattern and report earliest and latest occurence of that each day on Splunk Search. 11-28-2021 05:50 PM
- Posted Re: Search for a specific pattern and report earliest and latest occurence of that each day on Splunk Search. 11-27-2021 01:54 PM
- Posted Re: Join two data sets to report their event times on Splunk Search. 11-27-2021 01:24 PM
- Posted Re: Search for a specific pattern and report earliest and latest occurence of that each day on Splunk Search. 11-27-2021 08:00 AM
- Tagged Re: Search for a specific pattern and report earliest and latest occurence of that each day on Splunk Search. 11-27-2021 08:00 AM
- Posted Join two data sets to report their event times on Splunk Search. 11-27-2021 07:57 AM
- Posted Search for a specific pattern and report earliest and latest occurence of that each day on Splunk Search. 11-26-2021 07:07 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
11-28-2021
05:53 PM
thanks @ITWhisperer , it works after that correction. Sorry first time doing SPL commands , so overlooked the extra '|' before join
... View more
11-28-2021
05:50 PM
thanks for pointing it out @PickleRick , my first attempt with SPL commands
... View more
11-27-2021
01:54 PM
Thanks @PickleRick , that did not provide and format in the expected output Basically want to grab unique patterns from Incomming and it's a_time , and then want the p_time from Internal for all those patterns ( looks like outer join of two sets but not working ) Below is the query index="Blah" source="Blah" "Incomming"
| rex "Incomming: (?<s_json>.*])"
| bin _time span=1d
| stats earliest(_time) as a_time by _time,s_json
| table _time,s_json,a_time
| join type=outer
| [ search index="Blah" source="Blah" "Internal"
| rex "Internal: (?<s_json>.*])"
| bin _time span=1d
| stats latest(_time) as p_time by _time,s_json
| table _time,s_json,p_time
]
| convert ctime(a_time)
| convert ctime(p_time) Getting the below error Error in 'from' command: Option 'type=outer' is invalid. But both individual queries independently give the desired result set like Date1 , j1, [a_time|p_time]
Date1 , j2, [a_time|p_time]
Date2 , j3, [a_time|p_time]
Date2 , j1, [a_time|p_time]
.........
... View more
11-27-2021
01:24 PM
Thanks you , getting below error Error in 'from' command: Invalid dataset specifier 's_json', expected dataset-type:dataset-name. Verify your search string. Query - index="blah" source="*blah*" "Incomming"
| rex "Incomming: (?<s_json>.*])"
| bin _time span=1d
| stats earliest(_time) as a_time by _time s_json
| join type=outer _time s_json
| [search index="blah" source="*blah*" "Internal"
| rex "Internal: (?<s_json>.*])"
| bin _time span=1d
| stats latest(_time) as p_time by _time s_json
]
| convert ctime(a_time)
| convert ctime(p_time)
| stats values(a_time) as a_time values(c_time) as p_time by _time s_json
| table _time,s_json,a_time,p_time
... View more
11-27-2021
08:00 AM
trying to achieve something like this @PickleRick want to report a json pattern for each day and grab event times from different logs for that pattern , tried something like this but not working as expected , need suggestions. Current Query index="blah" source="*blah*" "Incomming" | rex "Incomming: (?<s_json>.*])" | timechart span=1d earliest(_time) as a_time by s_json | join type=outer s_json [ search index="blah" source="*blah*" "Internal" | rex "Internal: (?<s_json>.*])" | timechart span=1d latest(_time) as c_time by s_json ] | convert ctime(a_time) | convert ctime(c_time) | table _time,s_json,a_time,c_time Expected - Date1 , j1 , a_time,c_time Date1,j2,a_time,c_time Date2,j3,a_time,c_time Date3,j4,a_time,c_time Date4,j1,a_time,c_time Date4,j2,a_time,_ctime Each day can have its own unique patterns ( j1,j2,j3,j4 ... ) , so need to dyamicallly pick that for that day and report a_time and c_time for those patterns each day
... View more
- Tags:
- ying to
11-27-2021
07:57 AM
want to report a pattern for each day and grab event times from different logs for that pattern , tried something like this but not working as expected , need suggestions. Current Query index="blah" source="*blah*" "Incomming" | rex "Incomming: (?<s_json>.*])" | timechart span=1d earliest(_time) as a_time by s_json | join type=outer s_json [ search index="blah" source="*blah*" "Internal" | rex "Internal: (?<s_json>.*])" | timechart span=1d latest(_time) as c_time by s_json ] | convert ctime(a_time) | convert ctime(c_time) | table _time,s_json,a_time,c_time Expected - Date1 , j1 , a_time,c_time Date1,j2,a_time,c_time Date2,j3,a_time,c_time Date3,j4,a_time,c_time Date4,j1,a_time,c_time Date4,j2,a_time,_ctime Each day can have its own unique patterns ( j1,j2,j3,j4 ... ) , so need to dyamicallly pick that for that day and report a_time and c_time
... View more
11-26-2021
07:07 PM
Team - looking for ideas how to achieve the below scenario Query 1 - get list of unique patterns for each day Query 2 - for the list of above patterns get earliest occurence for each day Query 3 - for the list of above patterns get latest occurence for each day Report - Day , Pattern , earliest time , latest time Note - Query 1, 2,3 are all different search queries , as they all are in different log lines
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
11-29-2021
08:24 AM
|
