Activity Feed
- Posted How to compare numbers before and after a special char? on Splunk Search. 05-31-2023 07:19 AM
- Posted Re: Evaluate on column in space and tab delimited logs. on Splunk Search. 05-22-2023 12:43 PM
- Posted How do I evaluate on column in space and tab delimited logs? on Splunk Search. 05-17-2023 07:22 AM
- Got Karma for Re: Fix column name and evaluate times. 12-19-2022 08:16 AM
- Posted Re: Fix column name and evaluate times on Splunk Search. 12-19-2022 07:53 AM
- Posted How to fix column name and evaluate times? on Splunk Search. 12-16-2022 01:42 PM
- Tagged How to fix column name and evaluate times? on Splunk Search. 12-16-2022 01:42 PM
- Posted Re: How to display only a substring of result set? on Splunk Search. 09-12-2022 01:45 PM
- Karma Re: How to display only a substring of result set? for scelikok. 09-12-2022 01:45 PM
- Posted How to display only a substring of result set? on Splunk Search. 09-12-2022 12:23 PM
- Posted Re: Create a table with max and sum values on Splunk Search. 07-14-2022 08:47 AM
- Posted Re: Create a table with max and sum values on Splunk Search. 07-14-2022 08:46 AM
- Posted How to create a table with max and sum values on Splunk Search. 07-14-2022 08:27 AM
- Posted Re: How can I search 1 host at a time when index hits a number of hosts? on Splunk Search. 02-03-2022 08:37 AM
- Posted How can I search 1 host at a time when index hits a number of hosts? on Splunk Search. 02-02-2022 10:33 AM
05-31-2023 07:19 AM
Hello,
I have a log file that spits out data like the below. I want to be able to evaluate the numbers on either side of the "/" and alert if they are not the same. How can I do this? There will only be 1 "/" per line. The last line below that has "1/3" would be the only line I want returned.
The data below is not in table form in the log file, it's just text.
NAME READY STATUS RESTARTS AGE
Process1 2/2 Running 0 8d
Process2ab 2/2 Running 0 8d
Process 3abc 1/3 Running 0 8d
Labels: field extraction, regex
05-22-2023 12:43 PM
Hey, thanks for the reply. That basically just returns what's already there. I would like to show the data as a table and be able to filter and return rows where, for example, AGE < 2. At the moment it doesn't seem to recognise that data as a table and hence I can't filter on AGE, or other columns.
05-17-2023 07:22 AM
Hello all.
I have a log file that looks like this;
PROCESS UP STATUS RESTARTS AGE
PROCESS1 2/2 Running 0 6d19h
PROCESS2aaa 2/2 Completed 0 7d6h
PROCESS3 0/1 Running 6 6d19h
I am trying to evaluate on the RESTART column. The length of the process name is not consistent, and some files are tab delimited and some are space delimited.
I can't get my rex command to work. Any help would be very much appreciated.
12-16-2022 01:42 PM
I have a dbquery output that looks like the below; unfortunately I can't update the actual database query to make it more readable...
2022-12-16 21:30:17.689, TO_CHAR(schema.function(MAX(columnA)),'MM-DD-YYHH24:MI')="12-16-22 16:29"
I am trying to determine whether the 2 times at the beginning and end of the results are within 15 mins of each other. I have tried renaming the column from the long stupid string, but I can't get that working using the rename function. Does anyone have any ideas how to rename (or if I even need to) and then evaluate whether the times are within 15 mins of each other?
The query I ran to get the above is just <index="abc">
Tags: time column rename
Labels: rex
09-12-2022 01:45 PM
Thanks, that worked.
09-12-2022 12:23 PM
When I search for the string "ERROR" in a log I get the below
<
DEBUG : blah blah
INFO : blah blah blah
ERROR : <some error string>
More blah blah
>
I want to only show the whole line that starts with ERROR. The length of the error line is variable.
How can I do this?
I do understand that fixing the line-break formatting in props.conf might be a quicker way, but I don't have access to that file, so I would like to do it in the search head. Thanks in advance.
Labels: subsearch
07-14-2022 08:47 AM
Actually it did work. I had been using 'by Category' on both fields. Thanks for the help!
07-14-2022 08:46 AM
Hey, thanks for the response. Yes I have, and it returns the correct data for the 2 fields, but it doesn't pass in the Category field which I need. How can I get all 3 fields?
07-14-2022 08:27 AM
I have a table like the below
Category | Time | Count of string
---|---|---
A | t-5mins | 18
A | t-10mins | 7
A | t-15mins | 10
A | t-20mins | 1
B | t-5mins | 6
B | t-10mins | 18
I would like to create a table with the latest (max) time and the sum of the count by category so that I get this
Category | Max Time | Sum
---|---|---
A | t-5mins | 36
B | t-5mins | 24
I can get the max time and the sum individually into a table but am having issues getting them both into 1 table; the time and sum values are coming up blank.
Can someone advise please?
02-03-2022 08:37 AM
Thanks for the reply. One small update to my original post is that it should read "duration > 2" at the end. To clarify: both strings will appear in all the 10 hosts. At the moment my search is comparing strings from different hosts; it should not do that. I understand I can create 10 alerts (1 for each host), but I would like to find a more efficient way and do it in 1 alert. So I am looking to go through each host in the source / index and evaluate string1 vs string2 on host1, then go to host2 and so on up to host10.
02-02-2022 10:33 AM
I have an index which searches across 10 hosts. I am comparing 2 strings and evaluating the results to see if there is an issue that needs alerting. The results are being messed up as it's evaluating the 2 strings from 2 different boxes, i.e. string1 on hostA against string2 on hostB. It should be string1 on host1 against string2 on host1. Then go to host2, host3 ..... host10. How can I get my search to either sequentially go through each host or have the results grouped by host so as not to show results that have come from 2 different hosts? Current logic is: index="abc" "string1 OR string2" | transaction startswith="string1" endswith="string2" | where count>2
Labels: stats