Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About dezmadi
dezmadi
Path Finder
Member since:
04-01-2022
08-26-2022
Community Statistics
| Posts | 17 |
| Solutions | 0 |
| Karma Given | 3 |
| Karma Received | 1 |
| Member Since | 04-01-2022 |
Activity Feed
- Posted How to handle if table doesn't exist in a schema? on Splunk User Behavior Analytics. 08-26-2022 05:07 AM
- Got Karma for How to hide columnName from table?. 05-23-2022 09:46 AM
- Posted Why is loadjob retruning null? on Splunk Search. 05-23-2022 04:30 AM
- Posted How to hide columnName from table? on Splunk Search. 05-19-2022 11:27 PM
- Posted Re: How to show to line chart for failureCount, warningCounttimechart by time? on Splunk Search. 05-19-2022 10:15 PM
- Karma Re: Splunk multiple line chart date wise for ITWhisperer. 05-19-2022 10:12 PM
- Posted How to show to line chart for failureCount, warningCounttimechart by time? on Splunk Search. 05-18-2022 10:59 PM
- Posted Re: Splunk query doesn't return Count on Splunk Search. 05-10-2022 04:06 AM
- Posted Re: Splunk query doesn't return Count on Splunk Search. 05-09-2022 06:38 AM
- Posted Why does Splunk query not return Count? on Splunk Search. 05-09-2022 06:10 AM
- Posted Re: Union of two queries on Dashboards & Visualizations. 04-12-2022 01:41 AM
- Karma Re: Union of two queries for PickleRick. 04-12-2022 01:39 AM
- Karma Re: Union of two queries for PickleRick. 04-12-2022 12:50 AM
- Posted Re: Union of two queries on Dashboards & Visualizations. 04-12-2022 12:06 AM
- Posted How to get union of two in one query and extract even duplicate result? on Dashboards & Visualizations. 04-11-2022 10:46 PM
- Posted Re: How to extract ErrorCode from log messages using regex? on Splunk Enterprise. 04-04-2022 02:00 AM
- Posted Re: How to extract ErrorCode from log messages using regex? on Splunk Enterprise. 04-04-2022 01:41 AM
- Posted Re: How to extract ErrorCode from log messages using regex? on Splunk Enterprise. 04-04-2022 01:25 AM
- Posted Re: regex on Splunk Enterprise. 04-03-2022 11:38 PM
- Posted Re: regex on Splunk Enterprise. 04-01-2022 05:29 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
08-26-2022
05:07 AM
Hi,
I am running below query, however I am getting error saying relation "analytics_hca_change_indicator_event doesn't exist" even if table doesn't exist in any one of the schema
| koogledimen service=TenantPPASQuery action=AdhocQuery targetGroup="keng03-dev01-ins08-wfm19-dbs" app="Unknown_App/ppas_dheeraj_r9int" schema="_ALL_" query="select date(createdtm), count(*) from analytics_hca_change_indicator_event group by createdtm " | eval envstatus=if(like(scope, "%dev01%"), 1, 0)| eval wfmstatus=if(like(scope, "%wfm19%"), 1, 0) | where envstatus=1 and wfmstatus=1 | eval wfm_schemaname = mvindex(split(scope, "-"), -1).schemaname| eval wfm_schemaname = mvindex(split(scope, "-"), -1)."_".schema_name | chart sum(count) by date,wfm_schemaname
How to handle this scenario please?
... View more
Labels
- Labels:
-
development
05-23-2022
04:30 AM
I have below query as query returning null
<search id="dfLatencyOverallProcessingDelayBaseSearch">
<query>index="deng03-cis-dev-audit" | eval serviceName = mvindex(split(index, "-"), 1)."-".mvindex(split(host, "-"), 2) |search "data.labels.activity_type_name"="ViolationOpenEventv1" |spath PATH=data.labels.verbose_message output=verbose_message |
where verbose_message like "%overall_processing_delay%Dataflow Job labels%" | eval error=case(like(verbose_message,"%is above the threshold of 60.000%"), "warning", like(verbose_message,"%is above the threshold of 300.000%"), "failure") </query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
<sampleRatio>1</sampleRatio>
<done>
<condition>
<set token="dfLatencyOverallProcessingDelay_sid">$job.sid$</set>
</condition>
</done>
</search>
Then
SomeQuery.append [ loadjob $dfLatencyOverallProcessingDelay_sid$ | eval alertName = "Dataflow-Latency-Overall processing high delay" | stats values(alertName) as AlertName values(serviceName) as serviceName count(eval(error=="failure")) as failureCount count(eval(error=="warning")) as warningCount]
If result from dfLatencyOverallProcessingDelay_sid are null, then AlertName is also coming as blank, I want this to be "Dataflow-Latency-Overall processing high delay"
... View more
Labels
- Labels:
-
other
05-19-2022
11:27 PM
1 Karma
I want to hide columName from 2nd row onwards for below table
<row> <panel> <title>STATS : SLI/SLO Dashboard count</title> <table> <search base="pubsubLatencyHighAckDelayDFBaseSearch"> <query> | stats values(serviceName) as serviceName count(eval(error=="failure")) as failureCount count(eval(error=="warning")) as warningCount</query> </search> </table>
<html depends="$dontshow$"> <style> #tableWithHiddenHeader1 thead{ visibility:hidden; display:none; } </style> </html> <table id="tableWithHiddenHeader1"> <search base="dfLatencyOverallProcessingDelayBaseSearch"> <query> | stats values(serviceName) as serviceName count(eval(error=="failure")) as failureCount count(eval(error=="warning")) as warningCount</query> </search> </table> </panel> </row>
However when I am using visibility:hidden; display:none; Alignment is bad, Attach is the screenshot
... View more
Labels
- Labels:
-
table
05-19-2022
10:15 PM
Thanks, it works, However I am doing like below <search id="pubsubLatencyHighAckDelayDFBaseSearch"> <query>index="deng03-cis-dev-audit" | spath PATH=data.labels.verbose_message output=verbose_message | eval serviceName = mvindex(split(index, "-"), 1)."-".mvindex(split(host, "-"), 2) |search "data.labels.activity_type_name"="ViolationOpenEventv1" | where (verbose_message like "%Oldest unacked message age%evt%" or verbose_message like "%Oldest unacked message age%rec%") | eval error=case(like(verbose_message,"%above the threshold of 1800.000%"), "warning", like(verbose_message,"%above the threshold of 300.000%"), "failure") </query> <earliest>$time.earliest$</earliest> Now I want to append a line in below <row> <panel> <title>STATS : SLI/SLO Dashboard count</title> <table> <search base="pubsubLatencyHighAckDelayDFBaseSearch"></search> </table> </panel> </row> <latest>$time.latest$</latest> <sampleRatio>1</sampleRatio> </search> How can we append line in <search base="pubsubLatencyHighAckDelayDFBaseSearch"></search>?
... View more
05-18-2022
10:59 PM
Hi,
I am using below query in my Dashboard
index="deng03-cis-dev-audit" | spath PATH=data.labels.verbose_message output=verbose_message | eval serviceName = mvindex(split(index, "-"), 1)."-".mvindex(split(host, "-"), 2) |search "data.labels.activity_type_name"="ViolationOpenEventv1" | where (verbose_message like "%Oldest unacked message age%evt%" or verbose_message like "%Oldest unacked message age%rec%") | eval error=case(like(verbose_message,"%above the threshold of 1800.000%"), "warning", like(verbose_message,"%above the threshold of 300.000%"), "failure") | stats values(serviceName) as serviceName count(eval(error=="failure")) as failureCount count(eval(error=="warning")) as warningCounttimechart
I want to show to line chart for failureCount, warningCounttimechart by time, I tried appending timechart span=1d count by failureCount, warningCounttimechart, but of no use
... View more
05-10-2022
04:06 AM
I am not able to print index in table while running below query index="deng03-cis-dev-audit" | spath PATH=data.labels.verbose_message output=verbose_message | search "data.labels.activity_type_name"="ViolationOpenEventv1" | where (verbose_message like "%Oldest unacked message age%evt%" or verbose_message like "%Oldest unacked message age%rec%") | eval error=case(like(verbose_message,"%above the threshold of 1800.000%"), "warning", like(verbose_message,"%above the threshold of 300.000%"), "failure") | eval service = index | stats count(eval(error=="failure")) as failureCount count(eval(error=="warning")) as warningCount | table index failureCount warningCount However with below query index is printed but I want index , warningCount and failureCount as well index="deng03-cis-dev-audit" | spath PATH=data.labels.verbose_message output=verbose_message | search "data.labels.activity_type_name"="ViolationOpenEventv1" | where (verbose_message like "%Oldest unacked message age%evt%" or verbose_message like "%Oldest unacked message age%rec%") | eval error=case(like(verbose_message,"%above the threshold of 1800.000%"), "warning", like(verbose_message,"%above the threshold of 300.000%"), "failure") | eval service = index | table index
... View more
05-09-2022
06:10 AM
Hi, I am running below query and expecting count of failureCount, warningCount in table as total count (1 row only), however it's not returning anything, Where I am going wrong?
index="deng03-cis-dev-audit" | spath PATH=data.labels.verbose_message output=verbose_message | search "data.labels.activity_type_name"="ViolationOpenEventv1" | where
(verbose_message like "%Oldest unacked message age%evt%" or verbose_message like "%Oldest unacked message age%rec%") | eval error=case(like(verbose_message,"%above the threshold of 1800.000%"), "warning", like(verbose_message,"%above the threshold of 300.000%"), "failure") | eval failureCount count by error="failure" | eval warningCount count by error="warning" | table failureCount, warningCount
... View more
Labels
- Labels:
-
stats
04-12-2022
01:41 AM
Cheers , it works now, Any suggestion how can we remove passorder, splitter and totalreqorder from table, we don't want those
... View more
04-12-2022
12:06 AM
Thanks for the quick reply, however there are 2 issues with first query(If I am not applying splitter), 1: I am getting passorder and totalreqorder also as part of table, also with where passorder<=3 AND totalreqorder <=10, I am getting just 3 records In second query, its saying "Error in 'eval' command: The expression is malformed. Expected )." However format seems to be correct
... View more
04-11-2022
10:46 PM
I have two queries
index="gtw-ilb" /v1/platform/change_indicators host="*dev01*"| search sourcetype="nginx:plus:access" |eval env = mvindex(split(host, "-"), 1) | convert num(status) as response_code | eval env = mvindex(split(host, "-"), 1) |eval tenant=split(access_request, "tenantId=")| eval tenant=mvindex(tenant, 1) | eval tenant=split(tenant, "&") | eval tenant=mvindex(tenant, 0) | stats count(eval(like(response_code,"%%%"))) AS total_request count(eval(like(response_code,"4%%"))) AS error_request4 count(eval(like(response_code,"5%%"))) AS error_request5 by tenant | eval pass_percent = round(100-((error_request4+error_request5)/total_request*100),2) | where total_request >1 | table tenant, pass_percent, total_request | sort -pass_percent limit=3
And
index="gtw-ilb" /v1/platform/change_indicators host="*dev01*"| search sourcetype="nginx:plus:access" |eval env = mvindex(split(host, "-"), 1) | convert num(status) as response_code | eval env = mvindex(split(host, "-"), 1) |eval tenant=split(access_request, "tenantId=")| eval tenant=mvindex(tenant, 1) | eval tenant=split(tenant, "&") | eval tenant=mvindex(tenant, 0) | stats count(eval(like(response_code,"%%%"))) AS total_request count(eval(like(response_code,"4%%"))) AS error_request4 count(eval(like(response_code,"5%%"))) AS error_request5 by tenant | eval pass_percent = round(100-((error_request4+error_request5)/total_request*100),2) | where total_request >1 | table tenant, pass_percent, total_request | sort -total_request limit=10
These 2 queries have 90% search criteria common except sorting by column
I want to union of two in one query and extract even duplicate result, what will be that one query please?
... View more
04-04-2022
02:00 AM
Thanks a lot, it worked
... View more
04-04-2022
01:41 AM
ErrorCode exist in the event, however if there is space, it's returning as null in visualisation, For instance, in below event, we have ErrorCode: CIS-53030 (Here there is space between ErrorCode: and CIS-53030), it's showing as NULL msg: ErrorCode: CIS-53030 Events cannot be processed as WFM is not provisioned for WFM ID
... View more
04-04-2022
01:25 AM
Thanks, but I am still getting it as NULL, I have pasted it below Below is the message (Here there is a space between ErrorCode: and CIS-53030) msg: ErrorCode: CIS-53030 Events cannot be processed
... View more
04-03-2022
11:38 PM
Thanks, it worked, however in visulalization, it prints as NULL if there's a space in between For instance it prints NULL for ErrorCode: CIS-53030 However if it's ErrorCode: CIS-53031, it prints correct value as ErrorCode: CIS-53031
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-26-2022
04:13 PM
|
