Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About Hugues
Hugues
Path Finder
Member since:
09-28-2022
10-05-2022
Community Statistics
| Posts | 12 |
| Solutions | 1 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 09-28-2022 |
Activity Feed
- Posted Re: Can I change the stats limit in Splunk for the max characters? on Splunk Search. 10-06-2022 08:58 AM
- Posted Re: Can I change the stats limit in Splunk for the max characters? on Splunk Search. 10-04-2022 01:47 PM
- Posted Re: Can I change the stats limit in splunk for the max characters? on Splunk Search. 10-04-2022 01:31 PM
- Tagged Re: Can I change the stats limit in splunk for the max characters? on Splunk Search. 10-04-2022 01:31 PM
- Posted Re: Can I change the stats limit in splunk for the max characters? on Splunk Search. 10-04-2022 09:25 AM
- Posted Re: Can I change the stats limit in splunk for the max characters? on Splunk Search. 10-04-2022 07:06 AM
- Tagged Re: Can I change the stats limit in splunk for the max characters? on Splunk Search. 10-04-2022 07:06 AM
- Posted Re: Can I change the stats limit in splunk for the max characters? on Splunk Search. 10-04-2022 06:45 AM
- Tagged Re: Can I change the stats limit in splunk for the max characters? on Splunk Search. 10-04-2022 06:45 AM
- Posted Re: Can I change the stats limit in splunk for the max characters? on Splunk Search. 10-03-2022 12:06 PM
- Tagged Re: Can I change the stats limit in splunk for the max characters? on Splunk Search. 10-03-2022 12:06 PM
- Posted Can I change the stats limit in Splunk for the max characters? on Splunk Search. 10-03-2022 09:17 AM
- Posted Re: Concact msg from multiple event for after apply a regex on Splunk Search. 10-03-2022 08:43 AM
- Tagged Re: Concact msg from multiple event for after apply a regex on Splunk Search. 10-03-2022 08:43 AM
- Posted Re: Concact msg from multiple event for after apply a regex on Splunk Search. 09-28-2022 09:19 AM
- Posted Why am I getting this concact msg from multiple event for after apply a regex? on Splunk Search. 09-28-2022 08:13 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
10-06-2022
08:58 AM
Hello all, for some reason I need pass trought _raw my message before use stats. index="bnc_6261_pr_log_conf" logStreamName="*/i-*/config_Ec2_CECIO_Linux/stdout" | sort 0 _time | rex field=_raw ".*message\":(?<new_message>.*)" (add my message from _raw in new_message) | rex mode=sed field=new_message "s/\\\n/\n/g" (I lose my asci format, bring back newline) | stats list(new_message) as msg by logStreamName Machine_name account with the _raw , I keep all my events with stats command. Some expert from Splunk , start check why I need to do that ... If they find the raison I will communicate the info with you...
... View more
10-04-2022
01:47 PM
Thanks , it for all app index or it can be only apply on index="bnc_6261_pr_log_conf" ? im a newbie in splunk and im not sure if I use the right word... This change will effect anybody else in our compagnie all other search on other index? thanks again Hugues
... View more
10-04-2022
01:31 PM
All 3 messages have the field message, Check the screenshot I made ... and I lose the message 11:31:51... see screenshot when I perform this request or other type of request with eval on field message , I lose event 11:31:51 in the list msg, only 2 msg appear in List msg. if I try easy request index="bnc_6261_pr_log_conf" logStreamName="4a0dc28c-98ce-4f60-b6b3-f8d14815eaf8/i-09bfc06d1ff10cb79/config_Ec2_CECIO_Linux/stdout" AND message="*LONGOS*" , this suppose get out only the message 11:31:51, I get nothing ... The Event: output of my search on logStreamName="4a0dc28c-98ce-4f60-b6b3-f8d14815eaf8/i-09bfc06d1ff10cb79/config_Ec2_CECIO_Linux/stdout" AND message="*LONGOS*" Hugues
... View more
- Tags:
- stats
10-04-2022
09:25 AM
yes it is working if I use a raw option with a regex, all events have message field, This link with the number of characters , some max. I cannot apply this solution (ex field=_raw ".*message\":(?<new_message>.*)") on this more complexe request index="bnc_6261_pr_log_conf" logStreamName="*b6b3-f8d14815eaf8/i-09bfc06d1ff10cb79/config_Ec2_CECIO_Linux/stdout" | stats list(ms) as msg by logStreamName because I have the same issue I lose the event have message with more 10 000 characters... Hugues
... View more
10-04-2022
07:06 AM
with raw option it is work index="bnc_6261_pr_log_conf" logStreamName="*b6b3-f8d14815eaf8/i-09bfc06d1ff10cb79/config_Ec2_CECIO_Linux/stdout" | rex field=_raw ".*message\":(?<new_message>.*)" | eval l = len(new_message) | stats list(l) as NumberOfCar give this output Now how can solve the problem with this request index="bnc_6261_pr_log_conf" logStreamName="c36be289-86f8-4406-94ea-6933b26f9767/i-0ee87265c1f2f4fb7/PatchLinux/stdout" | stats list(ms) as msg by logStreamName Hugues
... View more
- Tags:
- stats
10-04-2022
06:45 AM
Thanks for your help. only two event output not see the event for 11:31:56 with 28973 characters I have many other exemple with this problem.... It is not the only case.... every time I have a message with more 6000 characters, may be 10 000 , it disapear when I use stats , eval and table command.... thanks for your help. I am a newbie in splunk , your help is precious! Hugues
... View more
- Tags:
- only
10-03-2022
12:06 PM
Thanks for your reply, Sorry im a newbie , I try give you much detail possible... I try give you more information. When I try this request, >index="bnc_6261_pr_log_conf" logStreamName="*b6b3-f8d14815eaf8/i-09bfc06d1ff10cb79/config_Ec2_CECIO_Linux/stdout" Output of 3 event with different message content and lenght: Event 11:31:51/ Event 11:31:16: Event 11:30:46/ If I count of length of each message, I have only two length in the output, The biggest message count are not there. All message are different , time is different and all 3 have the same logstream name. >index="bnc_6261_pr_log_conf" logStreamName="*b6b3-f8d14815eaf8/i-09bfc06d1ff10cb79/config_Ec2_CECIO_Linux/stdout" | eval l = len(message) | stats values(l) as NumberOfCar I create this small exemple for try to explain my problem. I have same problem with a more complexe request. >index="bnc_6261_pr_log_conf" logStreamName="c36be289-86f8-4406-94ea-6933b26f9767/i-0ee87265c1f2f4fb7/PatchLinux/stdout" | stats list(message) as msg by logStreamName my list msg for each logstram name lose the biggest message when is bigger of some number of caracters, may be 10 000. Il try your request , >index=_internal sourcetype=splunkd component=linebreakingprocessor message="truncating*" and this one >index=_internal sourcetype=splunkd component=linebreakingprocessor and >index=_internal sourcetype=splunkd I have no events Thanks all ,for your help! Hugues
... View more
- Tags:
- stats
10-03-2022
09:17 AM
hello all,
My problem is I thing Splunk have max character accepted for stats command,
when i perform this search
index="bnc_6261_pr_log_conf" logStreamName="*b6b3-f8d14815eaf8/i-09bfc06d1ff10cb79/config_Ec2_CECIO_Linux/stdout"
I see 3 event, and now if I perform this request
index="bnc_6261_pr_log_conf" logStreamName="*b6b3-f8d14815eaf8/i-09bfc06d1ff10cb79/config_Ec2_CECIO_Linux/stdout" | eval l = len(message) | stats values(l) as NumberOfCar
I received two len, one was lose
172
6277
if I perform this statistic request :
index="bnc_6261_pr_log_conf" | logStreamName="*b6b3-f8d14815eaf8/i-09bfc06d1ff10cb79/config_Ec2_CECIO_Linux/stdout" | eval length=len(_raw) | stats max(length) perc95(length) max(linecount) perc95(linecount)
recived:
Max(Length):29886
perc95(Length):275756
The event I lose have effectively 28973 character, I thing the actual limit is 10 000.... I already change TRUNCATE parameter at 80 000. It for that I can load event with up to 10 000 character....
My question is, Can I change the stats limit in splunk for the max characters ? with which parameter ? and where from the web page ? can be change by non admin and for a specific source ?
Thank for your future help.
Hugues
... View more
Labels
- Labels:
-
stats
10-03-2022
08:43 AM
Hello , I find a solytion base on what you give me. index="bnc_6261_pr_log_conf" logStreamName="*/i-09bfc06d1ff10cb79/config_Ec2_CECIO_Linux/stdout" | eval ms=_time + message| stats list(ms) as msg by logStreamName | rex field=msg "(?<Err_Mss>.((.*\n){0,3}).*disk\ space*((.*\n){0,3}))" Thanks fo your help Hugues
... View more
- Tags:
- Hekk
09-28-2022
09:19 AM
Thanks for your try, is not working , see the output my search base on what you give me index="bnc_6261_pr_log_conf" logStreamName="*/i-09bfc06d1ff10cb79/config_Ec2_CECIO_Linux/stdout" | stats count by logStreamName | map maxsearches=20 search=" search index="bnc_6261_pr_log_conf" logStreamName=$logStreamName$ | stats list(message) as ms by logStreamName _time" and i try too index="bnc_6261_pr_log_conf" logStreamName="*/i-09bfc06d1ff10cb79/config_Ec2_CECIO_Linux/stdout" | stats list(message) as ms by logStreamName _time
... View more
09-28-2022
08:13 AM
Hello All , thanks for the help, my exemple:
logStreamName:
_time
message
09bfc06d1ff10cb79/config_Ec2_CECIO_Linux/stdout
9/20/2211:22:23.295 AM
allo
09bfc06d1ff10cb79/config_Ec2_CECIO_Linux/stdout
9/20/2211:22:23.295 AM
allo1
09bfc06d1ff10cb79/config_Ec2_CECIO_Linux/stdout
9/20/2211:23:23.295 AM
Erreur
09bfc06d1ff10cb79/config_Ec2_CECIO_Linux/stdout
9/20/2211:23:24.195 AM
allo2
09bfc06d1ff10cb79/config_Ec2_CECIO_Linux/stdout
9/20/2211:23:24.195 AM
allo4
I want get this output, for apply after regex for extract some line around the erreur msg
logStreamName:
_time
ms
09bfc06d1ff10cb79/config_Ec2_CECIO_Linux/stdout
9/20/2211:22:23.295 AM
allo
allo1
Error
allo2
allo4
if i try that search
index="bnc_6261_pr_log_conf" logStreamName="*/i-09bfc06d1ff10cb79/config_Ec2_CECIO_Linux/stdout" | stats count by logStreamName | map maxsearches=20 search=" search index="bnc_6261_pr_log_conf" logStreamName=$logStreamName$ | eval ms=_time + message| stats values(ms) by logStreamName,_time "| transaction logStreamName | rex field=ms "(?<ERROR_MESSAGE>.{0,50}Error.{0,50})"
it is not working if I perform the rex on msg, if I try use rex on logStreamName with different search string it is work, i try use transaction command for concact msg.
and I create ms variable for add time to my msg , it force too keep the order of message, it the only whey a found.
Please help me.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
10-05-2022
02:52 AM
|
