Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About Splunk_321
Splunk_321
Path Finder
Member since:
11-11-2022
08-24-2023
Community Statistics
| Posts | 20 |
| Solutions | 0 |
| Karma Given | 6 |
| Karma Received | 0 |
| Member Since | 11-11-2022 |
Activity Feed
- Posted How to filters results and convert rows to columns? on Splunk Search. 08-24-2023 04:22 AM
- Posted How to Calculate the difference between two rows of a column? on Splunk Search. 08-22-2023 01:55 AM
- Posted Re: Unable to read lengthy messages into fields on Splunk Search. 05-15-2023 03:51 AM
- Posted How to read lengthy messages into fields? on Splunk Search. 05-14-2023 10:17 PM
- Posted Re: How to group multiple methods responsetime into intervals and obtain count? on Splunk Search. 05-09-2023 09:49 PM
- Karma Re: How to group multiple methods responsetime into intervals and obtain count? for VatsalJagani. 05-09-2023 09:47 PM
- Posted How to group multiple methods responsetime into intervals and obtain count? on Splunk Search. 05-09-2023 01:52 AM
- Posted Re: How to join two savedsearches based on a column and do a time comparison? on Splunk Search. 12-07-2022 12:30 AM
- Posted Re: How to join two savedsearches based on a column and do a time comparison? on Splunk Search. 12-06-2022 01:04 AM
- Posted How to join two savedsearches based on a column and do a time comparison? on Splunk Search. 12-05-2022 08:46 AM
- Posted Re: Extract bunch of UUIDs from a string using regex on Splunk Search. 12-04-2022 09:46 PM
- Karma Extract bunch of UUIDs from a string using regex for yuanliu. 12-04-2022 09:44 PM
- Karma Re: Extract bunch of UUIDs from a string using regex for ITWhisperer. 12-02-2022 01:13 AM
- Posted How to extract bunch of UUIDs from a string using regex? on Splunk Search. 12-02-2022 12:21 AM
- Posted Expand two fields in the json array into table from multiple events on Splunk Search. 11-29-2022 10:07 PM
- Posted Re: Help with mvexpand limits, one issue is the memory limit, the other is that it only applies to one field on Splunk Search. 11-29-2022 03:30 AM
- Karma Help with mvexpand limits, one issue is the memory limit, the other is that it only applies to one field for ITWhisperer. 11-29-2022 03:13 AM
- Posted How to find differences between two saved searches based on a common field? on Splunk Search. 11-27-2022 11:06 PM
- Posted Re: mvexpand limits on Splunk Search. 11-25-2022 04:08 AM
- Karma Re: mvexpand limits for FrankVl. 11-25-2022 04:06 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
08-24-2023
04:22 AM
I have a splunk query to get execution time of methods shown below
basesearch
| where like(method,"A") OR like(method,"B")
| table method,time
This will show execution time of method A and method B present in the same flow for multiple calls.
Results are something like below
method time
A 110
B 95
A 120
A 110
B 101
A 110
B 95
A 125
A 115
B 80
B 85
B 90
I want to filter results such that execution time of A>=110 and corresponding execution time of B
something like below
A B
110 85
120 101
110 95
125 100
115 95
... View more
- Tags:
- filtered results
- rows
Labels
- Labels:
-
stats
08-22-2023
01:55 AM
I have a splunk query shown below.
basesearch
| stats avg(time) as executionTime by method
which results in table like below
method executionTime
A 110.350
B 90.150
I want to obtain executionTime difference between method A and B in a table result
A-B = 20.20
Please help me with splunk query to get the same.
Thanks in advance!
... View more
Labels
- Labels:
-
stats
05-15-2023
03:51 AM
@gcusello Thanks! Seems some visualization issue. Tried to read 10,000 or 10,240 characters but no luck. Btw, what do you mean by changing the chars dimension? Any other comments would be appreciated.
... View more
05-14-2023
10:17 PM
Hi,
I am trying to read a field msg.logMessage.error into table. This field is having character length of upto 22,000. I need to read this field into table and when I try below it is giving blank.
basesearch | table msg.logMessage.error
Actually, I can show first 2000 characters of this error as well, So I tried this as well, but no luck
basesearch | eval error = substr(msg.logMessage.error,1,2000) | table error
I tried having single and double quotes around msg.logMessage.error but no luck.
Not sure If I need to modify some splunk settings to read such fields into table.
Can anyone please help me with the soluntion.
Thanks in Advance!
... View more
Labels
- Labels:
-
field extraction
-
fields
-
table
05-09-2023
09:49 PM
This helps. Thank you for the solution!
... View more
05-09-2023
01:52 AM
Hi All, I have a requirement where I need to group count of methods responsetime into different time intervals. Below is what I tried basesearch
| eval ResponseTime=if(uri=="/api/auth",null(),responsetime*1000)
| rex field=gwrequesturi "(?<prefix>\S+)/locations/(?<method>\w+[^/?])"
| table ResponseTime method This is resulted in below output ResponseTime Method 330 A 1627 B 1025 B 3126 A 2034 B .......................... ............... I have two possibilities for method (Say for ex: A and B) I want to get results something like below (Responsetime and count of each method falling in that interval) ResponseTime A B <=1000 4 8 >1000 and <=3000 11 25 >3000 and <=5000 35 23 >5000 2 4 Can someone help me with the query! Thanks in advance!
... View more
12-07-2022
12:30 AM
@richgalloway Thanks for your reply. I tried something like below, but what I realized is stats command is only propagating only LocationId and flag fields and hiding the time. Hence not able to make time comparison. If I check matches_time, metrics_time fields after stats command, those are blank. | savedsearch "savedsearch1"
| eval flag="match"
| rename _time as matches_time
| append maxtime=1800 timeout=1800
[ savedsearch "savedsearch2"
| eval flag="metric"
| rename _time as metrics_time]
| stats values(flag) as flag by LocationId
| where (flag="metric" and flag!="match") or (flag="metric" and flag="match" and metrics_time<matches_time)
| table LocationId Is there any other way to achieve this. May be a different one rather than append mechanism.
... View more
12-06-2022
01:04 AM
@richgalloway Thanks for your response. I don't want to get min of time out of those two locationIds. The moment I see LocationId in both the reports, I want to ensure that savedsearch1._time > savedsearch2._time. In a simple coding language it could be..... ################################################ var LocationIdList; //add if it is present in savedsearch2 but not in savedsearch1 if(savedsearch2.contains(LocationId) && !savedsearch1.contains(LocationId)){ LocationIdList.add(LocationId); } //if it is present in both if (savedsearch2.contains(LocationId) && savedsearch1.contains(LocationId)){ //add only when savedsearch1 occurs later than savedsearch2 if (savedsearch1._time>savedsearch2._time){ LocationIdList.add(LocationId); } } ################################################
... View more
12-05-2022
08:46 AM
I have two savedsearches
savedsearch1: | basesearch | stats count by _time, LocationId
savedsearch2: | basesearch | count by _time, LocationId
I want to track monitoring LocationIds based on below criteria 1) LocationIds which are present in savedsearch2 but not in savedsearch1 2) LocationId if present in both reports, include those LocationIds with savedsearch1 timestamp>savedsearch2 timestamp, otherwise exclude it
I could get LocationIds which are only present in savedsearch2 using below query, but not able to make time comparison
##################################################
| savedsearch "savedsearch1" | eval flag="match" | append maxtime=1800 timeout=1800 [ savedsearch "savedsearch2" | eval flag="metric"] | stats values(flag) as flag by LocationId | where flag="metric" and flag!="match" | table LocationId
##################################################
Any help would be appreciated!
... View more
Labels
- Labels:
-
join
12-04-2022
09:46 PM
Great approach to filter the required data. Appreciate your help. Btw, I was the developer who is new to splunk😄
... View more
12-02-2022
12:21 AM
Hi,
I have a string in splunk logs something like below.
msg.message="Matches Logs :: Logger{clientId='hFKfFkF-K7jlp5epzCnZASazoYmXxgUzBLQ8cixb7f23afb8', apiName='Matches', apiStatus='Success', error='NA', locationIdMerchDetail=[6d65fcb6-8885-4f56-93c1-7050c8bef906 :: QUALITY COLLISION 1 LLC :: 1, e5ff5b47-839c-4ed0-86a3-87fc18f4bfda :: P A JOLLY'S LLC :: 2, 2053428f-f6ba-4038-a03e-4dbc8737c37d :: CREATIVE EXCELLENCE SALON LLC :: 3, c3e9e6fc-8388-49fd-ba7b-3b9d76f5f9ea :: QUALITY SERVICES AND APP :: 4, 75ca5712-f7a1-4a63-a69f-d73c8e7d187b :: FREEDOM COMICS LLC :: 5, e87a96e8-de73-47f8-bfbd-6099c83376f7 :: S AND G STORES LLC :: 6, 732f9d61-3916-4664-9601-dd0745b68837 :: QUALITY RESALE :: 7, d666bef7-e2fa-498f-a74f-e80f6d2701e7 :: CAKE ART SUPPLIES LLC :: 8, 23ca4856-5908-4bd6-b90d-cace07036b05 :: INTUIT PAYMENT SOLUTIONS, LLC :: 9, b583405f-bb3d-4dba-9bb3-ee9b3713b8f7 :: LA FIESTA TOLEDO LLC :: 10], numReturnedMatches='10'}"
My string contains locationIdMerchDetail as highlighted above. I need to extract locationId, rank into table first item being locationid and last item being rank in every comma separated item.
Ex: In 6d65fcb6-8885-4f56-93c1-7050c8bef906 :: QUALITY COLLISION 1 LLC :: 1
locationId : 6d65fcb6-8885-4f56-93c1-7050c8bef906
rank: 1
I am able to extract locationIds into table, using below query, but not sure how to include corresponding rank
######################################
index=app_pcf AND cf_app_name="credit-analytics-api" AND message_type=OUT AND msg.logger=c.m.c.d.MatchesApiDelegateImpl | rex field=msg.message "(?<LocationId>[0-9a-f]{8}-([0-9a-f]{4}\-){3}[0-9a-f]{12})" | table LocationId
######################################
I want a table something like below.
LocationId rank
6d65fcb6-8885-4f56-93c1-7050c8bef906 1
e5ff5b47-839c-4ed0-86a3-87fc18f4bfda 2
2053428f-f6ba-4038-a03e-4dbc8737c37d 3
..............................................................................................................
and so on
Any regex to filter these into table.
Please help.
... View more
Labels
- Labels:
-
field extraction
-
regex
11-29-2022
10:07 PM
I am trying to expand couple of fields (locationId, matchRank) using mvexpand. But it only works for shorter duration upto 7days. I want to do this for upto 30 days. My matched_locations json array can have atmost 10 items in it with the presence of both locationId and an associated matchRank in it. We can identify the number of items in matched_locations by msg.logMessage.numReturnedMatches field. I have thousands of such events. Below is the query which is working for shorter duration of time, but timing out for longer duration. ############################################################# index=app_pcf AND cf_app_name="credit-analytics-api" AND message_type=OUT AND msg.logger=c.m.c.d.MatchesApiDelegateImpl | search "msg.logMessage.numReturnedMatches">0 | eval all_fields = mvzip('msg.logMessage.matched_locations{}.locationId','msg.logMessage.matched_locations{}.matchRank') | mvexpand all_fields | makemv delim="," all_fields | eval LocationId=mvindex(all_fields, 0) | eval rank=mvindex(all_fields,1) | fields LocationId, rank | table LocationId, rank ############################################################# Below is the sample splunk data for one such event. ########################################################### cf_app_name: myApp cf_org_name: myOrg cf_space_name: mySpace job: diego_cell message_type: OUT msg: { application: myApp correlationid: 0.af277368.1669261134.5eb2322 httpmethod: GET level: INFO logMessage: { apiName: Matches apiStatus: Success clientId: oh_HSuoA6jKe0b75gjOIL32gtt1NsygFiutBdALv5b45fe4b error: NA matched_locations: [ { city: PHOENIX countryCode: USA locationId: bef26c03-dc5d-4f16-a3ff-957beea80482 matchRank: 1 merchantName: BIG D FLOORCOVERING SUPPLIES postalCode: 85009-1716 state: AZ streetAddress: 2802 W VIRGINIA AVE } { city: PHOENIX countryCode: USA locationId: ec9b385d-6283-46f4-8c9e-dbbe41e48fcc matchRank: 2 merchantName: BIG D FLOOR COVERING 4 postalCode: 85009 state: AZ streetAddress: 4110 W WASHINGTON ST STE 100 } { [+] } { [+] } { [+] } { [+] } { [+] } { [+] } { [+] } { [+] } ] numReturnedMatches: 10 } logger: c.m.c.d.MatchesApiDelegateImpl } origin: rep source_instance: 1 source_type: APP/PROC/WEB timestamp: 1669261139716063000 } ###########################################################
... View more
Labels
- Labels:
-
field extraction
-
search job inspector
11-29-2022
03:30 AM
@ITWhisperer and @FrankVl I am trying to expand couple of fields (locationId, matchRank) using the method suggested above. But it only expands last entry in the list and results doesn't contain all the entries from both the lists. My matched_locations json array can have atmost 10 items in it with the presence of both locationId and matchRank Below is the query which I am trying out... ############################################################# index=app_pcf AND cf_app_name="myApp" AND message_type=OUT AND msg.logger=c.m.c.d.MatchesApiDelegateImpl | search "msg.logMessage.numReturnedMatches">0 | spath | fillnull value="0" | eval steps=max(mvcount('msg.logMessage.matched_locations{}.locationId'),mvcount('msg.logMessage.matched_locations{}.matchRank')) | streamstats sum(steps) as toprow | eval maxrow=toprow | append [| makeresults | eval toprow=1 | fields - _time] | eventstats min(maxrow) as firsttop | where isnotnull(maxrow) or toprow != firsttop | makecontinuous toprow | reverse | filldown | reverse | eval locationId=mvindex('msg.logMessage.matched_locations{}.locationId',(steps - 1) - (maxrow - toprow)) | eval rank=mvindex('msg.logMessage.matched_locations{}.matchRank',(steps - 1) - (maxrow - toprow)) | fields - maxrow toprow firsttop steps | foreach * [ eval <<FIELD>>=if('<<FIELD>>'="0",null,'<<FIELD>>')] | table locationId,rank ############################################################# I am getting locationId,rank from last entry of every event in the list. Below is the sample splunk data ########################################################### cf_app_name: myApp cf_org_name: myOrg cf_space_name: mySpace job: diego_cell message_type: OUT msg: { application: myApp correlationid: 0.af277368.1669261134.5eb2322 httpmethod: GET level: INFO logMessage: { apiName: Matches apiStatus: Success clientId: oh_HSuoA6jKe0b75gjOIL32gtt1NsygFiutBdALv5b45fe4b error: NA matched_locations: [ { city: PHOENIX countryCode: USA locationId: bef26c03-dc5d-4f16-a3ff-957beea80482 matchRank: 1 merchantName: BIG D FLOORCOVERING SUPPLIES postalCode: 85009-1716 state: AZ streetAddress: 2802 W VIRGINIA AVE } { city: PHOENIX countryCode: USA locationId: ec9b385d-6283-46f4-8c9e-dbbe41e48fcc matchRank: 2 merchantName: BIG D FLOOR COVERING 4 postalCode: 85009 state: AZ streetAddress: 4110 W WASHINGTON ST STE 100 } { [+] } { [+] } { [+] } { [+] } { [+] } { [+] } { [+] } { [+] } ] numReturnedMatches: 10 } logger: c.m.c.d.MatchesApiDelegateImpl } origin: rep source_instance: 1 source_type: APP/PROC/WEB timestamp: 1669261139716063000 } ###########################################################
... View more
11-27-2022
11:06 PM
I have two saved searches
1) Metrics-Location-Client -- Gives LocationId, Client_Name as output
2) Matched-Locations -- Gives LocationId
I want to get count of locationIds by Client_Name which are present in Metrics-Location-Client but not in Matched-Locations.
Below is the one which I am trying but its not working it seems.
| savedsearch "Metrics-Location-Client"
| join Left=L Right=R where L.LocationId!=R.LocationId
[ savedsearch "Matched-Locations" ]
| stats count(L.LocationId) as MonitoringCalls by L.Client_Name
I have tried set diff as well, but not working
| set diff
[ savedsearch "Metrics-Location-Client" ]
[ savedsearch "Matched-Locations" ]
| stats count(LocationId) by Client_Name
Any help would be appreciated!
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-24-2023
08:40 AM
|
Karma given to
