Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About super_edition
super_edition
Path Finder
Member since:
01-24-2023
06-24-2025
Community Statistics
| Posts | 45 |
| Solutions | 2 |
| Karma Given | 10 |
| Karma Received | 1 |
| Member Since | 01-24-2023 |
Activity Feed
- Posted Re: combining 2 searches - with dynamic urls into 1 on Splunk Search. 06-24-2025 02:33 AM
- Karma Re: combining 2 searches - with dynamic urls into 1 for PrewinThomas. 06-24-2025 02:32 AM
- Karma Re: combining 2 searches - with dynamic urls into 1 for gcusello. 06-24-2025 02:32 AM
- Posted combining 2 searches - with dynamic urls into 1 on Splunk Search. 06-24-2025 01:12 AM
- Posted Re: URL aggregation in splunk query on Splunk Search. 06-09-2025 09:32 PM
- Posted Re: URL aggregation in splunk query on Splunk Search. 06-05-2025 07:32 AM
- Posted URL aggregation in splunk query on Splunk Search. 06-04-2025 08:19 PM
- Tagged URL aggregation in splunk query on Splunk Search. 06-04-2025 08:19 PM
- Posted Re: browser name extraction from user agent on Security. 12-11-2024 09:01 PM
- Posted browser name extraction from user agent on Security. 12-11-2024 10:13 AM
- Posted Re: whats wrong with this query?? on Splunk Search. 11-13-2024 11:37 PM
- Karma Re: whats wrong with this query?? for gcusello. 11-13-2024 11:37 PM
- Posted Re: whats wrong with this query?? on Splunk Search. 11-06-2024 04:30 AM
- Posted Re: whats wrong with this query?? on Splunk Search. 11-06-2024 02:05 AM
- Posted Re: whats wrong with this query?? on Splunk Search. 11-06-2024 12:56 AM
- Posted whats wrong with this query?? on Splunk Search. 11-05-2024 11:25 PM
- Tagged whats wrong with this query?? on Splunk Search. 11-05-2024 11:25 PM
- Tagged whats wrong with this query?? on Splunk Search. 11-05-2024 11:25 PM
- Got Karma for Re: Unable to search with eval case output. 10-08-2024 05:08 AM
- Posted Re: Unable to search with eval case output on Security. 10-07-2024 11:58 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
06-24-2025
02:33 AM
Thanks @PrewinThomas - it worked as expected and was fast enough.
... View more
06-24-2025
01:12 AM
Hello Everyone, I have 2 splunk search queries query-1 index="my_index" kubernetes_namespace="my_ns" kubernetes_cluster!="bad_cluster" kubernetes_deployment_name="frontend_service" msg="RESPONSE" "/my_service/user-registration"
| dedup req_id
| stats count as hits avg(responseTime) as avgResponse perc90(responseTime) as nintyPerc by url method kubernetes_cluster
| eval avgResponse=round(avgResponse,2)
| eval nintyPerc=round(nintyPerc,2) output url method kubernetes_cluster hits avgResponse nintyPerc /my_service/user-registration POST LON 11254 112 535 query-2 index="my_index" kubernetes_namespace="my_ns" kubernetes_cluster!="bad_cluster" kubernetes_deployment_name="frontend_service" msg="RESPONSE" "/my_service/profile-retrieval"
| eval normalized_url="/my_service/profile-retrieval"
| stats count as hits avg(responseTime) as avgResponse perc90(responseTime) as nintyPerc by normalized_url method kubernetes_cluster
| eval avgResponse=round(avgResponse,2)
| eval nintyPerc=round(nintyPerc,2) output url method kubernetes_cluster hits avgResponse nintyPerc /my_service/profile-retrieval GET LON 55477 698 3423 The query-2 returns multiple urls like below but belongs to same endpoint: /my_service/profile-retrieval/324524352 /my_service/profile-retrieval/453453?displayOptions=ADDRESS%2CCONTACT&programCode=SKW /my_service/profile-retrieval/?displayOptions=PREFERENCES&programCode=SKW&ssfMembershipId=00408521260 Hence I used eval function to normalized them eval normalized_url="/my_service/profile-retrieval" How do I combine both queries to return as simplified output url method kubernetes_cluster hits avgResponse nintyPerc /my_service/user-registration POST LON 11254 112 535 /my_service/profile-retrieval GET LON 55477 698 3423 Highly appreciate your help!!
... View more
06-09-2025
09:32 PM
Thanks Everyone for your response. Highly Appreciate your input. I was able to construct the query something like this: index="my_index" uri="*/experience/*"
| eval common_uri = replace(uri, "^(/[^/]+){1,2}(/experience/.*)", "\2")
| stats count(common_uri) as hits by common_uri
| sort -hits
| head 20
... View more
06-05-2025
07:32 AM
what constitutes those as "common"? The onboard-menu url hits same service. Its only accessed from different "markets" which are: /ae/english , /uk/english , /us/english , /ae/arabic and /english like that we will have multiple markets starts /country_code/english or arabic/
... View more
06-04-2025
08:19 PM
Hello Everyone, Below is my splunk query: index="my_index" uri="*/experience/*"
| stats count as hits by uri
| sort -hits
| head 20 which returns me the output as below /ae/english/experience/dining/onboard-menu/ 1 /ae/english/experience/woyf/ 2 /uk/english/experience/dining/onboard-menu/ 1 /us/english/experience/dining/onboard-menu/ 1 /ae/arabic/experience/dining/onboard-menu/ 1 /english/experience/dining/onboard-menu/ 1 I need to aggregate the url count into common url. For example: /experience/dining/onboard-menu/ 5 /experience/woyf/ 2 Appreciate your help on this. Thanks in advance
... View more
- Tags:
- aggregation
Labels
- Labels:
-
stats
12-11-2024
09:01 PM
Thanks @PickleRick for your response. I am looking to get the count of browsers which are commonly used like chrome, firefox, safari, edge and opera
... View more
12-11-2024
10:13 AM
Hello Everyone, I am trying to extract the unique browser name along with its count from the list of user agents(attached file) which is printed in user_agent field of splunk logs. index=my_index "master" user-agent!="-" user-agent!="DIAGNOSTICS"
| eval browser=case(
searchmatch("*OPR*"),"Opera",
searchmatch("*Edg*"),"Edge",
searchmatch("*Chrome*Mobile*Safari*"),"Chrome",
searchmatch("*firefox*"),"Firefox",
searchmatch("*CriOS*safari"),"Safari")
| stats count as page_hit by browser I am sure the result count is incorrect as I am not covering all the combination of browser string from the attached list. Appreciate if someone can help me on this. Many Thanks
... View more
11-06-2024
04:30 AM
Hello @gcusello I have masked the field for the purpose of safety. I tried by passing values(paymentStatusResponse.orderCode) AS order_code its not working. With the below query (index= index_1 OR index= index_1) (kubernetes_namespace="kube_ns" OR openshift_namespace="ose_ns") (logger="PaymentErrorHandler") "Did not observe any item or terminal signal within"
| eval clusters=coalesce(openshift_cluster, kubernetes_cluster)
| stats
values(clusters) as cluster
values(host) as hostname
count(host) as count
values(message.tracers.ek-correlation-id{}) as corr_id I am getting output as: cluster hostname count corr_id hhj yueyheh 3 1234234 343242 3423424 Now I want to add field paymentStatusResponse.orderCode, which comes from another logger "PaymentStatusClientImpl". The common entity between these 2 loggers is message.tracers.ek-correlation-id{}. So that my final output will be cluster hostname count corr_id order_code hhj yueyheh 3 1234234 343242 3423424 order_1010 order_2020 order_3030
... View more
11-06-2024
02:05 AM
Hello @gcusello If I run the main search as below: (index= index_1 OR index= index_2) (kubernetes_namespace="kube_ns" OR openshift_namespace="ose_ns") (logger="PaymentErrorHandler" OR logger=PaymentStatusClientImpl") I am able to see "paymentStatusResponse.orderCode" values in interesting field.
... View more
11-06-2024
12:56 AM
Thanks @gcusello I have amended the changes query but the output of order_code column is still empty. order_code value "paymentStatusResponse.orderCode" comes from 1 of the 2 logger. logger name PaymentStatusClientImpl
... View more
11-05-2024
11:25 PM
Hello Everyone, I have below splunk query which will display the output as below (index= index_1 OR index= index_2) (kubernetes_namespace="kube_ns" OR openshift_namespace="ose_ns") (logger="PaymentErrorHandler" OR logger=PaymentStatusClientImpl")
| search "* Did not observe any item or terminal signal within*"
| spath "paymentStatusResponse.orderCode"
| eval clusters=coalesce(openshift_cluster, kubernetes_cluster)
| stats values(clusters) as cluster, values(host) as hostname, count(host) as count, values(correlation-id{}) as corr_id, values(paymentStatusResponse.orderCode) as order_code From the above query, we have 2 loggers. In the PaymentErrorHandler logger, I get the message containing: "Did not observe any item or terminal signal within" In the EmsPaymentStatusClientImpl logger, I get the json response object containing "paymentStatusResponse.orderCode" value In both loggers, we have correlation-id{} as common element. I want to output a table containing cluster, hostname, count, corr_id and order_code but the order code is alway empty. Please help
... View more
Labels
- Labels:
-
stats
10-07-2024
11:58 AM
1 Karma
@richgalloway thanks. It worked.
... View more
10-07-2024
05:01 AM
Thanks. It worked
... View more
10-07-2024
03:28 AM
Hello Everyone, My below splunk query works fine in normal splunk search and it returns expected results: index="my_index"
| stats count by kubernetes_cluster | table kubernetes_cluster | sort kubernetes_cluster However when the same query when I have it in dashboard's dropdown it is not returning that data. Search on Change is unchecked. the dropdown looks like this: source view: <input type="dropdown" token="regions" searchWhenChanged="false">
<label>region</label>
<fieldForLabel>regions</fieldForLabel>
<fieldForValue>regions</fieldForValue>
<search>
<query>index="my_index"
| stats count by kubernetes_cluster | table kubernetes_cluster | sort kubernetes_cluster</query>
<earliest>0</earliest>
<latest></latest>
</search>
</input>
... View more
10-06-2024
09:34 PM
Thanks @richgalloway for your response.
I tried with
| where hostname like hostname_pattern
also
| where hostname like hostname_pattern
its not returning any search results.
... View more
10-06-2024
04:29 AM
Hello Everyone, I have following splunk query, which I am trying to build for dropdown in dashboard. Basically 2 dropdowns, the 1st dropdown has got static value which is index names: index_1 , index_2 , index_3 Based on the selected index, I am trying to run the splunk query: index="index_1"
| eval hostname_pattern=case(
index == "index_1","*-hostname_1",
index == "index_2","*-hostname_2"
)
| search hostname= hostname_pattern the search always return empty. However if I run the direct query for index_1 or index_2 with its relevant hostname, it works and returns me results index="index_1"
| search hostname= "*-hostname_1" For the sake of checking if my condition is working or not, I fed the output of eval case into table. And checked by passing relevant indexes (index_1 or index_2) index="index_1"
| eval hostname_pattern=case(
index == "index_1","*-hostname_1",
index == "index_2","*-hostname_2"
)
| stats count by hostname_pattern | table hostname_pattern | sort hostname_pattern returns *-hostname_1 Not sure how do we pass the hostname value based on selected index for search. Highly appreciate your help.
... View more
08-08-2024
04:51 AM
Hello Everyone, I have written the splunk query to remove last 2 character from the string: processingDuration = 102ms as 102 for the following log: {
"timestamp": "2029-02-29 07:32:54.734",
"level": "INFO",
"thread": "54dd544ff",
"logger": "my.logger",
"message": {
"logTimeStamp": "2029-02-29T07:32:54.734494726Z",
"logType": "RESP",
"statusCode": 200,
"processingDuration": "102ms",
"headers": {
"Content-Type": [
"application/json"
]
},
"tracers": {
"correlation-id": [
"hfkjhwkj98342"
],
"request-id": [
"53456345"
],
"service-trace-id": [
"34234623456"
]
}
},
"context": "hello-service"
} my splunk query: index=my_index
| spath logger | search logger="my.logger"
| spath "message.logType" | search "message.logType"=RESP
| spath "message.tracers.correlation-id{}" | search "message.tracers.correlation-id{}"="hfkjhwkj98342"
| eval myprocessTime = substr("message.processingDuration", 1, len("message.processingDuration")-2)
| table "message.tracers.correlation-id{}" myprocessTime the above query considers "message.processingDuration" as string itself and removes last 2 characters out of it. I tried without double quotes also, it returned empty: substr(message.processingDuration, 1, len(message.processingDuration)-2) Appreciate your help on this. Thanks in advance.
... View more
Labels
- Labels:
-
field extraction
08-02-2024
04:36 AM
Thanks once again @ITWhisperer It works as expected.
... View more
08-02-2024
12:01 AM
Thanks @ITWhisperer with your splunk query currently I am able to list below url pattern only /vehicle/orders/v1/dbd20er9-g7c3-4e71-z089-gc1ga8272179 /vehicle/orders/v1/*/processInsurance /vehicle/orders/v1/*/validateInsurance /vehicle/orders/v1/*/validate /vehicle/orders/v1/*/process I missed to include 1 more pattern. /vehicle/orders/v1 (new one) Please help. Thanks in advance
... View more
08-01-2024
05:03 AM
Hello Everyone, With the below query <my_search_index>
| spath uri | search uri="/vehicle/orders/v1" OR uri="/vehicle/orders/v1*/validate" OR uri="/vehicle/orders/v1*/process" OR uri="/vehicle/orders/v1*/processInsurance"
| eval Operations=case(
searchmatch("/vehicle/orders/v1*/processInsurance"),"processInsurance",
searchmatch("/vehicle/orders/v1/*/validate"),"validateOrder",
searchmatch("/vehicle/orders/v1/*/process"),"processOrder",
searchmatch("/vehicle/orders/v1"),"createOrder")
| stats count as hits avg(request_time) as average perc90(request_time) as response90 by Operations
| eval average=round(average,2),response90=round(response90,2) I am able to construct the table: Apart from the 4 url patterns mentioned in query I need to include following url pattern for getOrder uri: /vehicle/orders/v1/dbd20er9-g7c3-4e71-z089-gc1ga8272179 from the raw splunk log { "request_timestamp ": "02/Jan/1984:09:05:04", "response_timestamp": "01/Jan/1984:09:05:04 +0000", "kong_request_id": "my_kong_req_id", "ek-correlation-id": "my_corr_id", "ek-request-id": "my_req_id", "ek-transaction-id": "", "req_id": "", "channel_name": "", "logType": "kong", "traceparent": "0traceparent", "request_method": "GET", "remote_addr": "1.2.3.4", "server_addr": "5.5.6.6", "scheme": "https", "host": "my.host.com", "status": 200, "request_method": "GET", "uri": "/vehicle/orders/v1/dbd20er9-g7c3-4e71-z089-gc1ga8272179", "server_protocol": "HTTP/1.1", "bytes_sent": 23663, "body_bytes_sent": 23547, "request_length": 1367, "http_referer": "-", "http_user_agent": "-", "request_time": "0.010", "upstream_response_time": "0.008", "upstream_addr": "1.3.5.7", "http_content_type": "application/json", "upstream_host": "my.host.com" } Not sure how do I change my query to include the required url pattern. If I try this: /vehicle/orders/v1/* or /vehicle/orders/v1/*-*-*-*-* it might include the count of below patterns as well: /payment/orders/v1*/processInsurance /payment/orders/v1/*/validate /payment/orders/v1/*/process /payment/orders/v1 Appreciate your help.
... View more
Labels
- Labels:
-
table
02-25-2024
12:49 AM
Hello team Below are my splunk logs: { body_bytes_sent: 0 bytes_sent: 0 host: nice_host http_content_type: - http_referer: - http_user_agent: - kong_request_id: 8853b73ffef1c5522b4a383c286c825e log_type: kong query_string: - remote_addr: 10.138.100.153 request_id: 93258e0bc529fa9844e0fd2d69168d0f request_length: 1350 request_method: GET request_time: 0.162 scheme: https server_addr: 10.138.100.151 server_protocol: HTTP/1.1 status: 499 time_local: 25/Feb/2024:05:11:24 +0000 upstream_addr: 10.138.103.157:8080 upstream_host: nice_host upstream_response_time: 0.000 uri: /v1/d5a413b6-7d00-4874-b706-17b15b7a140b } { body_bytes_sent: 0 bytes_sent: 0 host: nice_host http_content_type: - http_referer: - http_user_agent: - kong_request_id: 89cea871feba9f2d5216856f7a884223 log_type: kong query_string: productType=ALL remote_addr: 10.138.100.214 request_id: 9dbf69defb49a3595cf1040e6ab5d4f2 request_length: 1366 request_method: GET request_time: 0.167 scheme: https server_addr: 10.138.100.151 server_protocol: HTTP/1.1 status: 499 time_local: 25/Feb/2024:05:11:24 +0000 upstream_addr: 10.138.98.140:8080 upstream_host: nice_host upstream_response_time: 0.000 uri: /v1/a8b7570f-d0af-4d0d-bd6d-f6cf31892267 } From the above, I want to extract the request_time and upstream_response_time from the log event for the uri "/v1/*" which has query_string is empty(-) I tried the below search query, but it returns result containing query_string as empty and with values(productType=ALL) index="my_indexx" | spath host | search host="nice_host" | eval Operations=case( searchmatch("GET query_string: - /v1/*"),"getCart") | stats avg(request_time) as avg_request_time avg(upstream_response_time) as avg_upstreamTime perc90(request_time) as 90_request_time perc90(upstream_response_time) as 90_upstreamResponseTime by Operations | eval avg_request_time=round(avg_request_time,2) | eval avg_upstreamTime=round(avg_upstreamTime,2) index="ek_cloud_k8sdta_digital_platforms_kong" | spath host | search host="shopping-carts-service-oxygen-dev.apps.stg01.digitalplatforms.aws.emirates.dev" | eval Operations=case( match(_raw, "/v1/[^/ ?]"),"getCart") | stats avg(request_time) as avg_request_time avg(upstream_response_time) as avg_upstreamTime perc90(request_time) as 90_request_time perc90(upstream_response_time) as 90_upstreamResponseTime by Operations | eval avg_request_time=round(avg_request_time,2) | eval avg_upstreamTime=round(avg_upstreamTime,2) Can someone help on this.
... View more
Labels
- Labels:
-
eval
-
field extraction
-
regex
07-06-2023
03:16 AM
Hello Everyone,
I am trying to create piechart for cache operation split(in percentage) for hit/miss/pass using the below query for the selected hostname:
index="my_index" openshift_container_name="container"
| eval description=case(handling == "hit","HIT", handling == "miss","MISS", handling == "pass","PASS")
| search hostname="int-ie-yyp.grp"
| addtotals
| eval cache_hit=round(100*HIT/Total,1)
| eval cache_miss=round(100*MISS/Total,1)
| eval cache_pass=round(100*PASS/Total,1)
When I try with:
| stats values(cache_hit) as cacheHit values(cache_miss) as cacheMiss values(cache_pass) as cachePass by description
no data is generated.
However when I try for count it works:
| stats count by description
Can someone please help.
... View more
05-30-2023
10:33 PM
this command helped: |fields _time successpercent failpercent
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-24-2025
12:25 AM
|
Karma given to
