cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
super_edition
Path Finder
Member since: ‎01-24-2023
‎12-24-2024
Community Statistics
Posts 40
Solutions 0
Karma Given 8
Karma Received 1
Member Since ‎01-24-2023
Activity Feed
Topics I've Started
View All

Re: browser name extraction from user agent

by in Security
‎12-11-2024 09:01 PM
‎12-11-2024 09:01 PM
Thanks @PickleRick  for your response. I am looking to get the count of browsers which are commonly used like chrome, firefox, safari, edge and opera ... View more

browser name extraction from user agent

by in Security
‎12-11-2024 10:13 AM
‎12-11-2024 10:13 AM
Hello Everyone, I am trying to extract the unique browser name along with its count from the list of user agents(attached file) which is printed in user_agent field of splunk logs.   index=my_index "master" user-agent!="-" user-agent!="DIAGNOSTICS" | eval browser=case( searchmatch("*OPR*"),"Opera", searchmatch("*Edg*"),"Edge", searchmatch("*Chrome*Mobile*Safari*"),"Chrome", searchmatch("*firefox*"),"Firefox", searchmatch("*CriOS*safari"),"Safari") | stats count as page_hit by browser   I am sure the result count is incorrect as I am not covering all the combination of browser string from the attached list. Appreciate if someone can help me on this. Many Thanks ... View more

Re: whats wrong with this query??

by in Splunk Search
‎11-13-2024 11:37 PM
‎11-13-2024 11:37 PM
@gcusello  I was able to get the desired output with inner join ... View more

Re: whats wrong with this query??

by in Splunk Search
‎11-06-2024 04:30 AM
‎11-06-2024 04:30 AM
Hello @gcusello  I have masked the field for the purpose of safety. I tried by passing  values(paymentStatusResponse.orderCode) AS order_code its not working. With the below query (index= index_1 OR index= index_1) (kubernetes_namespace="kube_ns" OR openshift_namespace="ose_ns") (logger="PaymentErrorHandler") "Did not observe any item or terminal signal within" | eval clusters=coalesce(openshift_cluster, kubernetes_cluster) | stats values(clusters) as cluster values(host) as hostname count(host) as count values(message.tracers.ek-correlation-id{}) as corr_id  I am getting output as: cluster hostname count corr_id hhj yueyheh 3 1234234 343242 3423424 Now I want to add field paymentStatusResponse.orderCode, which comes from another logger "PaymentStatusClientImpl". The common entity between these 2 loggers is message.tracers.ek-correlation-id{}. So that my final output will be  cluster hostname count corr_id order_code hhj yueyheh 3 1234234 343242 3423424 order_1010 order_2020 order_3030 ... View more

Re: whats wrong with this query??

by in Splunk Search
‎11-06-2024 02:05 AM
‎11-06-2024 02:05 AM
Hello @gcusello  If I run the main search as below: (index= index_1 OR index= index_2) (kubernetes_namespace="kube_ns" OR openshift_namespace="ose_ns") (logger="PaymentErrorHandler" OR logger=PaymentStatusClientImpl") I am able to see "paymentStatusResponse.orderCode" values in interesting field.   ... View more

Re: whats wrong with this query??

by in Splunk Search
‎11-06-2024 12:56 AM
‎11-06-2024 12:56 AM
Thanks @gcusello  I have amended the changes query but the output of order_code column is still empty. order_code value  "paymentStatusResponse.orderCode" comes from 1 of the 2 logger. logger name PaymentStatusClientImpl   ... View more

whats wrong with this query??

by in Splunk Search
‎11-05-2024 11:25 PM
‎11-05-2024 11:25 PM
Hello Everyone, I have below splunk query which will display the output as below   (index= index_1 OR index= index_2) (kubernetes_namespace="kube_ns" OR openshift_namespace="ose_ns") (logger="PaymentErrorHandler" OR logger=PaymentStatusClientImpl") | search "* Did not observe any item or terminal signal within*" | spath "paymentStatusResponse.orderCode" | eval clusters=coalesce(openshift_cluster, kubernetes_cluster) | stats values(clusters) as cluster, values(host) as hostname, count(host) as count, values(correlation-id{}) as corr_id, values(paymentStatusResponse.orderCode) as order_code    From the above query, we have 2 loggers.  In the PaymentErrorHandler logger, I get the message containing: "Did not observe any item or terminal signal within" In the EmsPaymentStatusClientImpl logger, I get the json response object containing "paymentStatusResponse.orderCode" value In both loggers, we have correlation-id{} as common element. I want to output a table containing cluster, hostname, count, corr_id and order_code but the order code is alway empty. Please help   ... View more
Labels

Re: Unable to search with eval case output

by in Security
‎10-07-2024 11:58 AM
1 Karma
‎10-07-2024 11:58 AM
1 Karma
@richgalloway  thanks. It worked. ... View more

Re: Splunk works in search but not in dashboard dr...

by in Dashboards & Visualizations
‎10-07-2024 05:01 AM
‎10-07-2024 05:01 AM
Thanks. It worked ... View more

Splunk works in search but not in dashboard dropdo...

by in Dashboards & Visualizations
‎10-07-2024 03:28 AM
‎10-07-2024 03:28 AM
Hello Everyone, My below splunk query works fine in normal splunk search and it returns expected results:   index="my_index" | stats count by kubernetes_cluster | table kubernetes_cluster | sort kubernetes_cluster   However when the same query when I have it in dashboard's dropdown it is not returning that data. Search on Change is unchecked. the dropdown looks like this: source view: <input type="dropdown" token="regions" searchWhenChanged="false"> <label>region</label> <fieldForLabel>regions</fieldForLabel> <fieldForValue>regions</fieldForValue> <search> <query>index="my_index" | stats count by kubernetes_cluster | table kubernetes_cluster | sort kubernetes_cluster</query> <earliest>0</earliest> <latest></latest> </search> </input>     ... View more

Re: Unable to search with eval case output

by in Security
‎10-06-2024 09:34 PM
‎10-06-2024 09:34 PM
Thanks @richgalloway for your response. I tried with  | where hostname like hostname_pattern also | where hostname like hostname_pattern its not returning any search results. ... View more

Unable to search with eval case output

by in Security
‎10-06-2024 04:29 AM
‎10-06-2024 04:29 AM
Hello Everyone, I have following splunk query, which I am trying to build for dropdown in dashboard. Basically 2 dropdowns, the 1st dropdown has got static value which is index names:  index_1 , index_2 , index_3 Based on the selected index,  I am trying to run the splunk query:   index="index_1" | eval hostname_pattern=case( index == "index_1","*-hostname_1", index == "index_2","*-hostname_2" ) | search hostname= hostname_pattern   the search always return empty. However if I run the direct query for index_1 or index_2 with its relevant hostname, it works and returns me results   index="index_1" | search hostname= "*-hostname_1"    For the sake of checking if my condition is working or not, I fed the output of eval case into table. And checked by passing relevant indexes (index_1 or index_2)   index="index_1" | eval hostname_pattern=case( index == "index_1","*-hostname_1", index == "index_2","*-hostname_2" ) | stats count by hostname_pattern | table hostname_pattern | sort hostname_pattern   returns *-hostname_1 Not sure how do we pass the hostname value based on selected index for search. Highly appreciate your help. ... View more

splunk query with substring not working

by in Splunk Search
‎08-08-2024 04:51 AM
‎08-08-2024 04:51 AM
Hello Everyone, I have written the splunk query to remove last 2 character from the string: processingDuration = 102ms  as 102 for the following log:     { "timestamp": "2029-02-29 07:32:54.734", "level": "INFO", "thread": "54dd544ff", "logger": "my.logger", "message": { "logTimeStamp": "2029-02-29T07:32:54.734494726Z", "logType": "RESP", "statusCode": 200, "processingDuration": "102ms", "headers": { "Content-Type": [ "application/json" ] }, "tracers": { "correlation-id": [ "hfkjhwkj98342" ], "request-id": [ "53456345" ], "service-trace-id": [ "34234623456" ] } }, "context": "hello-service" }     my splunk query:     index=my_index | spath logger | search logger="my.logger" | spath "message.logType" | search "message.logType"=RESP | spath "message.tracers.correlation-id{}" | search "message.tracers.correlation-id{}"="hfkjhwkj98342" | eval myprocessTime = substr("message.processingDuration", 1, len("message.processingDuration")-2) | table "message.tracers.correlation-id{}" myprocessTime     the above query considers "message.processingDuration" as string itself and removes last 2 characters out of it. I tried without double quotes also, it returned empty:     substr(message.processingDuration, 1, len(message.processingDuration)-2)      Appreciate your help on this. Thanks in advance. ... View more
Labels

Re: splunk query to construct the table as needed

by in Dashboards & Visualizations
‎08-02-2024 04:36 AM
‎08-02-2024 04:36 AM
Thanks once again @ITWhisperer  It works as expected. ... View more

Re: splunk query to construct the table as needed

by in Dashboards & Visualizations
‎08-02-2024 12:01 AM
‎08-02-2024 12:01 AM
Thanks @ITWhisperer  with your splunk query currently I am able to list below url pattern only /vehicle/orders/v1/dbd20er9-g7c3-4e71-z089-gc1ga8272179 /vehicle/orders/v1/*/processInsurance /vehicle/orders/v1/*/validateInsurance /vehicle/orders/v1/*/validate /vehicle/orders/v1/*/process I missed to include 1 more pattern. /vehicle/orders/v1   (new one) Please help. Thanks in advance       ... View more

splunk query to construct the table as needed

by in Dashboards & Visualizations
‎08-01-2024 05:03 AM
‎08-01-2024 05:03 AM
Hello Everyone, With the below query       <my_search_index> | spath uri | search uri="/vehicle/orders/v1" OR uri="/vehicle/orders/v1*/validate" OR uri="/vehicle/orders/v1*/process" OR uri="/vehicle/orders/v1*/processInsurance" | eval Operations=case( searchmatch("/vehicle/orders/v1*/processInsurance"),"processInsurance", searchmatch("/vehicle/orders/v1/*/validate"),"validateOrder", searchmatch("/vehicle/orders/v1/*/process"),"processOrder", searchmatch("/vehicle/orders/v1"),"createOrder") | stats count as hits avg(request_time) as average perc90(request_time) as response90 by Operations | eval average=round(average,2),response90=round(response90,2)        I am able to construct the table: Apart from the 4 url patterns mentioned in query I need to include following url pattern for getOrder uri: /vehicle/orders/v1/dbd20er9-g7c3-4e71-z089-gc1ga8272179 from the raw splunk log { "request_timestamp ": "02/Jan/1984:09:05:04", "response_timestamp": "01/Jan/1984:09:05:04 +0000", "kong_request_id": "my_kong_req_id", "ek-correlation-id": "my_corr_id", "ek-request-id": "my_req_id", "ek-transaction-id": "", "req_id": "", "channel_name": "", "logType": "kong", "traceparent": "0traceparent", "request_method": "GET", "remote_addr": "1.2.3.4", "server_addr": "5.5.6.6", "scheme": "https", "host": "my.host.com", "status": 200, "request_method": "GET", "uri": "/vehicle/orders/v1/dbd20er9-g7c3-4e71-z089-gc1ga8272179", "server_protocol": "HTTP/1.1", "bytes_sent": 23663, "body_bytes_sent": 23547, "request_length": 1367, "http_referer": "-", "http_user_agent": "-", "request_time": "0.010", "upstream_response_time": "0.008", "upstream_addr": "1.3.5.7", "http_content_type": "application/json", "upstream_host": "my.host.com" } Not sure how do I change my query to include the required url pattern. If I try this: /vehicle/orders/v1/*   or /vehicle/orders/v1/*-*-*-*-* it might include the count of below patterns as well: /payment/orders/v1*/processInsurance /payment/orders/v1/*/validate /payment/orders/v1/*/process /payment/orders/v1 Appreciate your help. ... View more
Labels

Splunk query to retrieve logs containing empty que...

by in Splunk Search
‎02-25-2024 12:49 AM
‎02-25-2024 12:49 AM
Hello team Below are my splunk logs: { body_bytes_sent: 0 bytes_sent: 0 host: nice_host http_content_type: - http_referer: - http_user_agent: - kong_request_id: 8853b73ffef1c5522b4a383c286c825e log_type: kong query_string: - remote_addr: 10.138.100.153 request_id: 93258e0bc529fa9844e0fd2d69168d0f request_length: 1350 request_method: GET request_time: 0.162 scheme: https server_addr: 10.138.100.151 server_protocol: HTTP/1.1 status: 499 time_local: 25/Feb/2024:05:11:24 +0000 upstream_addr: 10.138.103.157:8080 upstream_host: nice_host upstream_response_time: 0.000 uri: /v1/d5a413b6-7d00-4874-b706-17b15b7a140b }   { body_bytes_sent: 0 bytes_sent: 0 host: nice_host http_content_type: - http_referer: - http_user_agent: - kong_request_id: 89cea871feba9f2d5216856f7a884223 log_type: kong query_string: productType=ALL remote_addr: 10.138.100.214 request_id: 9dbf69defb49a3595cf1040e6ab5d4f2 request_length: 1366 request_method: GET request_time: 0.167 scheme: https server_addr: 10.138.100.151 server_protocol: HTTP/1.1 status: 499 time_local: 25/Feb/2024:05:11:24 +0000 upstream_addr: 10.138.98.140:8080 upstream_host: nice_host upstream_response_time: 0.000 uri: /v1/a8b7570f-d0af-4d0d-bd6d-f6cf31892267 } From the above, I want to extract the request_time and upstream_response_time from the log event for the uri "/v1/*" which has query_string is empty(-) I tried the below search query, but it returns result containing query_string as empty and with values(productType=ALL) index="my_indexx" | spath host | search host="nice_host" | eval Operations=case( searchmatch("GET query_string: - /v1/*"),"getCart") | stats avg(request_time) as avg_request_time avg(upstream_response_time) as avg_upstreamTime perc90(request_time) as 90_request_time perc90(upstream_response_time) as 90_upstreamResponseTime by Operations | eval avg_request_time=round(avg_request_time,2) | eval avg_upstreamTime=round(avg_upstreamTime,2) index="ek_cloud_k8sdta_digital_platforms_kong" | spath host | search host="shopping-carts-service-oxygen-dev.apps.stg01.digitalplatforms.aws.emirates.dev" | eval Operations=case( match(_raw, "/v1/[^/ ?]"),"getCart") | stats avg(request_time) as avg_request_time avg(upstream_response_time) as avg_upstreamTime perc90(request_time) as 90_request_time perc90(upstream_response_time) as 90_upstreamResponseTime by Operations | eval avg_request_time=round(avg_request_time,2) | eval avg_upstreamTime=round(avg_upstreamTime,2) Can someone help on this. ... View more
Labels

Re: Piechart split for selected hostname

by in Splunk Search
‎07-06-2023 04:32 AM
‎07-06-2023 04:32 AM
Its working as expected. Thank you @ITWhisperer  ... View more

Piechart split for selected hostname?

by in Splunk Search
‎07-06-2023 03:16 AM
‎07-06-2023 03:16 AM
Hello Everyone, I am trying to create piechart for cache operation split(in percentage) for hit/miss/pass using the below query for the selected hostname:   index="my_index" openshift_container_name="container" | eval description=case(handling == "hit","HIT", handling == "miss","MISS", handling == "pass","PASS") | search hostname="int-ie-yyp.grp" | addtotals | eval cache_hit=round(100*HIT/Total,1) | eval cache_miss=round(100*MISS/Total,1) | eval cache_pass=round(100*PASS/Total,1)   When I try with:   | stats values(cache_hit) as cacheHit values(cache_miss) as cacheMiss values(cache_pass) as cachePass by description    no data is generated. However when I try for count it works:   | stats count by description   Can someone please help.   ... View more
Labels

Re: Splunk search to build a table for PASS and FA...

by in Splunk Search
‎05-30-2023 10:33 PM
‎05-30-2023 10:33 PM
this command helped: |fields _time successpercent failpercent     ... View more

Re: Splunk search to build a table for PASS and FA...

by in Splunk Search
‎05-30-2023 10:29 PM
‎05-30-2023 10:29 PM
Hello @ITWhisperer  I am getting the below data as the result: index=my_index sourcetype=openshift_logs openshift_namespace=my_ns openshift_cluster="cluster009" ("message.statusCode"=2* OR "message.statusCode"=4*) | eval status=if('message.statusCode'>300,"fail","success") | search "message.logType"=CLIENT_RES | search "message.url"="/shopping/carts/*" | timechart span=1h dc("message.tracers.correlation-id{}") as count by status pct | addtotals | eval successpercent=round(100*success/Total,1) | eval failpercent=round(100*fail/Total,1) But I am looking for only successpercent and failpercent to be displayed in the table. ... View more

How to build a Splunk search to build a table for ...

by in Splunk Search
‎05-30-2023 05:57 AM
‎05-30-2023 05:57 AM
Hello Everyone, This is the extension of previous query which I posted- https://community.splunk.com/t5/Splunk-Search/How-would-I-write-a-Splunk-search-to-build-a-table-for-PASS-and/m-p/644830#M223292 Thanks to @ITWhisperer  and updated query worked well. Now I am trying to add percentage column for PASS and FAIL, instead of the count: _time success fail 2023-05-28 03:00 98 2 2023-05-28 04:00 60 40 2023-05-28 05:00 100 0   I was trying to build a query, something like this:     index=my_index sourcetype=openshift_logs openshift_namespace=my_ns openshift_cluster="cluster009" ("message.statusCode"=2* OR "message.statusCode"=4*) | eval status=if('message.statusCode'>300,"fail","success") | search "message.logType"=CLIENT_RES | search "message.url"="/shopping/carts/*" ```| timechart span=1h dc("message.tracers.ek-correlation-id{}") as count by status``` | eventstats count("message.tracers.ek-correlation-id{}") as totalCount | eventstats count("message.tracers.ek-correlation-id{}") as individualCount by status | eval percent=(individualCount/totalCount)*100     I know the above query is incomplete and not sure if this the right way to proceed. ... View more
Labels

How would I write a Splunk search to build a table...

by in Splunk Search
‎05-27-2023 08:48 PM
‎05-27-2023 08:48 PM
Hello Everyone, I have below query with which I am trying to build a table showing data for SUCCESS  for sum of statusCode starts with 20* and FAIL for sum of statusCode starts with 4*.  However with the below query,     index=my_index sourcetype=openshift_logs openshift_namespace=my_ns openshift_cluster="cluster009" ("message.statusCode"=20* OR "message.statusCode"=4*) | search "message.logType"=CLIENT_RES | search "message.url"="/shopping/carts/*" | timechart span=1h dc("message.tracers.id{}") as count by message.statusCode      I am getting the table as below: _time 200 201 400 403 2023-05-28 03:00 400 10 10 11 2023-05-28 04:00 301 99 19 0 2023-05-28 05:00 100 45 11 9   I am expecting table as something like this: _time success fail 2023-05-28 03:00 410 21 2023-05-28 04:00 400 19 2023-05-28 05:00 145 20   Not sure how to change this. ... View more
Labels

Re: Returning count column in the existing search?

by in Splunk Search
‎05-23-2023 12:16 AM
‎05-23-2023 12:16 AM
@ITWhisperer  there was an issue in my search parameter of my SPL which I fixed. it is now returning count as expected. Apart from that no change in the stats part of the query | stats count as hits avg(processDuration) as average perc90(processDuration) as response90 by Operations Thank you once again   ... View more

How to return count column in the existing search?

by in Splunk Search
‎05-16-2023 05:27 AM
‎05-16-2023 05:27 AM
Hello,  I have below search query     index=my_index openshift_cluster="cluster009" sourcetype=openshift_logs openshift_namespace=my_ns ("POST /online-shopping/debt_cart/v1 HTTP" OR "GET /online-shopping/debt_cart/v1/* HTTP" OR "GET *online-shopping*debt_cart*productType* HTTP") | eval Operations=case( searchmatch("POST /online-shopping/debt_cart/v1 HTTP"),"create_cart", searchmatch("GET /online-shopping/debt_cart/v1/*/summary HTTP"),"cart_summary", searchmatch("GET *online-shopping*debt_cart*productType* HTTP"),"cart_productType", match(_raw, "GET /online-shopping/debt_cart/v1/[^/ ?]+\sHTTP"),"getDebtCart") | stats avg(processDuration) as average perc90(processDuration) as response90 by Operations | eval average=round(average,2),response90=round(response90,2)     which displays the data as below: Operations average response90 create_cart 250 380 cart_summary 240 330 cart_productType 210 321 getDebtCart 260 365   Now I want to add the count of url pattern against each operation as below. I tried adding the count as part of stats. It is not working.  Not sure how do I proceed. Operations count average response90 create_cart 1919 250 380 cart_summary 2001 240 330 cart_productType 1971 210 321 getDebtCart 8162 260 365 ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎12-24-2024 04:04 AM
Karma from
View All
Karma given to