cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
super_edition
Path Finder
Member since: ‎01-24-2023
‎02-29-2024
Community Statistics
Posts 24
Solutions 0
Karma Given 3
Karma Received 0
Member Since ‎01-24-2023
Activity Feed
Topics I've Started
View All

Splunk query to retrieve logs containing empty que...

by in Splunk Search
‎02-25-2024 12:49 AM
‎02-25-2024 12:49 AM
Hello team Below are my splunk logs: { body_bytes_sent: 0 bytes_sent: 0 host: nice_host http_content_type: - http_referer: - http_user_agent: - kong_request_id: 8853b73ffef1c5522b4a383c286c825e log_type: kong query_string: - remote_addr: 10.138.100.153 request_id: 93258e0bc529fa9844e0fd2d69168d0f request_length: 1350 request_method: GET request_time: 0.162 scheme: https server_addr: 10.138.100.151 server_protocol: HTTP/1.1 status: 499 time_local: 25/Feb/2024:05:11:24 +0000 upstream_addr: 10.138.103.157:8080 upstream_host: nice_host upstream_response_time: 0.000 uri: /v1/d5a413b6-7d00-4874-b706-17b15b7a140b }   { body_bytes_sent: 0 bytes_sent: 0 host: nice_host http_content_type: - http_referer: - http_user_agent: - kong_request_id: 89cea871feba9f2d5216856f7a884223 log_type: kong query_string: productType=ALL remote_addr: 10.138.100.214 request_id: 9dbf69defb49a3595cf1040e6ab5d4f2 request_length: 1366 request_method: GET request_time: 0.167 scheme: https server_addr: 10.138.100.151 server_protocol: HTTP/1.1 status: 499 time_local: 25/Feb/2024:05:11:24 +0000 upstream_addr: 10.138.98.140:8080 upstream_host: nice_host upstream_response_time: 0.000 uri: /v1/a8b7570f-d0af-4d0d-bd6d-f6cf31892267 } From the above, I want to extract the request_time and upstream_response_time from the log event for the uri "/v1/*" which has query_string is empty(-) I tried the below search query, but it returns result containing query_string as empty and with values(productType=ALL) index="my_indexx" | spath host | search host="nice_host" | eval Operations=case( searchmatch("GET query_string: - /v1/*"),"getCart") | stats avg(request_time) as avg_request_time avg(upstream_response_time) as avg_upstreamTime perc90(request_time) as 90_request_time perc90(upstream_response_time) as 90_upstreamResponseTime by Operations | eval avg_request_time=round(avg_request_time,2) | eval avg_upstreamTime=round(avg_upstreamTime,2) index="ek_cloud_k8sdta_digital_platforms_kong" | spath host | search host="shopping-carts-service-oxygen-dev.apps.stg01.digitalplatforms.aws.emirates.dev" | eval Operations=case( match(_raw, "/v1/[^/ ?]"),"getCart") | stats avg(request_time) as avg_request_time avg(upstream_response_time) as avg_upstreamTime perc90(request_time) as 90_request_time perc90(upstream_response_time) as 90_upstreamResponseTime by Operations | eval avg_request_time=round(avg_request_time,2) | eval avg_upstreamTime=round(avg_upstreamTime,2) Can someone help on this. ... View more
Labels

Re: Piechart split for selected hostname

by in Splunk Search
‎07-06-2023 04:32 AM
‎07-06-2023 04:32 AM
Its working as expected. Thank you @ITWhisperer  ... View more

Piechart split for selected hostname?

by in Splunk Search
‎07-06-2023 03:16 AM
‎07-06-2023 03:16 AM
Hello Everyone, I am trying to create piechart for cache operation split(in percentage) for hit/miss/pass using the below query for the selected hostname:   index="my_index" openshift_container_name="container" | eval description=case(handling == "hit","HIT", handling == "miss","MISS", handling == "pass","PASS") | search hostname="int-ie-yyp.grp" | addtotals | eval cache_hit=round(100*HIT/Total,1) | eval cache_miss=round(100*MISS/Total,1) | eval cache_pass=round(100*PASS/Total,1)   When I try with:   | stats values(cache_hit) as cacheHit values(cache_miss) as cacheMiss values(cache_pass) as cachePass by description    no data is generated. However when I try for count it works:   | stats count by description   Can someone please help.   ... View more
Labels

Re: Splunk search to build a table for PASS and FA...

by in Splunk Search
‎05-30-2023 10:33 PM
‎05-30-2023 10:33 PM
this command helped: |fields _time successpercent failpercent     ... View more

Re: Splunk search to build a table for PASS and FA...

by in Splunk Search
‎05-30-2023 10:29 PM
‎05-30-2023 10:29 PM
Hello @ITWhisperer  I am getting the below data as the result: index=my_index sourcetype=openshift_logs openshift_namespace=my_ns openshift_cluster="cluster009" ("message.statusCode"=2* OR "message.statusCode"=4*) | eval status=if('message.statusCode'>300,"fail","success") | search "message.logType"=CLIENT_RES | search "message.url"="/shopping/carts/*" | timechart span=1h dc("message.tracers.correlation-id{}") as count by status pct | addtotals | eval successpercent=round(100*success/Total,1) | eval failpercent=round(100*fail/Total,1) But I am looking for only successpercent and failpercent to be displayed in the table. ... View more

How to build a Splunk search to build a table for ...

by in Splunk Search
‎05-30-2023 05:57 AM
‎05-30-2023 05:57 AM
Hello Everyone, This is the extension of previous query which I posted- https://community.splunk.com/t5/Splunk-Search/How-would-I-write-a-Splunk-search-to-build-a-table-for-PASS-and/m-p/644830#M223292 Thanks to @ITWhisperer  and updated query worked well. Now I am trying to add percentage column for PASS and FAIL, instead of the count: _time success fail 2023-05-28 03:00 98 2 2023-05-28 04:00 60 40 2023-05-28 05:00 100 0   I was trying to build a query, something like this:     index=my_index sourcetype=openshift_logs openshift_namespace=my_ns openshift_cluster="cluster009" ("message.statusCode"=2* OR "message.statusCode"=4*) | eval status=if('message.statusCode'>300,"fail","success") | search "message.logType"=CLIENT_RES | search "message.url"="/shopping/carts/*" ```| timechart span=1h dc("message.tracers.ek-correlation-id{}") as count by status``` | eventstats count("message.tracers.ek-correlation-id{}") as totalCount | eventstats count("message.tracers.ek-correlation-id{}") as individualCount by status | eval percent=(individualCount/totalCount)*100     I know the above query is incomplete and not sure if this the right way to proceed. ... View more
Labels

How would I write a Splunk search to build a table...

by in Splunk Search
‎05-27-2023 08:48 PM
‎05-27-2023 08:48 PM
Hello Everyone, I have below query with which I am trying to build a table showing data for SUCCESS  for sum of statusCode starts with 20* and FAIL for sum of statusCode starts with 4*.  However with the below query,     index=my_index sourcetype=openshift_logs openshift_namespace=my_ns openshift_cluster="cluster009" ("message.statusCode"=20* OR "message.statusCode"=4*) | search "message.logType"=CLIENT_RES | search "message.url"="/shopping/carts/*" | timechart span=1h dc("message.tracers.id{}") as count by message.statusCode      I am getting the table as below: _time 200 201 400 403 2023-05-28 03:00 400 10 10 11 2023-05-28 04:00 301 99 19 0 2023-05-28 05:00 100 45 11 9   I am expecting table as something like this: _time success fail 2023-05-28 03:00 410 21 2023-05-28 04:00 400 19 2023-05-28 05:00 145 20   Not sure how to change this. ... View more
Labels

Re: Returning count column in the existing search?

by in Splunk Search
‎05-23-2023 12:16 AM
‎05-23-2023 12:16 AM
@ITWhisperer  there was an issue in my search parameter of my SPL which I fixed. it is now returning count as expected. Apart from that no change in the stats part of the query | stats count as hits avg(processDuration) as average perc90(processDuration) as response90 by Operations Thank you once again   ... View more

How to return count column in the existing search?

by in Splunk Search
‎05-16-2023 05:27 AM
‎05-16-2023 05:27 AM
Hello,  I have below search query     index=my_index openshift_cluster="cluster009" sourcetype=openshift_logs openshift_namespace=my_ns ("POST /online-shopping/debt_cart/v1 HTTP" OR "GET /online-shopping/debt_cart/v1/* HTTP" OR "GET *online-shopping*debt_cart*productType* HTTP") | eval Operations=case( searchmatch("POST /online-shopping/debt_cart/v1 HTTP"),"create_cart", searchmatch("GET /online-shopping/debt_cart/v1/*/summary HTTP"),"cart_summary", searchmatch("GET *online-shopping*debt_cart*productType* HTTP"),"cart_productType", match(_raw, "GET /online-shopping/debt_cart/v1/[^/ ?]+\sHTTP"),"getDebtCart") | stats avg(processDuration) as average perc90(processDuration) as response90 by Operations | eval average=round(average,2),response90=round(response90,2)     which displays the data as below: Operations average response90 create_cart 250 380 cart_summary 240 330 cart_productType 210 321 getDebtCart 260 365   Now I want to add the count of url pattern against each operation as below. I tried adding the count as part of stats. It is not working.  Not sure how do I proceed. Operations count average response90 create_cart 1919 250 380 cart_summary 2001 240 330 cart_productType 1971 210 321 getDebtCart 8162 260 365 ... View more
Labels

How to pass the label name in the title of the lin...

by in Dashboards & Visualizations
‎05-03-2023 10:04 PM
‎05-03-2023 10:04 PM
Hello  I have dropdown element in my dashboard with 3 options as mentioned below.   { "options": { "items": [ { "label": "Both", "value": "*" }, { "label": "dublin", "value": "*DDUUBBLLIN*" }, { "label": "singapore", "value": "SSIINNGG" } ], "defaultValue": "*", "token": "datacenter" }, "title": "data-center", "type": "input.dropdown" }   I want to pass the label name in the title of the line graph: If I use token-name with dollar sign like this: $datacenter$ it displays selected label's value: transaction per hour at DDUUBBLLIN datacenter - when the user selects Dublin However I want to display the label name: transaction per hour at Dublin datacenter - when the user selects Dublin transaction per hour at Singapore datacenter - when the user selects Singapore transaction per hour at both datacenter - when the user selects Both ... View more
Labels

Help with Splunk rex and using it in searchmatch?

by in Splunk Search
‎04-23-2023 12:45 PM
‎04-23-2023 12:45 PM
Hello eveyrone, Firstly Big Thanks to @ITWhisperer for helping me in recent weeks 😊 I have created a splunk query which will display the data as below.  Operations average response90 create_cart 250 380 cart_summary 240 330 cart_productType 210 321 getCart 260 365       index=my_index openshift_cluster="cluster009" sourcetype=openshift_logs openshift_namespace=my_ns openshift_container_name=container | search ("POST /shopping/carts/v1 HTTP" OR "GET /shopping/carts/v1/*/summary HTTP" OR "GET *shopping*carts*productType* HTTP") | eval Operations=case( searchmatch("POST /shopping/carts/v1 HTTP"),"create_cart", searchmatch("GET /shopping/carts/v1/*/summary HTTP"),"cart_summary", searchmatch("GET *shopping*carts*productType* HTTP"),"cart_productType") | stats avg(processDuration) as average perc90(processDuration) as response90 by Operations | eval average=round(average,2),response90=round(response90,2)     I want to include 1 more search pattern as below:     "message":{"input":"999.111.000.999 - - [06/Apr/2023:04:08:13 +0000] \"GET /shopping/carts/v1/83h3h331-g494-28h4-yyw7-dq123123123d HTTP/1.1\" 200 1855 8080 10 ms"}     Hence I changed the splunk query something like below to display the above formatted tabular information     index=my_index openshift_cluster="cluster009" sourcetype=openshift_logs openshift_namespace=my_ns openshift_container_name=container | rex "\"(?<url>GET /shopping/carts/v1/[^/ ?]+\sHTTP)" | search ("POST /shopping/carts/v1 HTTP" OR "GET /shopping/carts/v1/*/summary HTTP" OR "GET *shopping*carts*productType* HTTP") OR url | eval Operations=case( searchmatch("POST /shopping/carts/v1 HTTP"),"create_cart", searchmatch("GET /shopping/carts/v1/*/summary HTTP"),"cart_summary", searchmatch("GET *shopping*carts*productType* HTTP"),"cart_productType", searchmatch(url),"getCart") | stats avg(processDuration) as average perc90(processDuration) as response90 by Operations | eval average=round(average,2),response90=round(response90,2)     I am encountering the error stating : Error in 'EvalCommand': The arguments to the 'searchmatch' function are invalid.   ... View more
Labels

Re: eval searchmatch with question-mark ?

by in Splunk Search
‎04-18-2023 10:32 PM
‎04-18-2023 10:32 PM
Thanks @yeahnah  it worked.  \= ... View more

How to handle eval searchmatch with question-mark?

by in Splunk Search
‎04-18-2023 06:58 PM
‎04-18-2023 06:58 PM
Hello  Using the below query, I am trying to build a response     index=my_index openshift_cluster="cluster009" sourcetype=openshift_logs openshift_namespace=my_ns openshift_container_name=container | search ("POST /myvalue/mytoken/v1?s1=SSO HTTP" OR "POST /myvalue/mytoken/v1?s1=LOYALTY HTTP") | eval Operations=case(searchmatch("POST /myvalue/mytoken/v1?s1=SSO HTTP"),"type_SSO",searchmatch("POST /myvalue/mytoken/v1?s1=LOYALTY HTTP"),"type_LOYALTY") | stats avg(processDuration) as average perc90(processDuration) as response90 by Operations | eval average=round(average,2),response90=round(response90,2)     Operations average response90 type_LOYALTY 212 888 type_SSO 300 442   The above search does not return any table data. I am sure its due to the question-mark character present in in searchmatch and is not being handled as it should be. Because if I 1) do a plain search, I get the events returned      | search ("POST /myvalue/mytoken/v1?s1=SSO HTTP" OR "POST /myvalue/mytoken/v1?s1=LOYALTY HTTP")     2) remove by Operations from the query, it returns me the average and response90 value table data Can someone help me how to handle this. ... View more
Labels

Re: How to extract particular pattern text from i...

by in Splunk Search
‎04-15-2023 04:33 AM
‎04-15-2023 04:33 AM
@ITWhisperer  - Thanks.  It is now returning the expected pattern alone. ... View more

Re: How to extract particular pattern text from i...

by in Splunk Search
‎04-14-2023 08:58 PM
‎04-14-2023 08:58 PM
@ITWhisperer  the runanywhere example works as expected. Guess I have more pattern which I missed to include and that is returning as well. Hence I updated the runanywhere example as below:   | makeresults | fields - _time | eval _raw="\"message\":{\"input\":\"192.168.62.10 - - [06/Apr/2023:05:45:51 +0000] \\\"GET /shopping/carts/v1/e5aa581b-ac7a-40f5-a8da-8ab5cb51039c/summary HTTP/1.1\\\" 200 636 8080 13 ms\"} \"message\":{\"input\":\"192.168.54.47 - - [06/Apr/2023:04:08:13 +0000] \\\"GET /shopping/carts/v1/734b2f55-c304-49a5-baa9-8e9994495b55 HTTP/1.1\\\" 200 1855 8080 10 ms\"} \"message\":{\"input\":\"192.168.54.47 - - [06/Apr/2023:04:08:13 +0000] \\\"GET /shopping/carts/v1/734b2f55-c304-49a5-baa9-8e9994495b55/product HTTP/1.1\\\" 200 1855 8080 10 ms\"} \"message\":{\"input\":\"192.168.54.47 - - [06/Apr/2023:04:08:13 +0000] \\\"GET /location-context/stations/v1/CJS?module=ONLINE_BOOKING&requestedPoint=DESTINATION HTTP/1.1\\\" 200 1855 8080 10 ms\"} \"message\": {\"input\": \"192.168.62.10 - - [15/Apr/2023:03:32:22 +0000] \\\"GET /shopping/carts/v1/152c1299-e598-40d3-8934-29f6662bbb98?productType=ALL HTTP/1.1\\\" 200 1828 8080 13 ms\"}" | multikv noheader=t | fields _raw ``` the lines above just set up the example events ``` | rex "\"(?<url>GET /shopping/carts/v1/[^/ ]+\sHTTP)"   Output:   ... View more

Re: Extracting particular pattern text from its v...

by in Splunk Search
‎04-14-2023 03:00 AM
‎04-14-2023 03:00 AM
@ITWhisperer  unfortunately it is still returning all patterns: index=my_index openshift_cluster="cluster009" sourcetype=openshift_logs openshift_namespace=my_ns openshift_container_name=contaner | rex "\"(?<url>GET /shopping/carts/v1/[^/ ]+\sHTTP)" ... View more

How to extract particular pattern text from its v...

by in Splunk Search
‎04-14-2023 02:17 AM
‎04-14-2023 02:17 AM
Hello Everyone, Below is the set of the log response pattern: "message":{"input":"999.111.000.999 - - [06/Apr/2023:05:45:51 +0000] \"GET /shopping/carts/v1/83h3h331-g494-28h4-yyw7-dq123123123d/summary HTTP/1.1\" 200 636 8080 13 ms"} "message":{"input":"999.111.000.999 - - [06/Apr/2023:04:08:13 +0000] \"GET /shopping/carts/v1/83h3h331-g494-28h4-yyw7-dq123123123d HTTP/1.1\" 200 1855 8080 10 ms"} "message":{"input":"999.111.000.999 - - [06/Apr/2023:04:08:13 +0000] \"GET /shopping/carts/v1/73737373-j3j3-8djd-jdjd-kejdjehi3nej/product HTTP/1.1\" 200 1855 8080 10 ms"} "message":{"input":"999.111.000.999 - - [06/Apr/2023:04:08:13 +0000] \"GET /location-context/stations/v1/CJS?module=ONLINE_BOOKING&requestedPoint=DESTINATION HTTP/1.1\" 200 1855 8080 10 ms"} From the above, I am interested to extract only the orange highlighted string eg:  GET /shopping/carts/v1/<ending with any id alone> HTTP I tried with below splunk query as intermediate step to extract the urls: index=my_index openshift_cluster="cluster009" sourcetype=openshift_logs openshift_namespace=my_ns openshift_container_name=contaner | rex field=message.input "(?<servicename>(?:[^\"]|\"\")*HTTP)" | dedup servicename | stats count by servicename servicename is pre-extracted variable But this query returns the all pattern. GET /shopping/carts/v1/83h3h331-g494-28h4-yyw7-dq123123123d/summary HTTP GET /shopping/carts/v1/83h3h331-g494-28h4-yyw7-dq123123123d HTTP (I need only this) GET /shopping/carts/v1/73737373-j3j3-8djd-jdjd-kejdjehi3nej/product HTTP GET /location-context/stations/v1/CJS?module=ONLINE_BOOKING&requestedPoint=DESTINATION HTTP Please help ... View more
Labels

Re: How can I multiple search and table data?

by in Splunk Search
‎04-06-2023 02:52 AM
‎04-06-2023 02:52 AM
Thanks @ITWhisperer  the query worked as expected. However I have 1 more pattern of search text to include. From the below: "message":{"input":"192.168.62.10 - - [06/Apr/2023:05:45:51 +0000] \"GET /shopping/carts/v1/e5aa581b-ac7a-40f5-a8da-8ab5cb51039c/summary HTTP/1.1\" 200 636 8080 13 ms"} "message":{"input":"192.168.54.47 - - [06/Apr/2023:04:08:13 +0000] \"GET /shopping/carts/v1/734b2f55-c304-49a5-baa9-8e9994495b55 HTTP/1.1\" 200 1855 8080 10 ms"} "message":{"input":"192.168.54.47 - - [06/Apr/2023:04:08:13 +0000] \"GET /shopping/carts/v1/734b2f55-c304-49a5-baa9-8e9994495b55/product HTTP/1.1\" 200 1855 8080 10 ms"} "message":{"input":"192.168.54.47 - - [06/Apr/2023:04:08:13 +0000] \"GET /location-context/stations/v1/CJS?module=ONLINE_BOOKING&requestedPoint=DESTINATION HTTP/1.1\" 200 1855 8080 10 ms"} From the above, I am interested to extract only the orange highlighted string eg:  GET /shopping/carts/v1/<ending with any id alone> HTTP   I tried with below splunk query as intermediate step to extract the urls: index=my_index openshift_cluster="cluster009" sourcetype=openshift_logs openshift_namespace=my_ns openshift_container_name=contaner | rex field=message.input "(?<servicename>(?:[^\"]|\"\")*HTTP)" | dedup servicename | stats count by servicename But this returns the all pattern. GET /shopping/carts/v1/e5aa581b-ac7a-40f5-a8da-8ab5cb51039c/summary HTTP GET /shopping/carts/v1/734b2f55-c304-49a5-baa9-8e9994495b55 HTTP (I need only this) GET /shopping/carts/v1/734b2f55-c304-49a5-baa9-8e9994495b55/product HTTP GET /location-context/stations/v1/CJS?module=ONLINE_BOOKING&requestedPoint=DESTINATION HTTP ... View more

How can I multiple search and table data?

by in Splunk Search
‎04-04-2023 12:34 AM
‎04-04-2023 12:34 AM
Hello, I have a below splunk query which gives me response time value extracted from its response. index=my_index openshift_cluster="cluster009" sourcetype=openshift_logs openshift_namespace=my_ns openshift_container_name=contaner | search "POST /payment/orders/v1 HTTP" sample response message: "message": { "input": "192.168.56.10 - - [03/Apr/2023:08:26:18 +0000] \"GET /payment/orders/v1/1b8ee28e-a42b-4ef0-9063-6f36302aeac2-ntt HTTP/1.1\" 200 9907 8080 13 ms" } To the above query, If I add the pre-extracted variables - processDuration, serviceURL - I get the average/response90 values which I want | stats avg(processDuration) as average perc90(processDuration) as response90 by serviceURL | eval average=round(average,2),response90=round(response90,2) Now, I have 4 different search text: CreateOrder: search "POST /payment/orders/v1 HTTP" getOrder: search "GET /payment/orders/*-* HTTP" processOrder: search "POST /payment/orders/*/process HTTP" validate: search "POST /payment/orders/*/validate HTTP" I want to build a query using these 4 types of search and get the response time details as below: Operations average response90 CreateOrder 250 380 getOrder 240 330 processOrder 210 321 validate 260 365     ... View more
Labels

Re: How to plot two sets of data in line chart whe...

by in Splunk Search
‎02-02-2023 02:13 AM
‎02-02-2023 02:13 AM
Hello @scelikok  thanks actually the query shared by you works. I overlooked the last bit of the search hence the confusion. ... View more

Re: plotting 2 set of data in line chart when BOTH...

by in Splunk Search
‎02-01-2023 09:19 PM
‎02-01-2023 09:19 PM
Hello @scelikok  When the given search is executed only 1 line is plotted in line chart using the data which is the sum of dublin and singapore. Not separately. - When the BOTH (whose value is *) is selected from dashboard's dropdown ... View more

How to plot two sets of data in line chart when BO...

by in Splunk Search
‎02-01-2023 01:36 AM
‎02-01-2023 01:36 AM
Hello Everyone, I have dashboard with token value as datacenter, which has 3 options from dropdown: Dublin ="*dbl_dc_01*" Singapore= "*sing_dc_01*" Both = "*"  (this is incorrect for my requirement.. i  know) Currently I am plotting the line chart graph based on the search when $datacenter$ Dublin is selected using the below search query: (index=my_index) openshift_namespace=my-ns sourcetype=openshift_logs openshift_cluster="*dbl_dc_01*" | search "message.logType"=CLIENT_REQ | search "message.url"="$servicename$" | stats dc("message.tracers.ek-correlation-id{}") by _time | timechart span=1h count as "Dublin_Hits" $datacenter$ Singapore is selected: (index=my_index) openshift_namespace=my-ns sourcetype=openshift_logs openshift_cluster="*sing_dc_01*" | search "message.logType"=CLIENT_REQ | search "message.url"="$servicename$" | stats dc("message.tracers.ek-correlation-id{}") by _time | timechart span=1h count as "Singapore_Hits" When Both selected - I need that 2 lines to be plotted on that same chart: From the independent search query, i am able to achieve this using 2 searches with append (index=my_index) openshift_namespace=my-ns sourcetype=openshift_logs openshift_cluster="*dbl_dc_01*" | search "message.logType"=CLIENT_REQ | search "message.url"="$servicename$" | stats dc("message.tracers.ek-correlation-id{}") by _time | timechart span=1h count as "Dublin_Hits" | append [ search (index=my_index) openshift_namespace=my-ns sourcetype=openshift_logs openshift_cluster="*sing_dc_01*" | search "message.logType"=CLIENT_REQ | search "message.url"="$servicename$" | stats dc("message.tracers.ek-correlation-id{}") by _time | timechart span=1h count as "Singapore_Hits"] How do we get this plotted in the same dashboard when BOTH is selected from drop down   Note: $servicename$ value is generated dynamically based on data centre location ... View more
Labels

How to display another item in the dashbaord which...

by in Dashboards & Visualizations
‎01-24-2023 09:04 PM
‎01-24-2023 09:04 PM
I have following splunk query (index=index_1 OR index=index_2) sourcetype=openshift_logs openshift_namespace="my_ns" openshift_cluster="*" | spath "message.url" | search "message.url"="/dummy/url/v1*" | search "message.tracers.ke-channel{}"="*" |search "message.jsonObject.payments{}.products{}.type"=GROCERY | dedup message.tracers.ke-correlation-id{} | search "message.statusCode"<400 |rename "message.jsonObject.payments{}.orderStatus.status" AS "ORDER_STATUS"| top limit=50 "ORDER_STATUS" which gives the below output ORDER_STATUS count percent ----------------------------------- PAYMENT_ACCEPTED 500 70 PAYMENT_PENDING 100 20 PAYMENT_UNDER_REVIEW 90 2 PAYMENT_REDIRECTION 40 1.32 PAYMENT_NOT_ATTEMPTED10 3.11 I want to display another item in the dashbaord which should be the sum of the count of following order status: PAYMENT_ACCEPTED+PAYMENT_PENDING+PAYMENT_UNDER_REVIEW+PAYMENT_REDIRECTION i.e 500 + 100+90+40=730 Below is my query: (index=index_1 OR index=federated:index_2) sourcetype=openshift_logs openshift_namespace="my_ns" openshift_cluster="*" | spath "message.url" | search "message.url"="/dummy/url/v1*" | search "message.tracers.ke-channel{}"="*" |search "message.jsonObject.payments{}.products{}.type"=GROCERY | search "message.statusCode"<400 | dedup message.jsonObject.id |search ("message.jsonObject.payments{}.orderStatus.status"="PAYMENT_ACCEPTED" OR "message.jsonObject.payments{}.orderStatus.status"="PAYMENT_PENDING" OR "message.jsonObject.payments{}.orderStatus.status"="PAYMENT_UNDER_REVIEW" OR "message.jsonObject.payments{}.orderStatus.status"="PAYMENT_REDIRECTION") | stats count(message.jsonObject.id) But the sum of the count using the above query is always more than the actual total count. Appreciate if someone can let me know where am i going wrong. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎02-29-2024 05:50 AM
Karma given to
View All