Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About Ciarán
Ciarán
Explorer
Member since:
04-03-2023
04-05-2023
Community Statistics
| Posts | 9 |
| Solutions | 0 |
| Karma Given | 4 |
| Karma Received | 0 |
| Member Since | 04-03-2023 |
Activity Feed
- Karma Re: Using the map command to match events for ITWhisperer. 04-05-2023 04:59 AM
- Posted Re: Using the map command to match events on Splunk Search. 04-05-2023 04:00 AM
- Karma Re: Using the map command to match events for ITWhisperer. 04-05-2023 03:57 AM
- Posted Re: Using the map command to match events on Splunk Search. 04-05-2023 02:56 AM
- Posted Re: How to use the map command to match events? on Splunk Search. 04-05-2023 02:43 AM
- Posted Re: Using the map command to match events on Splunk Search. 04-05-2023 02:37 AM
- Posted Re: Using the map command to match events on Splunk Search. 04-05-2023 01:57 AM
- Posted Re: Using the map command to match events on Splunk Search. 04-05-2023 01:46 AM
- Karma Re: Using the map command to match events for richgalloway. 04-05-2023 01:46 AM
- Karma Re: Using the map command to match events for ITWhisperer. 04-05-2023 01:46 AM
- Posted Re: Using the map command to match events on Splunk Search. 04-05-2023 12:55 AM
- Posted How to use the map command to match events? on Splunk Search. 04-03-2023 06:39 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 |
04-05-2023
04:00 AM
Thanks for another helping hand! So apparently the amount of events was not the issue. If I'm not mistaken I saw the number 38.000 something somewhere in the job inspect. But the job inspection did tell me that it had trouble with the wild card in my main search. So I replaced that with a string match instead of a field match so I could circumvent the wild card and now it works! Thanks so much!
... View more
04-05-2023
02:56 AM
So the subsearch has 14 results. The first hit of the subsearch has 7 results on the main search. But when I run the composed search with the subsearch in it I get 0 results. What's going on?
... View more
04-05-2023
02:43 AM
Thanks for the suggestion, but I think you missed a part in my question. If I am reading this query correctly it only searches in the events which have Exit event 'ERROR' , but the information I need (the webservice name) is not included in these events. I need to find another event from the same session which occurred a little bit before the error event. That event does contain the name of the web service.
... View more
04-05-2023
02:37 AM
Thanks for thinking with me. Could you give a bit more explanation with your query examples? Unfortunately this did not solve the problem. I have a subsearch result which does not contain duplicates. (it sometimes does, but right now it does not) The composed query with subsearch says it has zero results, so the sort and dedup seem useless? But to clarify my wishes. I need the latest event because the other results are not relevant to this search but I have no way to match them with the search other than they occur within a certain time frame before the error event. Will this sort and dedup give me the latest? Or does dedup result in a random event?
... View more
04-05-2023
01:57 AM
Oh no! I was too quick to reply. So the loose queries work. Returning 7 events for any one session. But the subsearch version does not work. In the end I would like to not have 7 events per session but the info from 1 specific event (the latest one from the x events).
... View more
04-05-2023
01:46 AM
I did fix the syntax 🙂 Indeed it does not return any results and I have concluded that this might be because some application have not upgraded to the new logging standards so some expected logging is missing. Testing it on a different timeframe in which I am sure there is a updated logging did work! Thanks!
... View more
04-05-2023
12:55 AM
Thanks for your advice. Unfortunately I did not get any results with this query where I would expect 289 occurences of this in the time frame. I therefor edited your query following what is done in Example 2 of Use a subsearch - Splunk Documentation but I still get no results. The subsearch does return 289 results as expected. index=portal sourcetype=app:*** source='log' cls='c.b.m.s.SoapClient Webservicecall*' [
index=portal sourcetype=app:*** source="log" cls=c.b.m.s.SoapServiceClientService Exit event 'ERROR'
| rex "(?i) .*? \[(?P<ResponseCode>\d+)(?=\])"
| search ResponseCode=504
| table ses ]
... View more
04-03-2023
06:39 AM
Could someone have a look at the following query and see why it does not give me the results I expect based on the documentation of map?
index=portal sourcetype=app:*** source="log" cls=c.b.m.s.SoapServiceClientService Exit event 'ERROR'
| rex "(?i) .*? \[(?P<ResponseCode>\d+)(?=\])"
| search ResponseCode=504
| stats values(ses) as Session
| map search="search index=portal sourcetype=app:*** source='log' cls='c.b.m.s.SoapClient Webservicecall*' ses=$Session$ | stats first"
So the first search lists all the session ID's for which a certain error occurs. I want to match this to another event from those sessions which contains the name of the webservice for which the call failed. The second search finds multiple events in the same session, but with 'stats first' I take the latest, which for now is assumed to be the failing one. Instead of the events from the second search, I only get events for the first search as results. No table. So right now my result are events which I would also get when removing the whole map bit and the first stats. Nothing seems to have been added in regards to fields. The holy grail would allow me to include two more rex commands in the map search to extract two fields. When I add a rex command comparable to the one in the first search, the second search won't run.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
04-05-2023
04:15 AM
|
