About Sekhar

Sekhar

<input type= drop-down token =field1> <Lable > Env</Lable> < Choice value="_nontest " source="testing source"> TEST</choice> <Choice value=" source="prodsource" >Prod</choice> </Input> My query is like index=abc$field1$ | stats count which testing working fine when I select prod not getting any our and query also i below Index=abcsource="prodsource" | stats count How to give space between index and source while selecting prod .

Sekhar

Have drop down vaules like below Extual vaul Index =abc source = abc source Drop down values like prod lable Value source =abc source In query getting like error index=abc source=abc source i required logic for space between index and source

Sekhar

My SLA calculating like this 100-(count of duration<30/total count)*100

Sekhar

my query below (Index=x source=xtype valid) or (index=y source= ytype passed) | eval which=if(match(_raw, " valid"),"valid", "passed") | stats values( which) as msg by manid | stats count(eval(msg=" valid")) as total_ count count(eval(msg= "passed")) getting out like total count 54 respons count 58 But i want check this condition too Eval msgconur = mvcount(msg) | where >1 Need to check duration time > 30 count duration time <30 count

Sekhar

I have created my dashboard . I need to created pdf report of dashboard sent to my email daily 2pm ist.

Sekhar · ‎05-04-2023

<search ID=" start event"> <Query> index=x source= xtype application=xapps<\quer> I am using base query in plannel Panael Serach base=" start event" Query | status count working fine for panel We have multiple base query index ,source, application same so i need to create one root search for comman search.

Sekhar · ‎05-04-2023

We have created base serach query but I required to created root search base on that .

Sekhar · ‎04-20-2023

I tried below query index=x source type=xx "saved msg") OR (index=y source type=y " recived msg") | stats values(_time) as time values(actionid) as actionid values(batchid) as batchid by manid | eval duration = max(time) - min(time) | stats count count(eval(duration > 30)) as exceeded Getting result count saved msg and received msg both I required main I'd have multiple saved msg request but We required bothr saved msg and received msg by manid

Sekhar · ‎04-20-2023

index= non prod source=test.log "recived msg") OR (index =non-agent source=test1log "acknowledgement msg") | eval which=if(match(_raw, "received msg"), "received", "acknowledged") | stats vaules (_time) as start time as max(_time) as Endtime values(which) as msg by batch Id Getting below result Batchid msg Bid123. Received msg Bid23345. Received msg acknowledged I required the only which batchid having recived msg and acknowledged those count duration> 30 sec

Sekhar · ‎04-20-2023

Sample data format {\"studenrinformation\" : \"student577474\", }

Sekhar · ‎04-20-2023

Filed extracted like rex field = msg " student information\" : (?<studentname>.*?)," Student name getting like below "Stdent570" "55555sdeend" I want data with our double quotes

Sekhar · ‎04-20-2023

I have two event start event having extracted fields from log managerid ,branch I'd,empname using index = emp source = empsource " offer letters" End event having extracted field empid,branch id index= manager source= manager source " relieving letters" I want to get empid who's is taken offer letter and relieving later and duration.

Sekhar · ‎04-19-2023

My query index= nonjVs source = nonjavs | stats vaules(_time ) as start time values(_time) as endtime by empid Displayed below formate but I want to see my stat time and end time "%m-%d-%y %H:%M:@%S" Starttime 165575758474.67768 End time 16777894894.67788

Sekhar · ‎04-17-2023

When I excute the start event getting 40 statistics and end event result 43 statistics But when I used append and stats getting 75 statistics. My requirement is matching the mandid for both the events . Then I will calculate the duration from end event to start event . How can I validate by data or query getting correct results

Sekhar · ‎04-17-2023

Below two events Start event Index= x source= xtype | spath application | search application= x app " saved note" RCVD | rex field=" actionid"=(?<actionid>.*)", | Rex field =log " manid=(?<mandid>.*?)", | Rex field=log "bid=(?<bid>.*" | Rex field= log " state=(?<state>.*" | Table _time bid,mandid,actionid,state End event Index=y sourcetype=yytype source=y "VALIDATION SUCESS" " msg got" | Rex field =msg " manid\:(?<mandid>.*?)", | Rex field=msg "actionid"\:(?<actionid>.*" | Table _time manid actionid

Sekhar · ‎04-17-2023

Min(time)

Sekhar · ‎04-17-2023

Min(time)

Sekhar · ‎04-17-2023

start event | join [ end event] | stats min(_time) as start_time max(_time) as end_time values(actionid) as actionid values(batchid) as batchid by manid | eval duration = (end_time - start_time) | eval excessive = if(duration > 30, duration, null()) | stats count(excessive) as excess_count avg(excessive) as excess_avg by manid But sure about result getting correct or not

Sekhar · ‎04-17-2023

We have two events Start event Index= x source= xtype | spath application | search application= x app " saved note" RCVD | rex field=" actionid"=(?<actionid>.*)", | Rex field =log " manid=(?<mandid>.*?)", | Rex field=log "bid=(?<bid>.*" | Rex field= log " state=(?<state>.*" | Table _time bid,mandid,actionid,state End event Index=y sourcetype=yytype source=y "VALIDATION SUCESS" " msg got" | Rex field =msg " manid\:(?<mandid>.*?)", | Rex field=msg "actionid"\:(?<actionid>.*" | Table _time manid actionid Calculate different between start event and end event group by manid and count mandates exceeding different above 30sec

Sekhar · ‎04-16-2023

Above query i add table but not displayed any thing | Table start_time duration mandid

Posts	33
Solutions	0
Karma Given	0
Karma Received	0
Member Since	‎04-13-2023

Online Status	Offline
Date Last Visited	2 weeks ago

How to give space in dashboard query?

How to calculate SLA?

How to schedule daily 2pm my dashboard pdf report ...

How to create root search and base search in dashb...

How to remove double quotes from extracted field ...

Matching field from two different index and source

How get _time vaules same format?

How to extract matched data from different index a...

How to common fields from two different events and...

How to achieve list of manid breaching Authorizati...

Re: Give space in dashboard query

How to give space in dashboard query?

Re: SLA calculating

How to calculate SLA?

How to schedule daily 2pm my dashboard pdf report ...

Re: How to create root search and base serach in d...

How to create root search and base search in dashb...

Re: How to merge two different index and calculate...

Re: How to merge two different index and calculate...

Re: How to remove double quotes from extracted fi...

How to remove double quotes from extracted field ...

Matching field from two different index and source

How get _time vaules same format?

Re: How to extract matched data from different ind...

How to extract matched data from different index a...

Re: Calculate the SLA percentage from start event ...

Re: Calculate the SLA percentage from start event ...

Re: Extracted common fields from two different eve...

How to common fields from two different events and...

Re: List of manid breaching Authorization SLA