Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About sieutruc
sieutruc
Contributor
Member since:
08-07-2012
06-05-2020
Community Statistics
| Posts | 119 |
| Solutions | 3 |
| Karma Given | 14 |
| Karma Received | 26 |
| Member Since | 08-07-2012 |
Activity Feed
- Got Karma for How to set automatically executable attribute of file in Splunk for Unix and Linux technology add-on. 09-17-2021 10:57 AM
- Karma Re: Configure Splunk instance with 2 IP addresses ? for bmacias84. 06-05-2020 12:46 AM
- Karma Re: How to monitor file like csv file for Ayn. 06-05-2020 12:46 AM
- Karma Re: How to use CHECK_METHOD in Univsersal Forwarder for gkanapathy. 06-05-2020 12:46 AM
- Karma Re: How to create result table in result table (Advance XML) for sideview. 06-05-2020 12:46 AM
- Karma Re: Database table doesn't have rising column totally? for ziegfried. 06-05-2020 12:46 AM
- Karma Re: Change the login page and master page of Splunk for MuS. 06-05-2020 12:46 AM
- Karma Re: Question about perfmon search for MarioM. 06-05-2020 12:46 AM
- Karma Re: Problem: scripted inputs stop running in certain time ? for Drainy. 06-05-2020 12:46 AM
- Karma Re: the order of whitelist in servercalss ? for kristian_kolb. 06-05-2020 12:46 AM
- Karma Re: ad-repl-stat.ps1 error ? for ahall_splunk. 06-05-2020 12:46 AM
- Karma Re: Cannot use earliest and latest for _time field newly converted from other field ? for sideview. 06-05-2020 12:46 AM
- Karma Re: How to show dynamically chart title ? for sideview. 06-05-2020 12:46 AM
- Karma Re: How to execute external script to manipulate file from search command for Gilberto_Castil. 06-05-2020 12:46 AM
- Karma Re: how to create a button that triggers script in Forwarder from indexer for bmacias84. 06-05-2020 12:46 AM
- Got Karma for Re: Scripted input question for batch file. 06-05-2020 12:46 AM
- Got Karma for Error when running CLI remotely. 06-05-2020 12:46 AM
- Got Karma for How to execute external script to manipulate file from search command. 06-05-2020 12:46 AM
- Got Karma for How to show dynamically chart title ?. 06-05-2020 12:46 AM
- Got Karma for How to replace integrated pdf server of Splunk 5 with the PDF Report Server app ?. 06-05-2020 12:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 |
09-26-2016
07:47 AM
Thanks for your reply, but transaction mid does not group them into 2 events as desired. The reason is each events after "transaction uid" has its own mid.
... View more
09-26-2016
07:45 AM
Each line is one event originally. The sample i show here is after using the transaction for UID.
... View more
09-26-2016
01:07 AM
@sundareshr : i cannot reply to your comment. The forum deleted aumatically my reply everytime. It seems a bug of the splunk web.
Can you take a look at my reply below ?
... View more
09-26-2016
01:06 AM
@sundareshr : i cannot reply to your comment. The forum deleted aumatically my reply everytime. It seems a bug of the splunk web.
Can you take a look at my reply below ?
... View more
09-22-2016
01:53 PM
sorry for my late reply. No, it did not give the right grouping.
If the table was like :
UID mid id
306825245 119526183 306825245
306825245 - 306825245
306825245 - 306825245
306825245 - 306825245
971637133 306825245 306825245
971637133 - 306825245
971637133 - 306825245
971637133 - 306825245
207825245 134526103 207825245
207825245 - 207825245
207825245 - 207825245
207825245 - 207825245
187478569 207825245 207825245
187478569 - 207825245
187478569 - 207825245
187478569 - 207825245
it would give the right answer. The mid=306825245 is a key to create first event, and mid=207825245 is for creating the second event.
... View more
09-22-2016
01:52 PM
sorry for my late reply. No, it did not give the right grouping.
If the table was like :
UID mid id
306825245 119526183 306825245
306825245 - 306825245
306825245 - 306825245
306825245 - 306825245
971637133 306825245 306825245
971637133 - 306825245
971637133 - 306825245
971637133 - 306825245
207825245 134526103 207825245
207825245 - 207825245
207825245 - 207825245
207825245 - 207825245
187478569 207825245 207825245
187478569 - 207825245
187478569 - 207825245
187478569 - 207825245
it would give the right answer. The mid=306825245 is a key to create first event, and mid=207825245 is for creating the second event.
... View more
09-22-2016
01:52 PM
sorry for my late reply. No, it did not give the right grouping.
If the table was like :
UID mid id
306825245 119526183 306825245
306825245 - 306825245
306825245 - 306825245
306825245 - 306825245
971637133 306825245 306825245
971637133 - 306825245
971637133 - 306825245
971637133 - 306825245
207825245 134526103 207825245
207825245 - 207825245
207825245 - 207825245
207825245 - 207825245
187478569 207825245 207825245
187478569 - 207825245
187478569 - 207825245
187478569 - 207825245
it would give the right answer. The mid=306825245 is a key to create first event, and mid=207825245 is for creating the second event.
... View more
09-22-2016
01:48 PM
Sorry for my reply, i came back home. No, it did not give the right grouping.
If the table was like :
UID mid id
306825245 119526183 306825245
306825245 - 306825245
306825245 - 306825245
306825245 - 306825245
971637133 306825245 306825245
971637133 - 306825245
971637133 - 306825245
971637133 - 306825245
207825245 134526103 207825245
207825245 - 207825245
207825245 - 207825245
207825245 - 207825245
187478569 207825245 207825245
187478569 - 207825245
187478569 - 207825245
187478569 - 207825245
it would give the right grouping (here 2 events) , the mid=306825245 is the key to group the 1st event, and mid=207825245 for the second event.
... View more
09-22-2016
10:45 AM
sorry for late reply, i just went back home. If i use the transaction with id , it does not give the right result.
For example, the following table would give the right result if i use the transaction with id (id gets the same value for one event)
UID mid id
306825245 119526183 306825245
306825245 - 306825245
306825245 - 306825245
306825245 - 306825245
971637133 306825245 306825245
971637133 - 306825245
971637133 - 306825245
971637133 - 306825245
306825245 is the key to connect them (2UIDs).
... View more
09-22-2016
08:52 AM
the table is :
UID mid id
306825245 119526183 119526183
306825245 - 306825245
306825245 - 306825245
306825245 - 306825245
971637133 306825245 306825245
971637133 - 971637133
971637133 - 971637133
971637133 - 971637133
207825245 134526103 134526103
207825245 - 207825245
207825245 - 207825245
207825245 - 207825245
187478569 207825245 207825245
187478569 - 187478569
187478569 - 187478569
187478569 - 187478569
You see the field "id" does not have 2 separate values.
... View more
09-22-2016
07:51 AM
Actually, the original events are line by line. I used the transaction to group them basing on the UID. But after that, i got this problem and do not how to solve.
I tried your commands with the original events. it does not change. The difficulty is how to group 2 transactions with 2 UID to only one transaction like described in my post.
... View more
09-22-2016
07:05 AM
i tested and it does not work. the result is always 4 events , they are not grouped into 2. What i would like to achieve is : event 1 + event 2 = 1 event (caues the mid of evt 2 = UID of event 1), similarly for event 3 and 4.
And the field id gets 4 different values for 4 events
... View more
09-22-2016
06:37 AM
i used
base search | rex "UID\s(?<uid>\d+)" | rex "Message\s(?<mid>\d+) accepted"
The 1st event : UID=306825245 , mid=119526183
The 2nd event: UID=971637133 , mid=306825245 # mid of 2nd = UID of 1st
The 3rd event: UID=207825245 , mid=134526103
The 4th event: UID=187478569 , mid=207825245 # mid of 4h = UID of 3st
So your solution : eval id=if(len(mid)<2, uid, mid) | sort id does not work , it does not group to 2 events from 4 events : (1+2), (3+4)
... View more
09-22-2016
06:01 AM
Thanks for your reply, but your solution does not work. The field "mid" exists in all events so the query "eval id=if(isnull(mid), uid, mid)" returns always mid => so i cannot group them.
... View more
09-22-2016
04:26 AM
Hello,
i have the following logs ( 4 events):
1)
Sep 21 15:36:11 test.infra : Info: Start UID 306825245 ICID 111270602
Sep 21 15:36:11 test.infra : Info: UID 306825245 ICID 111270602 receivedTest:
Sep 21 15:36:11 test.infra : Info: UID 306825245 ICID 111270602 RID 0 user:
Sep 21 15:36:13 Info: UID 306825245 RID [0] Response 'ok: Message 119526183 accepted'
2)
Sep 21 15:36:05 test.infra : Info: Start UID 971637133 ICID 319258725
Sep 21 15:36:05 test.infra : Info: UID 971637133 ICID 111270602 receivedTest:
Sep 21 15:36:05 test.infra : Info: UID 971637133 ICID 319258725 RID 0 user:
Sep 21 15:36:09 Info: UID 971637133 RID [0] Response 'ok: Message 306825245 accepted'
3)
Sep 21 15:34:11 test.infra : Info: Start UID 207825245 ICID 111270602
Sep 21 15:34:11 test.infra : Info: UID 207825245 ICID 111270602 receivedTest:
Sep 21 15:34:11 test.infra : Info: UID 207825245 ICID 111270602 RID 0 user:
Sep 21 15:34:13 Info: UID 207825245 RID [0] Response 'ok: Message 134526103 accepted'
4)
Sep 21 15:34:05 test.infra : Info: Start UID 187478569 ICID 319258725
Sep 21 15:34:05 test.infra : Info: UID 187478569 ICID 319258725 receivedTest:
Sep 21 15:34:05 test.infra : Info: UID 187478569 ICID 319258725 RID 0 user:
Sep 21 15:34:09 Info: UID 187478569 RID [0] Response 'ok: Message 207825245 accepted'
I wan to group them into 2 events. The event is grouped based on UID and the id from the last message ( Message 207825245 accepted'). For ex: in the second event, it has UID = 207825245 and accepted message id = 306825245. This will be grouped with the first event because the UID of the first event equals to the accepted message id of the second message.
So with that, the wesutl should be
:
1)
Sep 21 15:36:11 test.infra : Info: Start UID 306825245 ICID 111270602
Sep 21 15:36:11 test.infra : Info: UID 207825245 ICID 111270602 receivedTest:
Sep 21 15:36:11 test.infra : Info: UID 306825245 ICID 111270602 RID 0 user:
Sep 21 15:36:13 Info: UID 306825245 RID [0] Response 'ok: Message 119526183 accepted'
Sep 21 15:36:05 test.infra : Info: Start UID 971637133 ICID 319258725
Sep 21 15:36:05 test.infra : Info: UID 207825245 ICID 111270602 receivedTest:
Sep 21 15:36:05 test.infra : Info: UID 971637133 ICID 319258725 RID 0 user:
Sep 21 15:36:09 Info: UID 971637133 RID [0] Response 'ok: Message 306825245 accepted'
2)
Sep 21 15:34:11 test.infra : Info: Start UID 207825245 ICID 111270602
Sep 21 15:34:11 test.infra : Info: UID 207825245 ICID 111270602 receivedTest:
Sep 21 15:34:11 test.infra : Info: UID 207825245 ICID 111270602 RID 0 user:
Sep 21 15:34:13 Info: UID 207825245 RID [0] Response 'ok: Message 134526103 accepted'
Sep 21 15:34:05 test.infra : Info: Start UID 187478569 ICID 319258725
Sep 21 15:34:05 test.infra : Info: UID 187478569 ICID 319258725 receivedTest:
Sep 21 15:34:05 test.infra : Info: UID 187478569 ICID 319258725 RID 0 user:
Sep 21 15:34:09 Info: UID 187478569 RID [0] Response 'ok: Message 207825245 accepted'
Can someone helpe me resolve this case ? all suggestion will be appreciated.
... View more
- Tags:
- merge
- transactions
06-17-2016
07:29 AM
i got your point, but that's the reason i asked this question, i want to know if splunk supports more than the asterisk wild card in the base search. Thank you in anyway.
... View more
06-17-2016
07:27 AM
it does not actually respond to my question because if field 1 contains un regular expression that is not "*" wild card, you have to use regex command and ... splunk reads all events for the comparision. I think the temporary solution maybe use the hydrid solution like the answer of @somesoni2 above
... View more
06-17-2016
07:21 AM
Thank you for your information, now i know only * is supported. I hope splunk would support more wild card in the future version 🙂 , for ex: "?" or "|".
... View more
06-17-2016
03:52 AM
thank for your reply, only * is supported in base search ( cannot use ?, [0-9], or [a-z] ), is it right ?
I ask this type of question because i did not where the doc of splunk mentions all regular expressions that could be used in base search.
... View more
06-17-2016
03:48 AM
your answer is just right for some specific cases. if i search for "email="test.*hello@.*", the search with the tokens like "test hello @" will return nothing.
... View more
06-16-2016
07:50 AM
hello,
After reading some answers, I see that if I use regex for searching events corresponding to a pattern, it will take a lot of time as Splunk reads all events from disk.
For example: I use index=X email="test@*" , it will be so much faster than index=X | regex email="test@.*" .
So my question is beside the * , can I use another regex term in the default search without using regex that provides the same performance as original search.
For ex:
index=X email="test@[a-z]+.com" ?
index=X email="test@[0-9]*.com" ?
... View more
06-13-2016
06:59 AM
Thank you for the answer, i have updated my question, and with my current log, your query does not return 2 transactions. Can you take a quick look ?
... View more
06-13-2016
05:06 AM
one transaction is 917966106 and 917967047 , and other one is 817966106. 917967047 is rewritten from 917966106 but both are in the same transaction. So first transaction contain 4 events and other contains 7 events.
... View more
06-13-2016
04:20 AM
Hello,
I have the log like below :
Jun 13 10:18:59 Debug: IID 917966106 done
Jun 13 10:18:59 Debug: IID 917967047 action 2
Jun 13 10:18:59 Debug: IID 917967047 action 1
Jun 13 10:18:58 Debug: IID 917966106 rewritten to IID 917967047 by engine1
Jun 13 10:18:58 Debug: IID 917966106 action 2
Jun 13 10:18:58 Debug: IID 917966106 action 1
Jun 13 10:18:58 Debug: IID 917966106 start
Jun 13 10:18:56 Debug: IID 817966106 done
Jun 13 10:18:56 Debug: IID 817966106 action 2
Jun 13 10:18:56 Debug: IID 817966106 action 1
Jun 13 10:18:56 Debug: IID 817966106 start
I want to group into 2 transaction, normally i can use :
index=X | rex field=_raw "Debug: IID (?\d+)" | transaction IID startswith="start" endswith="done"
But the problem is for the second transaction, the field IID has 2 values ( 917966106 and 917967047 ) but they belong to the same transaction.
Can you know how to create a transaction in this case, one containing 4 events and other containing 7 events ?
i would appreciate any idea !
UPDATE after the good answer of @sundareshr : my log looks actually like
Jun 13 10:18:59 Debug: IID 917966106 done
Jun 13 10:18:56 Debug: RID 23789 stop
Jun 13 10:18:59 Debug: IID 917967047 action 2
Jun 13 10:18:59 Debug: IID 917967047 action 1
Jun 13 10:18:58 Debug: IID 917966106 rewritten to IID 917967047 by engine1
Jun 13 10:18:58 Debug: IID 917966106 action 2
Jun 13 10:18:58 Debug: IID 917966106 action 1
Jun 13 10:18:58 Debug: IID 917966106 start
Jun 13 10:18:58 Debug: RID 23789 IID 917966106 created
Jun 13 10:18:58 Debug: RID 23789 start details: start connection
Jun 13 10:18:56 Debug: IID 817966106 done
Jun 13 10:18:56 Debug: RID 12345 stop
Jun 13 10:18:56 Debug: IID 817966106 action 2
Jun 13 10:18:56 Debug: IID 817966106 action 1
Jun 13 10:18:56 Debug: RID 12345 IID 817966106 created
Jun 13 10:18:56 Debug: RID 12345 start details: start connection
when i tried
index=X | rex field=_raw "Debug: IID (?\d+)" | rex field=_raw "Debug: RID (?\d+)" |rex field=_raw "rewritten to IID (?\d+)" | eventstats first(newid) as newid) by IID | eval IID=if((isnull(newid), IID, newid) | transaction IID RID startswith="start" endswith="done"
It does not give the 2 transaction ( 6 events and 10 events)
Can you give me a help again pls ?
... View more
01-11-2013
05:18 AM
I see 3 buttons "Print","Schedule PDF delivery", Generate PDF" in my advanced XML, but i can only use "print" function, the other 2 buttons, when i clicked on, one said "PDF generation is not available in this view", other said "unable to render PDF" ???? i've already installed PDF report server on my Linux
... View more
