About edookati

edookati · ‎03-25-2018

I need help with framing a query which gives me the standard deviation of 5 values (for last business week) and compare the same with today's traffic for the same hour and trigger an alert if the difference is more than x% All i could get was the values for the same hour ever business day last week using simple chart command and I couldn't go past that. index=ABC sourcetype=DEF uri="/sample/event/test" earliest=-6d@w1 AND latest=-1d@w6 date_hour>5 date_hour<=18 | chart limit=100 span=1h dc(unique_id) over date_hour by date_mday Result date_hour 19 20 21 22 23 7 60366 61630 62768 62533 64369 I need data in this below format or at least the 3 values I am looking for StdDev(Last business week between 8 am - 9 am ET) Current_Hour's_Traffic DIfference_In_% 500 450 10 Thanks a lot.

edookati · ‎03-23-2017

Thanks a lot.

edookati · ‎03-21-2017

Thanks. It works. Can you please explain what eval(pause>10) does here? Does it count the instances of all pauses which are greater than 10 seconds. Also, how do I store the session ID and not repeat it, at least for a couple of days. Sorry, I am not familiar with streamstats. Thanks a lot.

edookati · ‎03-16-2017

I am trying to get the transaction results from a lookup file and I have _time field written into it for this to work. The duration condition seems to be working, but the query stops working the moment I add maxpause condition to it. Below is the query I am currently trying to fix. Please help me here. | inputlookup LOOKUP.csv | eval durationLimitInSeconds=durationLimitInMinutes*60 | eval now=now() | eval temp=(now-(2*60*60)-120) | where _time>temp | transaction maxpause=10s code | where eventcount>2 AND duration>durationLimitInSeconds | fields _time code duration durationLimitInSeconds eventcount Below is the sample data, if it helps. I want events with pause more than a few seconds (10s) to be considered as a different transaction, but the query I use treats all of them as single event and if I include maxpause, the query doesn't work at all. _time duration_measure code loglevel durationLimitInMinutes 2017-03-17 00:25:48 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:25:46 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:25:41 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:25:21 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:25:21 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:25:11 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:25:11 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:25:00 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:24:46 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:24:46 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:24:41 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:24:41 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:24:27 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:24:27 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:24:06 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:24:06 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:24:00 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:24:00 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:24:00 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:23:48 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:23:48 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:23:48 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:23:45 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:23:45 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:23:41 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:23:41 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:23:22 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:23:06 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:22:46 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:22:41 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:22:22 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:22:22 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:22:06 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:22:06 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:22:00 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:22:00 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:21:48 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:21:48 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:21:46 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:21:41 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:21:22 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:21:06 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:21:00 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:21:00 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:20:55 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:20:55 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:20:46 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:20:46 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:20:46 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:20:41 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:20:41 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:20:41 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:20:22 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:20:22 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:20:06 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:20:06 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:20:00 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-17 00:19:48 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-16 23:59:22 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-16 23:59:09 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-16 23:59:06 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-16 23:58:57 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-16 23:58:55 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-16 23:58:41 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-16 23:49:12 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-16 23:49:09 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-16 23:49:09 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10 2017-03-16 23:49:06 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10

edookati · ‎05-06-2015

great! it worked. Thanks a lot.

edookati · ‎05-06-2015

I am trying to get the number of requests/response that we send/receive to/from one application and the combined size of request & responses per hour. I am using the below query, but this doesn't seem to work. index=ABC sourcetype=abc ServiceName=A* OR ServiceName=B* OR ServiceName=C* | eval raw_len=len(_raw) | eventstats sum(raw_len), count by date_hour, Direction I need results in the below table format... date.hour NumberofRequests(direction=REQUEST) Number of Responses (direction=RESPONSE) Sum(bytes) Can someone please help me with this? Thanks.

edookati · ‎03-10-2015

Thanks a lot.

edookati · ‎03-09-2015

I am using the below query to get the status codes of different applications which have one common functionality...I need to add the % by index.. Can someone please help me? Thanks. index=* sourcetype=access* URL="/bankapi/accounts/*/transactions/*/checkimages*" | top StatusCode by index Below are the results... index StatusCode count percent bankapi_logs 200 616 98.402556 bankapi_logs 500 10 1.597444 olb_logs 200 5563 98.338342 olb_logs 500 52 0.919215 olb_logs 404 32 0.565671 olb_logs 503 10 0.176772 I need something like this... index StatusCode count percent bankapi_logs 200 616 98.402556 bankapi_logs 500 10 1.597444 BankAPI.Total 100 olb_logs 200 5563 98.338342 olb_logs 500 52 0.919215 olb_logs 404 32 0.565671 olb_logs 503 10 0.176772 OLB.Total 100

edookati · ‎12-29-2014

thanks. It worked fine.

edookati · ‎12-29-2014

I need to display the current hour and the current hour + 1 values in the chart and I am using the below eval function for the same... eval monthDateHour=date_month.".".date_mday." ".date_hour.":"."00"." - "."date_hour+1" But it doesn't work. Can someone please help me? Thanks.

edookati · ‎12-22-2014

Pretty close to my requirement and thanks a lot. This will do for now 🙂

edookati · ‎12-22-2014

I need to draw a simple graph of all the response times for a particular service in my application. I am using the below query for now, but i do not want average. I want all the response times on 'y' and _time on 'x' and the graph showing them. There are more than 1 call per second and avg doesn't actually represent the issue we are trying to resolve. Thanks a lot. index=jms_logs sourcetype=perflogs operation_name="RSA*" | timechart span=1s avg(response_time)

edookati · ‎12-11-2014

thanks. it worked

edookati · ‎12-11-2014

I am using the below query, but few events in the logs don't have service_name values. They only have operation_name. I need to include these events in the results with only the operation name. Please help me. index=jms_logs sourcetype=perflogs | eval service_operation = service_name.".".operation_name | table service_operation | dedup service_operation | sort service_operation thanks.

edookati · ‎12-02-2014

Also, i would like to set limits on 90p value for individual services (there are about 60-70) and alert if the 90p value goes above the set limit or if the count above 90p is higher than set limit. Can you please suggest how this can be achieved. Thanks a lot.

edookati · ‎12-02-2014

it worked. Thanks a lot.

edookati · ‎12-01-2014

I need the 90th percentile value in a series of values and the count of values that are greater than the 90th percentile... I am trying the below query with no luck. Please help me. index=jms_logs sourcetype=perflogs domain_server_port="proda_olb_osb*" service_name="ABC*" | eventstats perc95(response_time) as response_time_95p | stats count by service_name | where response_time>response_time_98p

edookati · ‎11-20-2014

thanks. It worked just great.

edookati · ‎11-20-2014

I need a table which gives me both perc95(response_time) and avg(response_time) by service_name I am using the below query, but is giving me some weird results... index=jms_logs sourcetype=perflogs | eventstats perc95(response_time) as response_time_95p, avg(response_time) as avgRespTime | stats by service_name can someone please help me? Thanks.

edookati · ‎11-14-2014

even this is not giving me accurate results. Thanks a lot, for the response.

edookati · ‎11-14-2014

Sorry, it is still giving me the same URLs in one transaction.

edookati · ‎11-14-2014

I am using the below query, but i need to omit the transactions unless the URLs are different in the transaction. index=olb_logs sourcetype="access-API" (URL="/bankapi/session" method=POST ) OR (URL="/bankapi/accounts" method=GET) | transaction sessionID maxspan=3s Thanks.

edookati · ‎11-14-2014

Thanks. this really helped. But, I am seeing same URLs in one transaction for most of the results and I want to display transaction results only if the URLs are different like the one below 2014-11-13 22:59:49 0.357 3152 2b76f0999150450e9b4a8c95e805ba41 - XXXXXX 00.00.00.00 00.00.00.00 00.00.00.00 00.00.00.00 GET /bankapi/ABCD 200 isExternal 2014-11-13 22:59:52 0.301 3152 2b76f0999150450e9b4a8c95e805ba41 - XXXXXX 00.00.00.00 00.00.00.00 00.00.00.00 00.00.00.00 GET /bankapi/EFGH 200 isExternal

edookati · ‎11-14-2014

in weblogic access log, i need to join 2 results and use transaction to display the calls within 3s timespan, but this doesn't work. Can you please help me? index=olb_logs sourcetype="access-API" URL="/bankapi/session" method=POST | join sessionID [Search URL="/bankapi/accounts" method=GET] | transaction sessionID maxspan=3s

edookati · ‎08-12-2014

fantastic. It worked. Thanks.

Posts	33
Solutions	0
Karma Given	11
Karma Received	9
Member Since	‎07-22-2014

Online Status	Offline
Date Last Visited	‎08-14-2020 12:49 AM

standard deviation by hour for last business week ...

Transaction Maxpause doesn't work

get size/bytes of log events and the number events...

How to addcoltotals the percentage of StatusCodes ...

how to increment a value in eval function

how to draw a simple graph of response times again...

return events with null values in an eval function

How to search the 90th percentile value in a serie...

How to write a search to get a table of eventstats...

How to write a search to omit transactions unless ...

standard deviation by hour for last business week ...

Re: Transaction Maxpause doesn't work

Re: Transaction Maxpause doesn't work

Transaction Maxpause doesn't work

Re: get size/bytes of log events and the number ev...

get size/bytes of log events and the number events...

Re: How to addcoltotals the percentage of StatusCo...

How to addcoltotals the percentage of StatusCodes ...

Re: how to increment a value in eval function

how to increment a value in eval function

Re: how to draw a simple graph of response times a...

how to draw a simple graph of response times again...

Re: return events with null values in an eval func...

return events with null values in an eval function

Re: How to search the 90th percentile value in a s...

Re: How to search the 90th percentile value in a s...

How to search the 90th percentile value in a serie...

Re: How to write a search to get a table of events...

How to write a search to get a table of eventstats...

Re: How to write a search to omit transactions unl...

Re: How to join 2 results and use transaction to d...

How to write a search to omit transactions unless ...

Re: How to join 2 results and use transaction to d...

How to join 2 results and use transaction to displ...

Re: format splunk table