cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
MOHITJOSHI
Engager
Member since: ‎11-18-2019
‎05-17-2022
Community Statistics
Posts 10
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎11-18-2019
Activity Feed
Topics I've Started
View All

How to create regex to capture a whole string?

by in Splunk Search
‎05-09-2022 01:18 PM
‎05-09-2022 01:18 PM
I have a big event and I want to capture the string between "Message=" and "UpDocCaseRepository" in other words i want to capture this specific string-- "Service encountered a database error." InnerMessage="Method Name: LOBCaseService.LoadCaseText, Error Message: Service encountered a database error., Exception: System.Net.Http.HttpRequestException: Cannot get client case document(s). Lob service call was not successful. reasonPhrase=Unauthorized\r\n at .eCAC.Service.CDR._1.Repository. event- 2022-04-04 21:15:37,734 ERROR WCFServiceClient.Web.InfrastructureService sTime="4/5/2022 1:15:37 AM" LocalId="403654042" Method="LoadCase" Message="Service encountered a database error." InnerMessage="Method Name: LOBCaseService.LoadCaseText, Error Message: Service encountered a database error., Exception: System.Net.Http.HttpRequestException: Cannot get client case document(s). Lob service call was not successful. reasonPhrase=Unauthorized\r\n at .eCAC.Service.CDR._1.Repository.UpDocCaseRepository.<SendUpDocRequest>d__14`1.MoveNext() in s:\jenkins\workspace\_ecac_se---aeddb52c\.eCAC.Service.CDR\1.Repository\UpDocCaseRepository.cs:line 191\r\n--- End of stack trace from previous location where exception was thrown ... View more
Labels

How do I split a multi value single field into mul...

by in Splunk Search
‎03-10-2022 03:03 PM
‎03-10-2022 03:03 PM
JSON field=value pairing i have a log with single field name TestCategories and has multiple values in it like--x,y,z,.... how can i split it and create individual fields like TestCategories1: x and TestCategories2: y TestCategories: x,y,z, ... View more
Labels

sort descending avg time field in results

by in Splunk Search
‎04-07-2020 11:36 PM
‎04-07-2020 11:36 PM
i have a field "avg_time" which i want to display in descending order. tried sort -avg_time but didn't worked eval n=round(diff,2)|chart limit=200 eval(round(avg(n),2)) as avg_time count over Transaction_GroupName by v usenull=false. v is version of app the results table has fields Transaction_GroupName, count:v, avg_time:v ... View more

strip certain data from field

by in Getting Data In
‎04-01-2020 10:58 PM
‎04-01-2020 10:58 PM
my event has a field Transaction:=InpatUPMC_050_Close_WorklistLoad and i am looking to strip the InpatUPMC_050_ part i tried the rex field=source mode=sed "s/Transaction:=InpatUPMC_050_Close_//g" but does not work. ... View more

Re: How to compute the total time spent from splun...

by in Splunk Search
‎03-12-2020 12:19 PM
‎03-12-2020 12:19 PM
Anmol, thanks for feedback. While i cannot use makeresults because i have several hundreds such events which has different Transactions and its corresponding IIS calls and timestamp. i am exploring this option now. to clear any confusion ..Note my event has a synthetic field named Transaction as well index=myindex|multikv forceheader=1 | transaction Transaction maxevents=100 mvlist=time | eval prev_time=strptime(mvindex(time, 0) , "%Y-%m-%d %H:%M:%S") | eval last_time=strptime(mvindex(time, 1), "%Y-%m-%d %H:%M:%S") | eval duration = round(last_time - prev_time,1)."seconds" | table Transaction using this search is grouping all my 10 events for Transaction abc into single transaction (which is good) however the Prev_time and last_time still not evaluated. essentially the PREV time should be the earliest timestamp for the transaction and last time should be the most recent one. to give you example of events. 10 events with Transaction abc. need to compute the time between the 1st and 10th event 10 events with Transaction def. need to compute the time between the 1st and 10th event ... View more

How to compute the total time spent from splunk ti...

by in Splunk Search
‎03-11-2020 04:41 PM
‎03-11-2020 04:41 PM
I have IIS events which looks like below. looking to compute the total time taken from the splunk timestamp..which in this case is 3 secs..from 07th to :10th seconds how can i compute this from eval? 2020-03-11 22:29:10 /Logout Transaction:=InpatUPMC_090_Billing_WorklistLoad 2020-03-11 22:29:07 /Login Transaction:=InpatUPMC_090_Billing_WorklistLoad ... View more

Re: Skipping time conversion

by in Getting Data In
‎02-05-2020 02:32 PM
‎02-05-2020 02:32 PM
ah..i figured out...it needed a restart of splunk. ... View more

Re: Skipping time conversion

by in Getting Data In
‎02-05-2020 01:57 PM
‎02-05-2020 01:57 PM
Tried that already but still the same. [mysourcetype] TZ = EST ... View more

Skipping time conversion

by in Getting Data In
‎02-05-2020 01:44 PM
‎02-05-2020 01:44 PM
I have events which has EST timestamp already and i don't want splunk to do any time conversion. whats occurring right now is splunk is transforming this to EST again thinking its UTC time. raw event time- 02/05/2020 02:08:49.074 splunk timestamp - 2/4/20 9:08:49.074 PM i am looking to have no transformation applied and keep the raw event time as the timestamp ... View more

How to transform multiple timestamps in an event

by in Getting Data In
‎11-18-2019 10:44 AM
‎11-18-2019 10:44 AM
I have an event that prints the actual time which Splunk metadata has, but instead, I want to use the other timestamp. Splunk time shows 8/15/18 2:12:44.000 PM which it extracts from the Verbose line but I am interested to use the ZZZ-20190802-13:18:06-0000000001-3820-0 so that my Splunk time is based on ZZZ field VERBOSE abc 08/15/18 18:12:44 xyz DETAILS abc123 0.594s abc: 0.336s :abc: 0.001s ZZZ-20190802-13:18:06-0000000001-3820-0 ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎05-17-2022 12:52 AM