Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About MOHITJOSHI
MOHITJOSHI
Engager
Member since:
11-18-2019
06-03-2024
Community Statistics
| Posts | 10 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 11-18-2019 |
Activity Feed
- Posted How to create regex to capture a whole string? on Splunk Search. 05-09-2022 01:18 PM
- Posted How do I split a multi value single field into multi fields? on Splunk Search. 03-10-2022 03:03 PM
- Posted sort descending avg time field in results on Splunk Search. 04-07-2020 11:36 PM
- Tagged sort descending avg time field in results on Splunk Search. 04-07-2020 11:36 PM
- Posted strip certain data from field on Getting Data In. 04-01-2020 10:58 PM
- Tagged strip certain data from field on Getting Data In. 04-01-2020 10:58 PM
- Posted Re: How to compute the total time spent from splunk timestamp on Splunk Search. 03-12-2020 12:19 PM
- Posted How to compute the total time spent from splunk timestamp on Splunk Search. 03-11-2020 04:41 PM
- Tagged How to compute the total time spent from splunk timestamp on Splunk Search. 03-11-2020 04:41 PM
- Posted Re: Skipping time conversion on Getting Data In. 02-05-2020 02:32 PM
- Posted Re: Skipping time conversion on Getting Data In. 02-05-2020 01:57 PM
- Posted Skipping time conversion on Getting Data In. 02-05-2020 01:44 PM
- Tagged Skipping time conversion on Getting Data In. 02-05-2020 01:44 PM
- Tagged Skipping time conversion on Getting Data In. 02-05-2020 01:44 PM
- Posted How to transform multiple timestamps in an event on Getting Data In. 11-18-2019 10:44 AM
- Tagged How to transform multiple timestamps in an event on Getting Data In. 11-18-2019 10:44 AM
- Tagged How to transform multiple timestamps in an event on Getting Data In. 11-18-2019 10:44 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
05-09-2022
01:18 PM
I have a big event and I want to capture the string between "Message=" and "UpDocCaseRepository"
in other words i want to capture this specific string--
"Service encountered a database error." InnerMessage="Method Name: LOBCaseService.LoadCaseText, Error Message: Service encountered a database error., Exception: System.Net.Http.HttpRequestException: Cannot get client case document(s). Lob service call was not successful. reasonPhrase=Unauthorized\r\n at .eCAC.Service.CDR._1.Repository.
event-
2022-04-04 21:15:37,734 ERROR WCFServiceClient.Web.InfrastructureService sTime="4/5/2022 1:15:37 AM" LocalId="403654042" Method="LoadCase" Message="Service encountered a database error." InnerMessage="Method Name: LOBCaseService.LoadCaseText, Error Message: Service encountered a database error., Exception: System.Net.Http.HttpRequestException: Cannot get client case document(s). Lob service call was not successful. reasonPhrase=Unauthorized\r\n at .eCAC.Service.CDR._1.Repository.UpDocCaseRepository.<SendUpDocRequest>d__14`1.MoveNext() in s:\jenkins\workspace\_ecac_se---aeddb52c\.eCAC.Service.CDR\1.Repository\UpDocCaseRepository.cs:line 191\r\n--- End of stack trace from previous location where exception was thrown
... View more
Labels
- Labels:
-
field extraction
03-10-2022
03:03 PM
JSON field=value pairing
i have a log with single field name TestCategories and has multiple values in it like--x,y,z,....
how can i split it and create individual fields like TestCategories1: x and TestCategories2: y
TestCategories: x,y,z,
... View more
Labels
- Labels:
-
field extraction
04-07-2020
11:36 PM
i have a field "avg_time" which i want to display in descending order. tried sort -avg_time but didn't worked
eval n=round(diff,2)|chart limit=200 eval(round(avg(n),2)) as avg_time count over Transaction_GroupName by v usenull=false. v is version of app
the results table has fields Transaction_GroupName, count:v, avg_time:v
... View more
- Tags:
- splunk-enterprise
04-01-2020
10:58 PM
my event has a field Transaction:=InpatUPMC_050_Close_WorklistLoad and i am looking to strip the InpatUPMC_050_ part
i tried the rex field=source mode=sed "s/Transaction:=InpatUPMC_050_Close_//g" but does not work.
... View more
- Tags:
- splunk-enterprise
03-12-2020
12:19 PM
Anmol,
thanks for feedback. While i cannot use makeresults because i have several hundreds such events which has different Transactions and its corresponding IIS calls and timestamp. i am exploring this option now.
to clear any confusion ..Note my event has a synthetic field named Transaction as well
index=myindex|multikv forceheader=1
| transaction Transaction maxevents=100 mvlist=time
| eval prev_time=strptime(mvindex(time, 0) , "%Y-%m-%d %H:%M:%S")
| eval last_time=strptime(mvindex(time, 1), "%Y-%m-%d %H:%M:%S")
| eval duration = round(last_time - prev_time,1)."seconds"
| table Transaction
using this search is grouping all my 10 events for Transaction abc into single transaction (which is good) however the Prev_time and last_time still not evaluated.
essentially the PREV time should be the earliest timestamp for the transaction and last time should be the most recent one.
to give you example of events.
10 events with Transaction abc. need to compute the time between the 1st and 10th event
10 events with Transaction def. need to compute the time between the 1st and 10th event
... View more
03-11-2020
04:41 PM
I have IIS events which looks like below. looking to compute the total time taken from the splunk timestamp..which in this case is 3 secs..from 07th to :10th seconds
how can i compute this from eval?
2020-03-11 22:29:10 /Logout Transaction:=InpatUPMC_090_Billing_WorklistLoad
2020-03-11 22:29:07 /Login Transaction:=InpatUPMC_090_Billing_WorklistLoad
... View more
- Tags:
- splunk-enterprise
02-05-2020
01:44 PM
I have events which has EST timestamp already and i don't want splunk to do any time conversion.
whats occurring right now is splunk is transforming this to EST again thinking its UTC time.
raw event time- 02/05/2020 02:08:49.074
splunk timestamp - 2/4/20 9:08:49.074 PM
i am looking to have no transformation applied and keep the raw event time as the timestamp
... View more
11-18-2019
10:44 AM
I have an event that prints the actual time which Splunk metadata has, but instead, I want to use the other timestamp.
Splunk time shows 8/15/18
2:12:44.000 PM which it extracts from the Verbose line but I am interested to use the ZZZ-20190802-13:18:06-0000000001-3820-0 so that my Splunk time is based on ZZZ field
VERBOSE abc 08/15/18 18:12:44 xyz
DETAILS abc123 0.594s abc: 0.336s :abc: 0.001s ZZZ-20190802-13:18:06-0000000001-3820-0
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-03-2024
09:00 PM
|
