Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- About gouravdashtcs
gouravdashtcs
Loves-to-Learn
Member since:
04-01-2017
12-21-2023
Community Statistics
| Posts | 12 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 04-01-2017 |
Activity Feed
- Posted Re: How to find the duration between two EventCode for Windows Log. on Splunk Search. 06-14-2019 09:27 AM
- Posted Re: Creating a Chart that shows count of Reported ticket and Resolved ticket by week on Splunk Search. 05-09-2019 03:51 AM
- Posted Re: run script on remote machine on Splunk Search. 05-09-2019 12:51 AM
- Posted Re: Creating a Chart that shows count of Reported ticket and Resolved ticket by week on Splunk Search. 05-09-2019 12:33 AM
- Posted Re: How to find the duration between two EventCode for Windows Log. on Splunk Search. 05-08-2019 04:04 AM
- Posted Re: extract part of path that may or may not contain space on Splunk Search. 05-07-2019 04:13 AM
- Posted How to find the duration between two EventCode for Windows Log. on Splunk Search. 05-07-2019 03:46 AM
- Tagged How to find the duration between two EventCode for Windows Log. on Splunk Search. 05-07-2019 03:46 AM
- Tagged How to find the duration between two EventCode for Windows Log. on Splunk Search. 05-07-2019 03:46 AM
- Posted Re: COALESCE command on Splunk Search. 02-13-2019 07:26 AM
- Posted Re: Why does the stats function remove my fields and what Splunk solutions can I use for the following order: 1st do lastest(_time) -> then do sum(on the result of latest) on Splunk Search. 01-23-2019 05:03 AM
- Posted Re: in timechart, how do you display average by field, but also show a total average on Splunk Search. 04-01-2017 11:53 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 |
06-14-2019
09:27 AM
Hello @adonio
Kindly tell me some other ways to reach the conslusion.... The above example works fine but giving me few duplicates due to which the downtime duration is coming as different...
... View more
05-09-2019
03:51 AM
Hello Synastraa,
Apologies for the type which I have done in my query.
index=*
|dedup Incident_Number
|table Last_Resolved_Date Incident_Number
|eval week_no=strftime(Last_Resolved_Date, "%W")
|stats earliest(Last_Resolved_Date) as first_week_date, latest(Last_Resolved_Date) as last_week_date by week_no
|convert timeformat="%d-%m-%Y" ctime(first_week_date) ctime(last_week_date)
|eval Week = first_week_date. " To " .last_week_date
|stats count(Incident_Number) as INC_Count by Week
This might fetch you results.
Also for the heads up, the format of the Last_Resolved_Date which you getting is known as Epoch date which is also known as unix timeformat. It is always recommended to use unix time for any operations if we want to do any operations with Time in Splunk.
... View more
05-09-2019
12:51 AM
Hello Arun,
I assume the local machine which you are referring to is having Splunk Enterprise installed in it and the remote machine which you are referring to is having Splunk Universal forwarder installed in it. And the connection of Splunk UF is properly made to local machine in which Splunk ES is installed.
In this case you can keep the script in $SPLUNK_HOME/ets/apps/,app_name/bin/
Then go to Settings --> Data Inputs --> Scripts (Add New), then follow the steps which will be prompted/asked to you.
In this way you will be able to fetch the data using scripted input from any machine in which UF is installed.
Hope this helps. Please let me know for any further clarifications.
... View more
05-09-2019
12:33 AM
Hello Synastraa,
Kindly find the code which I have prepared for you for Last_Resolved_Date for INC's.
host=abc
|table Last_Resolved_Date, INC
|eval week_no=strftime(Last_Resolved_Date, "%W")
|stats earliest(Last_Resolved_Date) as first_week_date, latest(Last_Resolved_Date) as last_week_date by week_no
|convert timeformat="%d-%m-%Y" ctime(first_week_date) ctime(last_week_date)
|eval Week = first_time. " To " .last_time
|stats count(INC) as INC_Count by Week
The same thing you can do for Reported_Date as well.
Hope this helps.
... View more
05-08-2019
04:04 AM
Perfect... Works for me.
It would also be great if you could let me know about the other options to achieve the result. It surely will enhance my knowledge.
... View more
05-07-2019
04:13 AM
Hello Sarit,
Kindly find the modified rex query for your reference.
rex field = source \/splunk\/\w+\/\w+\/\w+\/\w+\s+\w+\/(?\w+)
... View more
05-07-2019
03:46 AM
Hello Everyone,
I want to calculate the downtime for a particular server based on the difference between two EventCode which are Windows Event Logs.
Description of EventCode Below:
EventCode 1074: This EventCode is generated when the user tries to shutdown the server remotely.
EventCode 6013: This EventCode is generated when the server starts after successful reboot. Also this EventCode is generated on a daily basis at 12 AM which calculates the Server uptime in seconds.
Below is the sample sequence in which the log is pushed to splunk.
Scenario 1:
Sl No. Time EventCode
1 5/7/19 0:00 6013
2 5/7/19 10:05 6013
3 5/7/19 10:00 1074
4 5/7/19 0:00 6013
5 5/6/19 0:00 6013
6 5/5/19 0:00 6013
In the above case the user tried to reboot the server remotely which generated 1074 EventCode and after 5mins the server rebooted properly and EventCode 6013 generated. So using the transaction command we can find the duration of the downtime easily in this case.
Scenario 2:
Sl No. Time EventCode
1 5/7/19 0:00 6013
2 5/7/19 10:05 6013
3 5/7/19 10:00 1074
4 5/7/19 9:00 1074
5 5/7/19 0:00 6013
6 5/6/19 0:00 6013
7 5/5/19 0:00 6013
In this case user tried to reboot the server remotely at 9AM, but it didn't happen properly so user again tried to reboot the server at 10 AM. So in this case EventCode 1074 occured 2 times.
When I'm using the transaction commant in this case. It is grouping Sl No 4 and Sl No 2 AND it is also grouping Sl No 3 and Sl No 1, which should not be the case.
My requirement is it should take the first occurrence of EventCode 1074 and after that first occurrence of EventCode 6013 to calculate the proper downtime.. In the above case it should be Sl No 4 and Sl No 2.
Please fine the query I'm using for your reference:
index =abc sourcetype="WinEventLog:System"
|transaction host startswith="1074" endswith="6013"
|eval DurationMin = round(duration/60,2)
|stats list(_time) as Date list(DurationMin) as Dur_Min by host, DurationMin
|stats sum(DurationMin) as Total_Downtime_Duration_Min list(Date) as Downtime_Date list(Dur_Min) as Downtime_Min by host
|convert timeformat="%Y-%b-%d" ctime(Downtime_Date)
|rename host as Server_Name
|table Server_Name, Downtime_Date, Downtime_Min, Total_Downtime_Duration_Min
Appreciate your patience and response.
... View more
02-13-2019
07:26 AM
Hello Jip31,
Coalesce command is used to combine two or different fields from different or same sourcetype to perform further action.
Kindly try to modify the above SPL and try to run.
| eval 'Gen_OpCode'=coalesce('Boot_Degradation','Détérioration du démarrage','Información del arranque','Startbeeinträchtigung')
|table Gen_OpCode
... View more
01-23-2019
05:03 AM
Hello,
Kindly include all the field names which are required with the help of fields command. After that use the stats command.
Kindly note using stats command will mask the field which you are using for aggregation. If you want to retain your aggregated field, instead use eventstats command.
eg.
| fields x, y, z
| stats latest(_time) by A
... View more
04-01-2017
11:53 AM
Try the below code, hope it would work.
..|stats avg(eventDuration) as TotalDuration |timechart TotalDuration over avg(eventDuration) by project
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
12-21-2023
04:46 AM
|
