Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About ismarslomic
ismarslomic
Path Finder
Member since:
04-01-2015
06-05-2020
Community Statistics
| Posts | 17 |
| Solutions | 0 |
| Karma Given | 14 |
| Karma Received | 4 |
| Member Since | 04-01-2015 |
Activity Feed
- Karma Re: Creating predefined timerange for service period for niketn. 06-05-2020 12:48 AM
- Karma Re: Joining fields from three different indexes and sourcetypes for Richfez. 06-05-2020 12:48 AM
- Karma Re: Joining fields from three different indexes and sourcetypes for Richfez. 06-05-2020 12:48 AM
- Got Karma for Joining fields from three different indexes and sourcetypes. 06-05-2020 12:48 AM
- Got Karma for Joining fields from three different indexes and sourcetypes. 06-05-2020 12:48 AM
- Got Karma for Joining fields from three different indexes and sourcetypes. 06-05-2020 12:48 AM
- Got Karma for Re: Joining fields from three different indexes and sourcetypes. 06-05-2020 12:48 AM
- Karma Re: How to display earliest and latest dates of searches in a dashboard and PDF report? for gabriel_vasseur. 06-05-2020 12:47 AM
- Karma How to custom format a time token to be rendered in a label? for nl65. 06-05-2020 12:47 AM
- Karma Re: How to add a horizontal threshold line overlay in column chart? for martin_mueller. 06-05-2020 12:47 AM
- Karma Re: Simple XML Dashboard Examples: How to add a new icon to inline rangemap for MuS. 06-05-2020 12:47 AM
- Karma Re: How to Update Splunk after JavaScript Changes without Restarting Splunk for alacercogitatus. 06-05-2020 12:47 AM
- Karma Re: Can you reference a token value inside a token eval tag? for aljohnson_splun. 06-05-2020 12:47 AM
- Karma Re: Changed XML not updating without restart for sideview. 06-05-2020 12:46 AM
- Karma Can I tag time as scheduled maintenance to exclude events from searches? for jkeglovitz. 06-05-2020 12:46 AM
- Karma Re: How to compare fields over multiple sourcetypes without 'join', 'append' or use of subsearches? for MuS. 06-05-2020 12:46 AM
- Karma Re: How to compare fields over multiple sourcetypes without 'join', 'append' or use of subsearches? for wrangler2x. 06-05-2020 12:46 AM
- Karma Re: Joining multiple events via a common field. for Ayn. 06-05-2020 12:46 AM
- Posted Re: Joining fields from three different indexes and sourcetypes on Splunk Search. 04-16-2017 08:22 AM
- Posted Re: How to compare fields over multiple sourcetypes without 'join', 'append' or use of subsearches? on Splunk Search. 04-15-2017 12:54 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 3 | |||
| 0 | |||
| 0 |
04-16-2017
08:22 AM
@rich7177 or @DalJeanis: would you be able to support me finalising the last search? I hope that updates I have done in my question is giving you more insight into the complexity and events?
... View more
04-15-2017
12:54 AM
@Mus thanks for very useful answer! To avoid messing up this thread I have created new Question which is highly related to this one and is about extending to three searches: https://answers.splunk.com/answers/521078/joining-fields-from-three-different-indexes-and-so.html
I would appreciate your help!
... View more
04-14-2017
12:50 PM
Example events added for Search 1 and 2. Search 3 events are very simple, like
all 8.36 0.00 5.40 0.00 86.24
Hope this helps. Im still working with including the third search into query mentioned in "What I have tried so far", with addition of corr_id for grouping. Still no luck.
... View more
04-14-2017
09:23 AM
Thanks, @DalJeanis. I have tried to execute line 1 - 3 + 8 like this:
(index="website_monitoring" sourcetype="url_check") title="wiki-via-bfrm-lbs" | table _time total_time time_namelookup corr_id | sort -_time
| appendpipe [ | map maxsearches=0 search="index=confluence_prod sourcetype=confluence:app:access corr_id=1492068301527265031 | table corr_id requesttime_in_ms"]
| stats values(*) as * by _time corr_id
But column requesttime_in_ms is missing in output. To avoid too much complexity, I have removed completely usage of custom macros in query above.
... View more
04-14-2017
08:36 AM
1 Karma
Hehe, I was wondering about the same. But it is already explained by original author of the search query in Answer: https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-join-append-or-use-of-subsearches.html (see question from @wrangler2x)
... View more
04-14-2017
08:33 AM
Thanks, @rich7177! Group by corr_id helped! Now I get the results Im expecting for Search 1 and 2. Need to extend it for Search 3. Will post updated solution when done so others can reuse it as well.
... View more
04-14-2017
03:49 AM
3 Karma
I have three searches that I want to merge into one single table as search output. I will try to explain my case through three individual searches:
Search 1 (base search)
(index="website_monitoring" sourcetype="url_check") title="wiki-via-bfrm-lbs" `filter_service_period_hours` total_time > `response_time_threshold` | table _time total_time time_namelookup corr_id | sort -_time
Output fields:
- _time
- total_time
- time_namelookup
- corr_id
Example event:
2017-04-13T10:06:03+0000 title="wiki-via-bfrm-lbs" corr_id=1492077961074495474 response_code=200 expected_content=True total_time=2604.000 time_redirect=0 time_appconnect=0 time_connect=2515.000 time_namelookup=2513.000 time_pretransfer=2515.000 time_starttransfer=2573.000 request_time=2604.000 timed_out=False content_size=55914 url_effective=http://mydomain.com/wiki/pages/viewpage.action?pageId=65538&corr_id=1492077961074495474&script=wiki-via-bfrm-lbs url=http://mydomain.com/wiki/pages/viewpage.action?pageId=65538 content="Let's edit this page (step 3 of 9) - Demonstration Space "
Search 2 (additional fields based on base search)
index=confluence_prod sourcetype="confluence:app:access" corr_id=1492068301527265031 | table requesttime_in_ms
Correlation fields
- field corr_id is present in Search 1 and Search 2. Value 1492068301527265031 is ment to be retrieved from Search 1
Output fields
- requesttime_in_ms
Example events
[2017-04-13T10:06:03+0000] ip=172.0.0.1 user=TestUser http_method=GET url=“/wiki/pages/viewpage.action?pageId=65538&corr_id=1492077961074495474&script=wiki-via-bfrm-lbs" protocol_version=HTTP/1.1 http_status_code=200 responsesize_bytes=55977 requesttime_in_ms=2176 referer="-" user_agent="curl/7.29.0"
Search 3 (additional fields based on base search)
index="os" sourcetype="cpu" host="aca-db*" cpu="all" earliest="04/13/2017:10:06:00" latest="04/13/2017:10:06:59" | eval total_usage=(100-pctIdle) | stats avg(total_usage) as cpu_usage
Correlation fields
- fields earliest and latest in Search 2 shall be equal to earliest and latest in Search 1.
Output fields
- cpu_usage
Desired search output (merged)
_time (from Search 1)
total_time (from Search 1)
time_namelookup (from Search 1)
requesttime_in_ms (from Search 2)
cpu_usage (from Search 3)
What I have tried so far
I have been reading different answers and Splunk doc about append , join , multisearch . I wanted to give a try solution described in the answer: https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-join-append-or-use-of-subsearches.html, but so far I have not succeeded for all three searches.
Search (merging output from Search 1, Search 2 and Search 3)
(index="website_monitoring" sourcetype="url_check" title="wiki-via-bfrm-lbs" total_time > `response_time_threshold`)
OR (index="confluence_prod" sourcetype="confluence:app:access") `filter_service_period_hours`
OR (index="os" sourcetype="cpu" host="aca-db*" cpu="all" earliest="04/13/2017:12:05:05" latest="04/13/2017:12:07:05")
| eval corr_id-{index}=corr_id
| eval Time=strftime(_time, "%F %T")
| eval total_usage=(100-pctIdle)
| stats values(corr_id-*) AS * values(total_time) as "Response time Monitoring" values(requesttime_in_ms) as "Response time App" values(time_namelookup) as "DNS lookup" avg(total_usage) as cpu_usage by corr_id Time
| mvexpand website_monitoring
| mvexpand confluence_prod
| where website_monitoring=confluence_prod
| fields - website_monitoring,confluence_prod
Output
Output shows correct values for fields
- _time (from Search 1)
- total_time (from Search 1)
- time_namelookup (from Search 1)
- requesttime_in_ms (from Search 2)
but for cpu_usage (from Search 3) I dont get any value in output.
I would really appreciate tips/hints on how to fulfil desired search output.
... View more
01-08-2017
04:36 AM
Important information about date_* (default datetime fields) is that only events which contains timestamp, generated from their systems, will get these default fields. See more at https://docs.splunk.com/Documentation/Splunk/6.5.1/Knowledge/Usedefaultfields
... View more
01-08-2017
01:14 AM
Thanks, @niketnilay!
But I will reuse exactly this time range filter in different search combinations. Would it be possible to extend the "Presets" list of Time range dropdown list so I can just apply this filter on different search combinations?
... View more
01-07-2017
12:56 AM
Is it possible to define named (relative) time ranges (with use of macros or other teqniques) for service hours (07:00-18:00 monday-friday) and calculation period (first day in a month to last in a month) so I can easily change between current and previous calculation periods in dashboards/panels/stat charts?
Scenario 1
Default should be to select current calculation period, which is from first day in this month (01.01.2016) to current date 07.01.2016, and only filter service hours.
Scenario 2
Then I can just pick previous month and year, let say December 2016 and filters on service hours for that month and year.
Disclamer!
Im quite new to Splunk, so please excuse any missusing of commom terms and techniques, and feel free to correct me!
... View more
04-01-2015
02:26 PM
I cant accept that comment as answer.. It seems like i need to move it to Reply, but I dont have access to do it
... View more
04-01-2015
02:17 PM
Sorry, but it still doesnt work. However, reply from @aljohnson_splunk solved the problem. Thanks to both of you!
... View more
04-01-2015
02:16 PM
Thanks, this works and solves my need!
... View more
04-01-2015
02:11 PM
No, still same error message.
... View more
04-01-2015
02:09 PM
No. Please see screenshot http://tinypic.com/r/35i2afs/8
... View more
04-01-2015
02:01 PM
When I copy/paste ^(?[^;]+);(?[^;]+);(?w+;\w+;\d);(?.+) in the input field "Regular expression pattern" I get error message
Invalid regex: syntax error
and
Regex does not extract any named fields.
... View more
04-01-2015
01:37 PM
I have the following log statement, which uses semicolon delimiter and where i want to extract columns as specific fields with use of Regex in IFX.
[1427894078] SERVICE ALERT: example.com ;Current Load;CRITICAL;SOFT;3;CRITICAL - load average: 1.96, 1.29, 0.59
However, I'm not so good at Regex so would need help to create 4 separate regular expressions (will be saved as 4 different fields) which returns following results:
[1427894078] SERVICE ALERT: example.com
Current Load
CRITICAL;SOFT;3
CRITICAL - load average: 1.96, 1.29, 0.59
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
Karma given to
