Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About Deprasad
Deprasad
Path Finder
Member since:
01-02-2020
10-16-2024
Community Statistics
| Posts | 32 |
| Solutions | 2 |
| Karma Given | 6 |
| Karma Received | 3 |
| Member Since | 01-02-2020 |
Activity Feed
- Posted Extract fields with specific value where multiple combination of "value" exists for same "Key" on Splunk Search. 10-16-2024 10:47 AM
- Posted Extract events where same key-value pair exist more than 1 time on Splunk Search. 10-16-2024 10:39 AM
- Posted Re: Splunk query to skip alphanumeric string on Splunk Search. 03-13-2024 06:48 AM
- Posted Re: Splunk query to skip alphanumeric string on Splunk Search. 03-13-2024 04:49 AM
- Posted Splunk query to skip alphanumeric string on Splunk Search. 03-13-2024 02:30 AM
- Got Karma for Re: Drilldown - change in input not refreshing the content in child panel. 07-13-2023 10:27 AM
- Posted Re: Drilldown - change in input not refreshing the content in child panel on Dashboards & Visualizations. 07-13-2023 10:15 AM
- Karma Re: Drilldown - change in input not refreshing the content in child panel for richgalloway. 07-13-2023 10:15 AM
- Posted Re: Drilldown - change in input not refreshing the content in child panel on Dashboards & Visualizations. 07-13-2023 07:03 AM
- Posted Drilldown - change in input not refreshing the content in child panel on Dashboards & Visualizations. 07-12-2023 10:52 AM
- Posted Re: Joining two queries not giving the desired result on Splunk Search. 07-07-2023 03:34 AM
- Karma Re: Joining two queries not giving the desired result for ITWhisperer. 07-07-2023 03:34 AM
- Tagged Re: Joining two queries not giving the desired result on Splunk Search. 07-07-2023 03:34 AM
- Posted Re: Joining two queries not giving the desired result on Splunk Search. 07-06-2023 09:39 AM
- Posted Re: Joining two queries not giving the desired result on Splunk Search. 07-06-2023 09:33 AM
- Posted Re: Joining two queries not giving the desired result on Splunk Search. 07-06-2023 06:29 AM
- Posted Re: Joining two queries not giving the desired result on Splunk Search. 07-06-2023 05:53 AM
- Posted Joining two queries not giving the desired result on Splunk Search. 07-06-2023 04:06 AM
- Posted What cron expression should I use to set up alert? on Other Usage. 05-02-2023 02:03 AM
- Posted Using Drilldown feature: How to define different queries for different rows based on selection? on Dashboards & Visualizations. 10-07-2022 12:26 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 |
10-16-2024
10:47 AM
I've the below event, where I need to display only event which has action=test and category=testdata.
test
{
line1: 1
"action": "test",
"category": "testdata",
}
test1
{
line1: 1
"action": "event",
"category": "testdata",
}
test2
{
line1: 1
"action": "test",
"category": "duplicate_data",
}
... View more
Labels
- Labels:
-
field extraction
-
regex
-
table
10-16-2024
10:39 AM
I've an event looks like below. The Key value pair of "test:22345" exists more than 1 time and I need only this events in the output as table or count of events.
{"test":"22345","testType":"model"},{"test":"22345","testType":"model1"},{"test":"22345","testType":"model2"}
... View more
03-13-2024
06:48 AM
Yes, I've hyphens and a full stop on the hostname that needs to be considered. So far identified those 4 patterns and that should be it.
... View more
03-13-2024
04:49 AM
Thanks a lot! This regex works for the given example. I've another pattern like this "address":"http://test-query-service.xxx-xxx.xxx.xxx.com/services/user/v1/deleteUser/342ad-123m4-r43rm-144dgdg" for which I'm trying to implement the regex you've given by modifying slightly but couldn't achieve the same result. Can you please help here? Also can you please break down the regex for my better understanding.
... View more
03-13-2024
02:30 AM
I've below 3 different types of API logs where I've to treat all 3 as same and get the count of the API. There are multiple versions of same API along with or without user guid which is a unique value. "address":"http://test/services/user/v1/deleteUser/342ad-123m4-r43rm-144dgdg "address":"http://test/services/user/v2/deleteUser/delete/342ad-123m4-r43rm-144dgdg "address":"http://test/services/user/v2/deleteUser Looing for a regex which reads the API until the alphanumeric string starts. In short , if I do stats count by API it should give the count as 3.
... View more
07-13-2023
10:15 AM
1 Karma
Thanks a lot! This works.
... View more
07-13-2023
07:03 AM
Can you please elaborate a bit more, if possible with XML.
... View more
07-12-2023
10:52 AM
I've a dashboard built with 3 panels with Panel 1 populate the date with loading at first time. Second panel will take input from 1st panel using drilldown and populate the data. Similarly, Third panel will take input from 2nd panel using drilldown and populate the data. Now if I click on different value from Panel 1, Panel 2 recognize that and it will refresh the result based on the input from Panel 1 but Panel 3 will remain display the result based on the previous input from Panel 2. Is there a way to overcome this issue like as soon as input for panel 2 changes, the panel 3 should disappear or it should change to " Search is waiting for input..."
... View more
07-07-2023
03:34 AM
Still the same format issue, where getting few rows of test request and then testresponse which has the logouttime as the last row. Interestingly I'm getting the desired result for below query with just adding the Join type as Left. It seems splunk takes Join type as Inner by default which gives results if there is a match between search and subsearch. index = test "testrequest" | rex "(?:.+email\=)(?<Email>[a-zA-Z0-9_\-\@\.]+)" | rex "(?:.+trasactionId\=)(?<TransactionID>[a-zA-Z0-9-]+)" | rex "(?:.+TransactionTime\=)(?<LoginTime>[a-zA-Z0-9\s:]+EDT)" | rex "(?:.+Status\=)(?<Status>\w+)" | rex "(?:.+TimeTaken\=)(?<TimeTaken1>\d+)" | eval TimeTaken=TimeTaken1/1000 | rex "(?:.+\+\+)(?<SessionID>[a-zA-Z0-9-_:@.]+)(?:\:Status)" | rex "(?:.+FailureReason\=)(?<FailureReason>[\w\s]+)" | table Email,TransactionID,LoginTime,Status,TimeTaken,SessionID | join type=left SessionID [search index = test "testresponse" | rex "(?:.+TransactionTime\=)(?<LogoutTime>[a-zA-Z0-9\s:]+EDT)" | rex "(?:.+SessionId\=)(?<SessionID>[a-zA-Z0-9-_:@.]+)(?:\:Status)" | table SessionID,LogoutTime ] | table Email,TransactionID,LoginTime,TimeTaken,SessionID,LogoutTime,Status,FailureReason Thanks for the wonderful conversation and help that led to this excellent learning.
... View more
- Tags:
- uest
07-06-2023
09:39 AM
The below query also works but its grouping the email,transactionid,logintime filed together in ascending order w.r.t the session ID causing mismatch between email,transactionid,logintime. index = test "testrequest" | rex "(?:.+email\=)(?<Email>[a-zA-Z0-9_\-\@\.]+)" | rex "(?:.+trasactionId\=)(?<TransactionID>[a-zA-Z0-9-]+)" | rex "(?:.+TransactionTime\=)(?<LoginTime>[a-zA-Z0-9\s:]+EDT)" | rex "(?:.+Status\=)(?<Status>\w+)" | rex "(?:.+TimeTaken\=)(?<TimeTaken1>\d+)" | rex "(?:.+\+\+)(?<SessionID>[a-zA-Z0-9-_:@.]+)(?:\:Status)" | table Email,TransactionID,LoginTime,Status,TimeTaken,SessionID | append [search index = test "testresponse" | rex "(?:.+TransactionTime\=)(?<LogoutTime>[a-zA-Z0-9\s:]+EDT)" | rex "(?:.+SessionId\=)(?<SessionID>[a-zA-Z0-9-_:@.]+)(?:\:Status)" | table SessionID,LogoutTime] | stats values(*) as * by SessionID | table Email,TransactionID,LoginTime,TimeTaken,SessionID,LogoutTime,Status
... View more
07-06-2023
09:33 AM
The Query works but some formatting is needed. For the test request I've multiple rows(Ex: multiple loginTime) and Test response will be only one(Ex: single logoutTime). So the output is coming like first few rows for request and the followed by response as last row. I need the output like something similar below: Email | transactionID | logintime | status | timetaken | sessionID | LogoutTime xxx xxxxxxxxxxx 02:10:00 xxxxx xxxxxxxx xxxxxxxxx 02:45:15 yyy yyyyyyyyyyy 02:15:15 yyyyy yyyyyyyy xxxxxxxxx 02:45:15 zzz zzzzzzzzzzz 02:25:15 zzzzz zzzzzzzz xxxxxxxxx 02:45:15 Test request event: Test request:email=xxxx:trasactionId=xxx-xxx-xxx-xxx-xxx:RequestType=dummy:TimeTaken=16209,TransactionTime=02:10:00:SessionId=xxxxxxx:Status=SUCCESS Test response event: Test response:email=yyyyyy:trasactionId=yyyyy-yyyyy-yyyy-yyyy-yyyyy:TimeTaken=381:TransactionTime=02:45:15: SessionId=xxxxxxx:Status=SUCCESS
... View more
07-06-2023
06:29 AM
The transaction ID is different for both the events, only common filed is "SessionID". there are few other fields which are common in name but has different values. The logic is, Single SessionID will have 'n' no of Email,TransactionID,LoginTime but only have one LogoutTime in a different event.
... View more
07-06-2023
05:53 AM
I'm still not getting the LogoutTime. Also please note that the field from first query such as Email, TransactionID, LoginTime will have multiple values. PFA.
... View more
07-06-2023
04:06 AM
I have 2 queries and joining it with "Join" using the common field "SessionID". With the below query I'm just getting the results if there are results from both the search. If there is no result for either the parent search or the sub search the result is not getting printed. For example if there is no LogoutTime available from the sub search, the results of parent search is not getting printed and. Is there any way to achieve the desired result. index = test "testrequest" | rex "(?:.+email\=)(?<Email>[a-zA-Z0-9_\-\@\.]+)" | rex "(?:.+trasactionId\=)(?<TransactionID>[a-zA-Z0-9-]+)" | rex "(?:.+TransactionTime\=)(?<LoginTime>[a-zA-Z0-9\s:]+EDT)" | rex "(?:.+Status\=)(?<Status>\w+)" | rex "(?:.+TimeTaken\=)(?<TimeTaken>\d+)" | rex "(?:.+\+\+)(?<SessionID>[a-zA-Z0-9-_:@.]+)(?:\:Status)" | table Email,TransactionID,LoginTime,Status,TimeTaken,SessionID | join SessionID [search index = test "testrespone" | rex "(?:.+TransactionTime\=)(?<LogoutTime>[a-zA-Z0-9\s:]+EDT)" | rex "(?:.+SessionId\=)(?<SessionID>[a-zA-Z0-9-_:@.]+)(?:\:Status)" | table SessionID,LogoutTime] | table Email,TransactionID,LoginTime,Status,TimeTaken,SessionID,LogoutTime
... View more
05-02-2023
02:03 AM
What is the equivalent Splunk Cron expression for the below Cron. 0 0 0 ? * 7#1 * An alert needs to be configured for every month 1st Saturday at 00:05 AM.
... View more
Labels
- Labels:
-
alert condition
-
cron
10-07-2022
12:26 AM
I have a query which displays top 10 consumed sourcetype. I would like to enable drilldown to achieve the below task.
When user clicks on a particular row, it should open a new tab and a new query should get executed for each row.
Right now, I have enabled Drilldown ->On Click-> Link to Search->Custom->Search String->Apply. In this way I can have the same query gets executed on selection of any rows. But I would like to define different queries for different rows based on the selection. Is this possible with Drilldown?
... View more
- Tags:
- drilldown
Labels
08-30-2022
07:19 AM
1 Karma
Thanks for this query @richgalloway ! It worked. Further I added the below piece of query to get the percentage. | eval Error_Percentage=round(100*count/Total_Transaction,2)."%" | table Error_Message,count, Error_Percentage
... View more
08-30-2022
05:30 AM
I've 2 queries, 1 will give the the total no of events and the other will give the counts by error type. I'm trying to join the two queries so that I can get the percentage of each error type. Query 1: index=app "ResponseLoggingFilter" "Operation" | stats count as Total_Transaction Query 2: index=app "ResponseLoggingFilter" "Operation" NOT "OK" NOT "1041" | rex "(?:.+message\"\:\")(?<Error_Message>.+)(?:\"\,)" | stats count by Error_Message
... View more
Labels
- Labels:
-
monitoring console
06-09-2021
07:35 AM
1 Karma
I would like to have my dashboard delivered in CSV format rater than PDF. Is it possible in Splunk? I have a total of 90 panels so can't rely on Reports. Please clarify
... View more
Labels
- Labels:
-
drilldown
-
table
-
trellis layout
01-08-2021
03:20 AM
Thanks!! The payload you used in the regex101 is not same as the provided. Though it worked in Regex101, still faced the same issue with Splunk. Tried the solution suggested by @ITWhisperer and it worked.
... View more
01-08-2021
01:15 AM
Trying to Pick domainType and domainName from below log using the below regex: It works in regex101 but not in Splunk, it gives a blank column. domainName - rex"(?:domainName\\\"\:\\\")(?<domainName>([a-zA-Z0-9-\.]+))" domainType - rex"(?:domainType\\\"\:\\\")(?<domainType>\w)" "payload":"{\"domainType\":\"L\",\"modifiedBy\":\"\",\"relayHost\":\"\",\"rewriteDomain\":\"\",\"wildcardAccount\":\"\",\"domainName\":\"xxx.yyyyy.com\"}"},"encoding":null,"contentType":"application/json","responseCode":null}
... View more
Labels
- Labels:
-
table
02-17-2020
11:58 PM
strptime(Date, "%m/%d") gave a blank result for Date. Gone through Splunk documentation and found for epoch time conversion the command is strftime(x,y).
Thanks for the help..!!
... View more
02-17-2020
05:52 AM
Thanks..! This is working, however the date field is in epoch format.
... View more
02-17-2020
05:05 AM
I have a query which extracts counts for last 30 days. But the dates are not in proper order in result.
index = *** "search phrase" | stats count by date_mday | rename date_mday as Date
If i make a search today for last 30 days, the result should be in the below order .
01/18, 19, 20 .......... 02/16,02/17.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
10-16-2024
04:07 PM
|
