Hi,   I've a lookup that looks like this -  clientid url  abc accounts/*/balance abc accounts/*/name xyz /user/*/details   And I've log like -  app endpoint responsecode ms1 accounts/12345/balance 200 ms2 prod/accounts/98765/name 500 . . ms1 /user/randomuserid/details 403   I want to search with the uri field from lookup, which contains regex and additionally doesn't exactly match with the endpoint field of log (it's like this - *uri*==endpoint).    I am trying to get result like this -  app url clientid  ms1 accounts/*/balance abc  ms1 /user/*/details xyz ms2 accounts/*/name abc   Is it doable via inputlookup? I've around 2500 rows in my lookup file.   ... View more

I've created a lookup file with 2 columns like this, basically a lookup file containing list of search queries.   Name        |       Value Query1     | index=*xyz*  field1="fasdasdasdadasdasd" Query2     | index=*abc*  field2 = "qweqweqweqweqwe" Query3     | index=*pqr*  field3 = "zxzxczxczczx"   I want to get the count of each query using inputlookup and map command, in such a way that it gives 0 result to and not omit the any query if count is 0, like this -   Name        |       Count Query1     | 200 Query2     | 0 Query3     |4500   Could someone help please ? ... View more

Hi Team, I want to effectively monitor a system with 100+ URI. So far, approach was to monitor server error by tracking 500 status codes or 5XX status codes (https status codes along with URI gets printed in splunk logs nicely!) Now in recent past, saw problem related with - 1. issue came up with 401 or 403 status codes, it may seem too easy just to add 4xx status codes to be monitored but with so many URI it's tedious. 2. Some URI, traffic even didn't generated, so no question of it coming up in 5XX monitoring as traffic itself was 0. I know a possible solution is to use a lookup file and fillnull URI but in my approach of 5XX monitoring , I didn't use lookup file. I'm doing a blanket search in all logs and then doing stats by URI and throwing alert if 5XX count percentage is more than 20%. The reason for not using URI lookup file is these URIs keep changing every week and I wanted a robust solution which would work without manual update. So please suggest a way to effectively monitor this situation. I wanted to know if there are any specific command(like anomaly or something similar) that I can look deep into, which might help. ... View more

Hi, I require a table containing count of specific service compared between 2 time ranges. table 1 (time - now) servicename | count aaa 2 bbb 3 ccc 4 table 2 (time - previous time with timerange) servicename | count bbb 2 ddd 2 ccc 4 After search expectation - servicename | countnow| oldcount | delta aaa 2 0 2 bbb 3 2 1 ccc 4 4 0 (added just for understanding, not expected in the actual output, as I've added delta!=0 in my query at the end) ddd 0 2 -2 Current output with my query (Outer Join works fine but I can't see the difference value, which is the actual requirement) - aaa 2 (null value is coming, and delta value is coming as null as well) bbb 3 2 1 ccc 4 4 0 (Coming up in search, even though it should not!) ddd 2 0 My query is like this - index=* myquery earliest=-15m latest=now |stats count as CurrentCount by servicename|join type=outer servicename [search index=* myquery earliest=1578492000 latest=1578492900|stats count as OldCount by servicename] |eval DiffValue= CurrentCount - OldCount |table servicename,OldCount,CurrentCount,DiffValue|search Diffvalue!=0 Don't want to change whole lot in the query as the table output is 1000 rows and outer join works fine. Could you please help around difference calculation part and fillnull part? ... View more

Hi team, I've 1 field named - 'URI' coming in micro service log dump. Example Values of URI field is like below - /mobile/login /desktop/login /account/100123445/details /account/100123999/details /public/account/XYZAASWDDSSSS/transactions /public/account/XYZQWERTS/transactions Now I'm just trying to see successful or failure transactions list sorted by the URI. My example query - index=mslogs "successful"|stats count by URI Now the problem is, the result is coming as - URI Count /mobile/login 50 /desktop/login 50 /account/100123445/details 1 /account/100123999/details 1 /public/account/XYZAASWDDSSSS/transactions 1 /public/account/XYZQWERTS/transactions 1 Obviously, I need this to show like - /mobile/login 50 /desktop/login 50 /account//details 2 /public/account//transactions 2 Basically I want to remove the random string part in the 'URI' field. Different URI has different random parts and those random parts are present differently in the URI. I'm willing to write regex to handle all the scenario in URI, but I want to replace them with '*' so that if I do a 'stats' or timechart, single URI. Please suggest. ... View more

Hi, I've a dashboard to measure service performance of pasr week ( Monday-Sunday) and I run it on every Monday. Dashboard has a timepicker to select the dates from Past week's Monday to Sunday. Please find one example query and the output. There's a new requirement to add same metrices(avergae response, p99 response and volume) of past to past week. Goal is to have a comperative data of these 3 metrices between past 2 weeks. Just to mention, I've 50 such service, presentin the dashboard. So it's already taking lots of time. So is it doable without making the query too complex ? index=indexname servicename1 "completed in" | rex field=MSG ".*completed in\s(?[^\s]+)"| dedup sessionid| timechart perc90(ResponseTime),eval(round(avg(ResponseTime),0)) as avg(ResponseTime),count(ResponseTime) as "Total Volume" ... View more

I've two patterns, say like this - "successPattern" and "failurePattern". I want to make a timechart comparing success vs failure and failure percentage, server wise. I've attached the expected output. Here host1, host2 are the servers, available with field name "host" Could someone please help ? ... View more