About pjtbasu

pjtbasu · ‎08-11-2021

No they don't. Those are absolutely randomized 2000+ end points. I've previously tried to create regex value but then I've to tackle case by case, which won't be possible for 2000+ possible endpoints. So I had to abandon that. That is the reason I created a lookup from a different source. Now in all cases *uri* == endpoint, but still not sure how to achieve that. I was trying match_type in lookup definition. But could not make it to work

pjtbasu · ‎08-10-2021

Works fine. Thanks for the help

kamlesh_vaghela · ‎06-29-2021

@pjtbasu if you pass value from main search to map command it will enclosed it with double quote( as it is consider as value) and pass it. So if your search is like index=_internal eventtype=splunkd-access map will consider like search "index=_internal eventtype=splunkd-access" In this situation you will get 0 count always. So I'm suggesting one trick to achieve this. Create Execute_Search in savedsearches.conf. [Execute_Search] search = $q$ | stats count as Count | eval Name="$name$" | table Name Count and use this savedsearch with map command. |inputlookup YOUR_LOOKUP | table Name,Value | map search="| savedsearch Execute_Search q=$Value$ name=$Name$" My Sample Search : | makeresults | eval _raw="Name,Value Query1,index=_internal eventtype=splunkd-access Query2,index=_internal eventtype=splunkd-log Query3,index=_internal sourcetype=splunkd " | multikv forceheader=1 | table Name,Value | map search="| savedsearch Execute_Search q=$Value$ name=$Name$" Thanks KV ▄︻̷̿┻̿═━一 If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

kamlesh_vaghela · ‎06-23-2021

@pjtbasu Can you please try this? YOUR_SEARCH | stats sum(eval(if(like(httpresponse,"2%"),1,0))) as TRANSACTIONS_SUCCESS, sum(eval(if(!like(httpresponse,"2%"),1,0))) as TRANSACTIONS_FAILURE by service Thanks KV ▄︻̷̿┻̿═━一 If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

thambisetty · ‎09-13-2020

https://www.youtube.com/watch?v=LoiyiCVGLnw

pjtbasu · ‎06-30-2020

Hi Team, I want to effectively monitor a system with 100+ URI. So far, approach was to monitor server error by tracking 500 status codes or 5XX status codes (https status codes along with URI gets printed in splunk logs nicely!) Now in recent past, saw problem related with - 1. issue came up with 401 or 403 status codes, it may seem too easy just to add 4xx status codes to be monitored but with so many URI it's tedious. 2. Some URI, traffic even didn't generated, so no question of it coming up in 5XX monitoring as traffic itself was 0. I know a possible solution is to use a lookup file and fillnull URI but in my approach of 5XX monitoring , I didn't use lookup file. I'm doing a blanket search in all logs and then doing stats by URI and throwing alert if 5XX count percentage is more than 20%. The reason for not using URI lookup file is these URIs keep changing every week and I wanted a robust solution which would work without manual update. So please suggest a way to effectively monitor this situation. I wanted to know if there are any specific command(like anomaly or something similar) that I can look deep into, which might help.

to4kawa · ‎01-19-2020

full outer join , I haven't know till now. I see. Thanks @niketnilay

jacobpevans · ‎08-01-2019

Greetings @pjtbasu, As you said, you'll want to regex them out. The beginning of the regex replace command for all of them would be | eval URI = replace(URI, . followed by: /account/#####/details = "(/account)/[^/]+(/details)", "\1\2") /public/account/#####/transactions = "(/public/account)/[^/]+(/transactions)", "\1\2") Here's a run-anywhere search for your sample data: | makeresults | eval URI="/account/100123445/details" | append [ | makeresults | eval URI="/public/account/XYZAASWDDSSSS/transactions" ] | eval URI = replace(URI, "(/account)/[^/]+(/details)", "\1\2") | eval URI = replace(URI, "(/public/account)/[^/]+(/transactions)", "\1\2")

valiquet · ‎11-02-2017

timewrap function is quite useful. Like DalJeanis said, it could be resource consuming. index=indexname servicename1 "completed in" | rex field=MSG ".*completed in\s(?[^\s]+)" | dedup sessionid | timechart span=5m perc90(ResponseTime),eval(round(avg(ResponseTime),0)) as avg(ResponseTime),count(ResponseTime) as "Total Volume" limit=0 | timewrap 1d series=exact

cmerriman · ‎09-22-2017

i would probably create a field called successPattern and one called failurePatten based on what you've outlined. I'm not sure if "funcationName status is:0" is from raw events, but let's say you can use that. base search|eval successPattern=if(like(_raw,"%functionName status is:0%"),1,null())|eval failurePattern=if(like(_raw,"%functionname completed with error%"),1,null())|timechart span=1m count(successPattern) as success count(failurePattern) as failures by host|foreach failures* [eval failure_perc<<MATCHSTR>>='<<FIELD>>'/('<<FIELD>>'+'success<<MATCHSTR>>')*100]|fields _time *host1 *host2

Posts	15
Solutions	0
Karma Given	6
Karma Received	0
Member Since	‎09-22-2017

Online Status	Offline
Date Last Visited	‎08-20-2021 10:59 AM

Querying partial match from lookup

Splunk regex help

Count of all query present in lookup file

Regex inside eval is not working

Extracting domain name from URL

Monitoring 100 plus URI by https status codes

Fillnull in outer join

Replace random string in a field

compare past 2 week's data in a single graph with ...

Timechart with success and failure and failure/suc...

Re: Querying partial match from lookup

Re: Splunk regex help

Re: Count of all query present in lookup file

Re: Regex inside eval is not working

Re: Extracting domain name from URL

Monitoring 100 plus URI by https status codes

Re: Fillnull in outer join

Re: Replace random string in a field

Re: compare past 2 week's data in a single graph w...

Re: Timechart with success and failure and failure...