I've three search in OR for ex  "order success" "order failed" "offer success"  based on the above 3 statement I can perform search but I want to show the result in as pie chart at per hour basis ... View more

This answer does not seem to work on a Splunk 9.x Classic Dashboard. Receiving the error below when attempting to save the answer code in an example dashboard: Error parsing XML on line 37: Extra content at the end of the document ... View more

I tried the same that you have. It seems working as expected. | makeresults | eval _raw="{ \"SCMSplunkLog\" : { \"SCMFailureLog\" : { \"appName\" : \"Testing_splunk_alerts_log\", \"eventType\" : \"Testing_splunk_alerts_log\", \"payload\" : { \"level\" : \"ERROR\", \"startTime\" : \"2022-04-12T13:57:49.156Z\", \"successCount\" : 0, \"failureCount\" : 0, \"publishedCount\" : 0, \"errorCode\" : 0, \"errorDescription\" : \"ERROR: relation \"test.testLand\" does not exist\n Position: 8\", \"sourceCount\" : 0, \"endTime\" : \"2022-04-12T13:57:54.483Z\" } } } }"   ... View more

Hi, did you ever figure this one out? I have the same issue. ... View more

@karthi25 at present I am afraid the answer is no. Since enabling iframe in dashboard exposes insecure content in your dashboard you will have to have corresponding configuration in place which are turned off by default for the obvious reasons! ... View more

REGEX: (?ims)(?<exception>(exception).*\2) But your original REGEX "\(Exception occurred while processing rules for Feed name (?<myField>[^\)]:*)\)\(" what's \( ? your provided log is not with (Exception occurred ... ... View more

Try this: index=d** source=S*** source=u** "Files Succesfully Moved To S3 Bucket" | rename log AS _raw | kv | table APP_NAME,level,message ... View more

I have added opacity and z-index it was working fine. Thanks ... View more

@DMohn Thanks for your reply. Sorry I tried it before, it is not returning anything. My log contains datetime like "2019-03-06 07:31:48 - " before the json. So first we need to extract the json from the mixed log then we need to proceed with spath .Please correct me if am wrong. ... View more

@vnravikumar Thanks..this worked for me. ... View more

@karthi25 Great. Please upvote and accept this answer to close this question. Happy Splunking ... View more

<viz type="horseshoe_meter_app.horseshoe_meter"> <search> <query>index=*** source=*** |spath path=load.appName output=appName|spath path=testLog.payload.sourceCount output=sourceCount|spath path=testLog.payload.publishedCount output=publishedCount |stats sum(sourceCount) as totalSource sum(publishedCount) as totalPublished </query> <earliest></earliest> <latest></latest> <progress> <set token="totalSource">$result.totalSource$</set> </progress> </search> <option name="horseshoe_meter_app.horseshoe_meter.maxValue">$totalSource$</option> <option name="horseshoe_meter_app.horseshoe_meter.minValue">0</option> <option name="horseshoe_meter_app.horseshoe_meter.useRangemap">true</option> <option name="horseshoe_meter_app.horseshoe_meter.valueColor">#555</option> <option name="horseshoe_meter_app.horseshoe_meter.dialColor">#d0d5d9</option> <option name="horseshoe_meter_app.horseshoe_meter.backgroundColor">#FFF</option> <option name="horseshoe_meter_app.horseshoe_meter.thresholdStyle">percentage</option> <option name="horseshoe_meter_app.horseshoe_meter.minRangeColor">#3fc77a</option> <option name="horseshoe_meter_app.horseshoe_meter.midRangeThreshold">55</option> <option name="horseshoe_meter_app.horseshoe_meter.midRangeColor">#fbcd2f</option> <option name="horseshoe_meter_app.horseshoe_meter.maxRangeThreshold">80</option> <option name="horseshoe_meter_app.horseshoe_meter.maxRangeColor">#b44441</option> </viz> ... View more

Can you work with this? index=*** source=*** |spath path=TestSplunkLog.TestSuccessLog.payload ... ... View more

Is there any unique ID to correlate the events, other than just the order of events? This seems like logs for a JOB, so can there be multiple jobs running simultaneously? If there are no unique correlation key and multiple job's logs are overlapping, it would be difficult to achieve what you want. ... View more

Just a hint: Use regex101.com. You can put it in your regex and example data, and any regex that works there (and extracts named capture groups) most likely also works in Splunk. Entering your regex there would've shown you that you're missing the named capture groups, for example. 🙂 ... View more

How about this: base search | rex field=_raw "(?<date>[^ ]+$)" Here's a demo: https://regex101.com/r/Y06SsX/1 This regex is collecting everything between the last space and the end of the line and assigning it to a field called date . ... View more

Then try this: | rex "OPPORTUNITY_JOB:\s+List\s+size:\s+(?<listsize>\d+)[\D|$]" ... View more

Hello! Try this rex field=_raw "sourceTransactionTime\:(?<sourceTransactionTime>[^\\n]+)" ... View more

Hello, I am facing the same problem. I tried all the solutions provided here but i am not able to extract itas needed. Just wanted to know, do these solutions worked for you? ... View more

@karthi25, if you are extracting eventId to filter "event123" from your _raw events then rex field extraction is not required. You can filter directly in your base search using "\"eventid\":\"event123\"" Following is a run anywhere search based on the sample data provided which extracts the payload data | makeresults | eval _raw="2018-03-02T17:02:27.453185+00:00 ESP-Finance-NPE.development.abctestprocessor-dev a36c4e54-dc5a-4d23-afb3-10f1661b19b4[[APP/PROC/WEB/0]]: cf_foundation=*** cf_app_name=*** cf_app_id=a36c4e54-dc5a-4d23-afb3-10f1661b19b4 cf_org_name=**** cf_org_id=*** cf_space_name=development cf_space_id=*** .source.s_cf_apps 2018-03-02 09:02:27.452 ERROR 14 --- [TaskExecutor-82] c.tmobile.finance.service.LoggerService : {\"host_endpoint\":\"\",\"domain\":\"CUSTOMER_FINANCE\",\"component\":\"abctestProcessor\",\"log_type\":\"ERROR\",\"space_name\":\"development\",\"event_source\":\"DEEP_PROXY\",\"api_name\":\"test_abc\",\"api_id\":\"a36c4e54-dc5a-4d23-afb3-10f1661b19b4\",\"message_format\":\"application/json\",\"error_code\":0,\"stack_trace\":\"com.tmobile.deep.abc.exception.FinanceSystemE\"operation_name\":\"testEquipmentSerialNumberUpdateCompleted\",\"testId\":\"testString\",\"msisdn\":\"testString\",\"guid\":\"testString\",\"activityid\":\"testString\",\"api_request\":{\"eventId\":\"event123\",\"sourceId\":null,\"eventType\":\"testEquipmentSerialNumberUpdateCompleted\",\"eventTime\":{\"offset\":{\"totalSeconds\":0,\"id\":\"Z\",\"rules\":{\"fixedOffset\":true,\"transitions\":[],\"transitionRules\":[]}},\"hour\":0,\"minute\":30,\"second\":21,\"nano\":298000000,\"year\":2018,\"month\":\"FEBRUARY\",\"dayOfMonth\":10,\"dayOfWeek\":\"SATURDAY\",\"dayOfYear\":41,\"monthValue\":2},\"eventProducerId\":\"Produce123\",\"eventVersion\":\"testString\",\"specifications\":[{\"name\":\"testString\",\"value\":\"testString\"}],\"auditInfo\":{\"customerId\":\"testString\",\"accountNumber\":\"testString\",\"universalLineId\":\"testString\",\"lineId\":\"testString\",\"phoneNumber\":\"testString\",\"iamUniqueId\":\"testString\",\"batchId\":\"testString\",\"orderId\":\"testString\"},\"headerReference\":{\"activityId\":\"testString\",\"applicationId\":\"testString\",\"applicationUserId\":\"testString\",\"authCustomerId\":\"testString\",\"authFinancialAccountId\":\"testString\",\"authLineOfServiceId\":\"testString\",\"channelId\":\"testString\",\"dealerCode\":\"testString\",\"interactionId\":\"testString\",\"masterDealerCode\":\"testString\",\"segmentationId\":\"testString\",\"senderId\":\"testString\",\"sessionId\":\"testString\",\"storeId\":\"testString\",\"terminalId\":\"testString\",\"tillId\":\"testString\",\"workflowId\":\"testString\",\"timestamp\":{\"offset\":{\"totalSeconds\":0,\"id\":\"Z\",\"rules\":{\"fixedOffset\":true,\"transitions\":[],\"transitionRules\":[]}},\"hour\":0,\"minute\":30,\"second\":21,\"nano\":298000000,\"year\":2018,\"month\":\"FEBRUARY\",\"dayOfMonth\":10,\"dayOfWeek\":\"SATURDAY\",\"dayOfYear\":41,\"monthValue\":2}},\"payload\":{\"createtestRequest\":{\"header\":{\"senderid\":\"testString\",\"channelid\":\"testString\"},\"tests\":{\"account\":{\"universalLineId\":\"testString\"},\"sourceTransactionTime\":\"2018-02-10T00:30:21.298Z\",\"phoneNumber\":\"testString\",\"purchasedEquipment\":{\"description\":\"testString\",\"imei\":\"testString\"},\"testId\":\"testString\"}}},\"processContext\":{\"rootId\":\"67310650-1e3b-11e8-945d-a5cf584f50bc\",\"parentId\":\"67310650-1e3b-11e8-945d-a5cf584f50bc\",\"spaceName\":\"development\"},\"currentRetryCount\":0,\"maxRetryAttempts\":0,\"retryDelay\":0,\"taskId\":null,\"errorData\":null,\"status\":null,\"subStatus\":null},\"api_response\":\"org.hibernate.exception.GenericJDBCException: Error calling CallableStatement.getMoreResults\",\"httpStatusCode\":\"503\",\"key\":\"testString\",\"additionalAttributes\":{}}" | search "\"eventid\":\"event123\"" | rex "{\"eventId\":\"(?<eventId>[^\"]+)" | rex ",\"payload\":(?<payload>.*),\"api_response\"" | table eventId payload PS: I have retained eventId field in case you need it to be displayed in result. ... View more

@mayurr98 thanks. It's works as expected ... View more

it looks like startDateModified is based on startDate, so the values would be the same, but formatted differently? Is there a reason you're using both in the where statement? Are the values different than _time? ... View more

ohhk... I misunderstood your question.. ... View more