Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About ib_321
ib_321
New Member
Member since:
01-26-2018
06-05-2020
Community Statistics
| Posts | 5 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 01-26-2018 |
Activity Feed
- Posted Re: Optimize query with multiple subsearches on Splunk Search. 02-21-2018 12:26 PM
- Posted Optimize query with multiple subsearches on Splunk Search. 02-07-2018 05:13 PM
- Tagged Optimize query with multiple subsearches on Splunk Search. 02-07-2018 05:13 PM
- Tagged Optimize query with multiple subsearches on Splunk Search. 02-07-2018 05:13 PM
- Posted Re: How to create a transaction that startswith=(something!="(null)") endswith=(something="(null)") on Splunk Search. 01-26-2018 03:22 PM
- Posted Re: How to create a transaction that startswith=(something!="(null)") endswith=(something="(null)") on Splunk Search. 01-26-2018 12:16 PM
- Posted How to create a transaction that startswith=(something!="(null)") endswith=(something="(null)") on Splunk Search. 01-26-2018 10:47 AM
- Tagged How to create a transaction that startswith=(something!="(null)") endswith=(something="(null)") on Splunk Search. 01-26-2018 10:47 AM
- Tagged How to create a transaction that startswith=(something!="(null)") endswith=(something="(null)") on Splunk Search. 01-26-2018 10:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
02-21-2018
12:26 PM
Thank you for the prompt and thorough response. This was extremely helpful.
... View more
02-07-2018
05:13 PM
Hello,
I have a query with multiple subsearches that is slower than I would like, so I am looking for ways to optimize it.
The search finds the first event whose path is transaction that occurs after an event whose path is finalize for a given customerId and sessionId . The sessionId is passed in through a dashboard. The first subsearch pulls the customerId out of a cookie using rex . The second gets the timestamp of the finalize event for the relevant session.
index=my_index event=response path=*/transactions* [search index=my_index event=response path=*/pair* $sessionId$ | spath output=cookie path=headers.cookie | rex field=cookie "(?<=\bCID=)(?<customerId>.{36})" | return 1 $customerId] | spath ts output=transactionTs | eval finalizeTs=[search index=my_index event=response path=*/finalize* $sessionId$ | spath ts output=t | return 1 $t] | where transactionTs>finalizeTs | tail 1
For all the Splunk pros out there, is there a way to rewrite this query to remove the subsearches, or otherwise improve the performance?
... View more
01-26-2018
03:22 PM
That seems to have solved my problem. Thank you!
Can you explain why this query worked while mine didn't?
... View more
01-26-2018
12:16 PM
Thank you for your response. This didn't resolve the issue.
I don't think fillnull , replaces "(null)". For example,
... | fillnull | search customerId="(null)"
returns a bunch of events.
... View more
01-26-2018
10:47 AM
My goal is to create a transaction that ends with customerId being "(null)" and starts with customerId being something other than "(null)" . Here is my query:
... | transaction deviceId startswith=(customerId!="(null)") endswith=(customerId="(null)") maxspan=10m | stats count by deviceId
When I inspect the resulting list of deviceIds, none of them meet the criteria that I wanted for my transaction--none of them go from customerId!="(null)" to customerId="(null)" . I have tried reversing the log ... | reverse | transaction ... , but I get the same result.
The only explanation I have come up with is that this has something to do with comparison to "(null)"--that in the end customerId will always be "(null)" after the last event--but this query compares customerId to the string "(null)" so that doesn't make sense.
Any help would be greatly appreciated. Thanks in advance.
... View more
- Tags:
- null
- transactions
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
