Activity Feed
- Posted Re: How to extract just the date from a timestamp converted from epoch time? on Splunk Search. 04-04-2018 03:52 AM
- Posted Re: Modify the result of a query using csv lookup on Splunk Search. 04-01-2018 09:46 PM
- Posted Re: "What to Search" isn't working on Splunk Search. 04-01-2018 01:05 AM
- Posted Re: Alert Configuration based on search results on Alerting. 03-25-2018 10:00 PM
- Posted Re: Alert Configuration based on search results on Alerting. 03-25-2018 09:25 PM
- Posted Re: Alert Configuration based on search results on Alerting. 03-25-2018 05:19 AM
- Posted Alert Configuration based on search results on Alerting. 03-25-2018 03:21 AM
- Posted Modify the result of a query using csv lookup on Splunk Search. 03-14-2018 10:27 PM
- Posted Re: Customize pdf output file on Reporting. 03-14-2018 05:47 AM
- Posted Re: How to replace field values received from one search result in one index with second search result in other index by comparing the values? on Splunk Enterprise. 03-13-2018 10:54 PM
- Posted Re: How to configure Props.conf to break the events only before a specific line? on Splunk Enterprise. 03-13-2018 10:52 PM
- Posted Re: How to configure Props.conf to break the events only before a specific line? on Splunk Enterprise. 03-13-2018 10:51 PM
04-04-2018 03:52 AM
Hi @ppablo_splunk,
Can we use the above in alerts as well? For example:- $job.earliestTime$ gives me "2018-04-04T00:00:00.000+04:00" whereas I want only "2018-04-04".
04-01-2018 09:46 PM
Thank you @p_gaurav!!
I tried this by modifying the above query and it worked for me. This was very helpful. 🙂
04-01-2018 01:05 AM
Hi @oda,
I have the same problem. I have created 2 indexes and I am not able to see the Summary in "What to Search".
What did you do to make it work? Please guide.
03-25-2018 10:00 PM
ConsumerName TotalHits ErrorCount
ABC 1179 269
If my query result is as above, how can I fetch the value of TotalHits? Could anyone please help?
03-25-2018 09:25 PM
Hi @rakshithreddy,
How to fetch the value of TotalHits in the mail? Is this correct - $requests.TotalHits$
03-25-2018 03:21 AM
Hi,
I want to setup an alert on my search given below:-
index="foo" source="/servers/logs/access.log" | rex "\"(?<ConsumerIP>[^\"]+)\"\s+(?<RequestTime>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})\s(?<HttpMethod>[^\s]+)\s(?<EndpointURI>[^\s]+)\s(?<ResponseCode>\d+)\s(?<ServerInfo>[^\s]+)\s(?<GatewayIP>[^\s]+)\s(?<Ecid>[^\s]+)\s(?<ResponseTime>.+)" | stats count as TotalHits by EndpointURI
Alert Settings:-
Alert: DOH-PersonProfile Alert
Description:Optional
Alert type: Scheduled
Run on Cron Schedule
Time Range: Last 1 day
Cron Expression: */5 * * * *
Trigger Conditions
Trigger alert when Custom search count>1000
Trigger: Once
Trigger Actions
When triggered
Send email To abc@company.com
Priority: High
Subject: Splunk Alert: $result.TotalHits$
Total number of requests received are : $requests.TotalHits$
Type: HTML & Plain Text
Why is the alert not working? Could anyone help me with this?
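The alert above fills its e-mail subject and body from the search results and fires on a trigger condition. As an added example (not code from the post and not Splunk's own renderer), the Python below models the two points that most often explain an alert like this one not behaving: `$result.<field>$` tokens are resolved from the first result row only, and a "Number of results" trigger compares the row count with the threshold, whereas a custom trigger condition is a search over the fields of those rows (here `TotalHits > 1000`). The result rows are constructed sample data; the body template uses `$result.TotalHits$` because that is the token form the model understands. Two behaviours are assumptions of this model rather than statements about Splunk: a token naming a field the first row lacks renders empty, and text that is not a `$result.*$` token (such as `$requests.TotalHits$`) is left as it is.

```python
import re

# Constructed sample rows, as `stats count as TotalHits by EndpointURI`
# might return them for the alert's search (not data from the post).
RESULTS = [
    {"EndpointURI": "/abc/Provider1/Service1", "TotalHits": 1179},
    {"EndpointURI": "/abc/Provider1/Service2", "TotalHits": 42},
]

# Matches $result.<field>$; the field name is taken as-is from the template.
RESULT_TOKEN = re.compile(r"\$result\.([A-Za-z_][A-Za-z0-9_]*)\$")


def render_result_tokens(template, results):
    """Fill $result.<field>$ tokens from the FIRST result row, which is how
    Splunk resolves result tokens in alert actions.
    Assumptions of this model: a field missing from that row renders empty,
    and text that is not a $result.*$ token (e.g. $requests.TotalHits$) is
    left untouched."""
    first = results[0] if results else {}
    return RESULT_TOKEN.sub(lambda m: str(first.get(m.group(1), "")), template)


def number_of_results_trigger(results, threshold):
    """'Number of results' condition: compares the ROW count with the
    threshold, regardless of any field value inside the rows."""
    return len(results) > threshold


def custom_trigger(results, field, threshold):
    """Custom condition equivalent to `search <field> > <threshold>`:
    fires when at least one row satisfies it."""
    return any(float(row.get(field, 0)) > threshold for row in results)


def build_alert(results, count_threshold=1000):
    """Render the post's subject/body templates and report which of the two
    trigger styles would fire for these rows."""
    subject = render_result_tokens("Splunk Alert: $result.TotalHits$", results)
    body = render_result_tokens(
        "Total number of requests received are : $result.TotalHits$", results)
    return {
        "subject": subject,
        "body": body,
        "fires_on_row_count": number_of_results_trigger(results, count_threshold),
        "fires_on_custom_condition": custom_trigger(results, "TotalHits", count_threshold),
    }


if __name__ == "__main__":
    for name, value in build_alert(RESULTS).items():
        print(f"{name}: {value}")
```

With a `stats ... by EndpointURI` search the result set has one row per endpoint, so a row-count threshold of 1000 is never reached even when a single endpoint has well over 1000 hits; the custom condition on the field is the one that fires for that case.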
03-14-2018 10:27 PM
Before asking the question, here is a brief description of what I have done and am doing.
The query below is working fine and returns the results as I need them:-
index="test" | rex "\"(?<ConsumerIP>[^\"]+)\"\s+(?<RequestTime>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})\s(?<HttpMethod>[^\s]+)\s(?<EndpointURI>[^\s]+)\s(?<ResponseCode>\d+)\s(?<ServerInfo>[^\s]+)\s(?<GatewayIP>[^\s]+)\s(?<Ecid>[^\s]+)\s(?<ResponseTime>.+)" | stats count as TotalHits count(eval(ResponseCode!=200)) as ErrorCount max(eval(ResponseTime*1000)) as MaxResponseTime min(eval(ResponseTime*1000)) as MinResponseTime avg(eval(ResponseTime*1000)) as AvgRT by EndpointURI ConsumerIP | eval AvgRT=round(AvgRT,2) | rename AvgRT as "AvgResponseTime(ms)", MaxResponseTime as "MaxResponseTime(ms)", MinResponseTime as "MinResponseTime(ms)" | lookup ConsumerIPLookup ConsumerIP OUTPUT ConsumerName | lookup EndpointURILookup EndpointURI OUTPUT Provider,ServiceName,Version | streamstats count as "S.No" | fields "S.No",Provider,ServiceName,Version,ConsumerName,TotalHits,ErrorCount,"MaxResponseTime(ms)","MinResponseTime(ms)","AvgResponseTime(ms)"
Result of the above query:-
S.No Provider ServiceName Version ConsumerName TotalHits ErrorCount MaxResponseTime(ms) MinResponseTime(ms) AvgResponseTime(ms)
1 Provider1 Service1 1.0 Consumer1 3 1 572 220 396.67
2 Provider1 Service1 1.0 Consumer2 3 1 50 25 300.00
3 Provider1 Service1 1.0 Consumer2 7 4 100 50 200.00
4 Provider1 Service1 1.0 Consumer3 14 12 214 106 602.64
EndpointURILookup.csv contents:-
EndpointURI,Provider,ServiceName,Version
/abc/Provider1/Service1,Provider1,Service1,1.0
ConsumerIPLookup.csv Contents:-
ConsumerIP,ConsumerName
10.10.10.1,Consumer1
10.10.10.2,Consumer2
10.10.10.3,Consumer2
10.10.10.4,Consumer3
What I need to know is how I can modify/update the result of my query so that it returns the sum of TotalHits for those ConsumerNames that have multiple ConsumerIPs. For example, in ConsumerIPLookup.csv, Consumer2 has multiple IPs and the ConsumerName is "Consumer2"; I need to sum so that one record comes out, calculating TotalHits, ErrorCount, MaxResponseTime, MinResponseTime and AvgResponseTime.
The result should be like below:-
S.No Provider ServiceName Version ConsumerName TotalHits ErrorCount MaxResponseTime(ms) MinResponseTime(ms) AvgResponseTime(ms)
1 Provider1 Service1 1.0 Consumer1 3 1 572 220 396.67
2 Provider1 Service1 1.0 Consumer2 10 5 75 36 250.00
4 Provider1 Service1 1.0 Consumer3 14 12 214 106 602.64
How can I achieve this without losing any other stats? Is there any method to save the csv lookup contents in a variable and use that variable to put a condition and calculate the stats from my actual log?
03-14-2018 05:47 AM
I have a similar requirement and I do not think there is any answer to this question. This means we cannot modify a PDF. I do not need visualization in my report; I need to change the title of the PDF report file from "Splunk search result" to "Last week statistics". Can this happen or not?
Maybe someone can help on this. @niketnilay or @MuS or @mayurr98
03-13-2018 10:54 PM
Thanks @valiquet but I got my query resolved by creating and using csv lookup.
03-13-2018 10:52 PM
Thank you deepashri_123, I tried the answer by harsmarvania57 and it worked for me.
03-13-2018 10:51 PM
Thank you @harsmarvania57, This worked pretty well.
03-11-2018 10:51 PM
Hi,
I have tried the above but this is not working for me. Could anyone please tell me why the round function is not working for me?
03-08-2018 12:06 AM
Index 1 search result:-
Provider IP Version Count
Provider1 10.10.10.1 1.0 30
Provider1 10.10.10.2 1.0 40
Provider1 10.10.10.3 1.0 100
Provider2 10.10.10.2 1.0 50
Provider2 10.10.10.2 1.0 75
Provider2 10.10.10.6 1.0 81
Provider3 10.10.10.3 1.0 25
Provider3 10.10.10.3 1.0 92
Provider4 10.10.10.4 1.0 20
Index 2 search result:-
<IPDetails>
<Element1 Name="ABC">
<Service Version="1.0">
<Consumer EntityCode="Ent1">
<IP>10.10.10.1</IP>
<IP>10.10.10.2</IP>
<IP>10.10.10.3</IP>
</Consumer>
<Consumer EntityCode="Ent2">
<IP>10.10.10.4</IP>
<IP>10.10.10.5</IP>
</Consumer>
</Service>
</Element1>
<Element2 Name="DEF">
<Service Version="1.0">
<Consumer EntityCode="Ent1">
<IP>10.10.10.1</IP>
<IP>10.10.10.2</IP>
<IP>10.10.10.3</IP>
</Consumer>
<Consumer EntityCode="Ent3">
<IP>10.10.10.6</IP>
<IP>10.10.10.7</IP>
<IP>10.10.10.8</IP>
</Consumer>
</Service>
</IPDetails>
Could anyone advise me on how to replace the value of all IPs in the IP field with the second index's Consumer EntityCode? For example, "Ent1" should be replaced with 10.10.10.1 or 10.10.10.2 or 10.10.10.3, "Ent2" should be replaced with 10.10.10.4 or 10.10.10.5, and "Ent3" should be replaced with 10.10.10.6, 7 or 8.
- Tags:
- splunk-enterprise
03-07-2018 03:38 AM
I have a requirement to merge multiple lines that are by default broken into multiple events by the indexer, and make one event before a specific line comes. The sample log file data is given below:-
2018-03-05 15:23:03.123 [ISC.0038.0002D] <-- abcd-efgh-ijkl
2018-03-05 15:23:03.234 [ISC.0038.0002D] <-- Length=550
2018-03-05 15:23:03.345 [ISC.0038.0002D] <-- Host: localhost:7001
2018-03-05 15:23:03.456 [ISC.0038.0002D] <-- Connection: 1
2018-03-05 15:23:03.567 [ISC.0038.0002D] <-- mnop-qrst-uvw-xyz
2018-03-05 15:23:03.678 [ISC.0038.0002D] <-- Length=600
2018-03-05 15:23:03.789 [ISC.0038.0002D] <-- Host: localhost:7001
2018-03-05 15:23:03.890 [ISC.0038.0002D] <-- Connection: 2
2018-03-05 15:23:04.321 [ISC.0038.0002D] <-- mnop-qrst-uvw-xyz
2018-03-05 15:23:05.432 [ISC.0038.0002D] <-- Length=600
2018-03-05 15:23:06.542 [ISC.0038.0002D] <-- Host: localhost:7001
props.conf:-
[source::/opt/saggw101/IntegrationServer/instances/default/logs/server.log*]
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE=\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}.\d{3}\s[\w{3}.\d{4}.\d{4}\w{1}]\s\W{3}\s\w{4}:\s\w{9}:\d{4}
The above config is not working for me and the events that are created are multiple for each line. What I want is something like
Event 1:-
2018-03-05 15:23:03.345 [ISC.0038.0002D] <-- Host: localhost:7001
2018-03-05 15:23:03.456 [ISC.0038.0002D] <-- Connection: 1
2018-03-05 15:23:03.567 [ISC.0038.0002D] <-- mnop-qrst-uvw-xyz
2018-03-05 15:23:03.678 [ISC.0038.0002D] <-- Length=600
Event 2:-
2018-03-05 15:23:03.789 [ISC.0038.0002D] <-- Host: localhost:7001
2018-03-05 15:23:03.890 [ISC.0038.0002D] <-- Connection: 2
2018-03-05 15:23:04.321 [ISC.0038.0002D] <-- mnop-qrst-uvw-xyz
2018-03-05 15:23:05.432 [ISC.0038.0002D] <-- Length=600
Could anyone help me out with this?
- Tags:
- splunk-enterprise
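The BREAK_ONLY_BEFORE value in the props.conf above contains unescaped `[` and `]`, which the regex engine reads as a character class, so the bracketed `[ISC.0038.0002D]` token can never match and the pattern never breaks anything; with no match, Splunk falls back to its default of breaking before every line that carries a timestamp (BREAK_ONLY_BEFORE_DATE defaults to true), which is the one-event-per-line result the post describes. As an added example (not code from the post, and only a model of the BREAK_ONLY_BEFORE part of Splunk's line merging, not its engine), the Python below runs the posted pattern and a corrected one against the sample lines from the post and merges lines into events. The corrected pattern escapes the brackets and the dot and spells out the `Host:` marker instead of approximating it with `\w{4}`; when every line has its own timestamp, the date rule also needs turning off (`BREAK_ONLY_BEFORE_DATE = false` next to `BREAK_ONLY_BEFORE`), which is a practitioner recommendation rather than something the post states.

```python
import re

# Sample lines from the post (server.log excerpt).
SAMPLE_LINES = [
    "2018-03-05 15:23:03.123 [ISC.0038.0002D] <-- abcd-efgh-ijkl",
    "2018-03-05 15:23:03.234 [ISC.0038.0002D] <-- Length=550",
    "2018-03-05 15:23:03.345 [ISC.0038.0002D] <-- Host: localhost:7001",
    "2018-03-05 15:23:03.456 [ISC.0038.0002D] <-- Connection: 1",
    "2018-03-05 15:23:03.567 [ISC.0038.0002D] <-- mnop-qrst-uvw-xyz",
    "2018-03-05 15:23:03.678 [ISC.0038.0002D] <-- Length=600",
    "2018-03-05 15:23:03.789 [ISC.0038.0002D] <-- Host: localhost:7001",
    "2018-03-05 15:23:03.890 [ISC.0038.0002D] <-- Connection: 2",
    "2018-03-05 15:23:04.321 [ISC.0038.0002D] <-- mnop-qrst-uvw-xyz",
    "2018-03-05 15:23:05.432 [ISC.0038.0002D] <-- Length=600",
    "2018-03-05 15:23:06.542 [ISC.0038.0002D] <-- Host: localhost:7001",
]

# The BREAK_ONLY_BEFORE value as posted. The unescaped '[' ... ']' form a
# character class, so the literal "[ISC.0038.0002D]" never matches and no
# line qualifies as an event boundary.
POSTED_PATTERN = (r"\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}.\d{3}\s"
                  r"[\w{3}.\d{4}.\d{4}\w{1}]\s\W{3}\s\w{4}:\s\w{9}:\d{4}")

# Corrected value: brackets and dots escaped, "Host:" spelled out.
FIXED_PATTERN = (r"^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\.\d{3}\s"
                 r"\[\w{3}\.\d{4}\.\d{4}\w\]\s<--\sHost:\s\S+:\d+")


def matching_lines(lines, pattern):
    """Indexes of the lines a BREAK_ONLY_BEFORE pattern would break before."""
    rx = re.compile(pattern)
    return [i for i, line in enumerate(lines) if rx.search(line)]


def break_events(lines, pattern):
    """Merge consecutive lines into events, starting a new event only before
    a line that matches `pattern`. Lines before the first match form an
    event of their own; if nothing matches, everything is one event."""
    rx = re.compile(pattern)
    events, current = [], []
    for line in lines:
        if current and rx.search(line):
            events.append(current)
            current = []
        current.append(line)
    if current:
        events.append(current)
    return events


if __name__ == "__main__":
    print("posted pattern breaks before lines:", matching_lines(SAMPLE_LINES, POSTED_PATTERN))
    print("fixed pattern breaks before lines: ", matching_lines(SAMPLE_LINES, FIXED_PATTERN))
    for n, event in enumerate(break_events(SAMPLE_LINES, FIXED_PATTERN), 1):
        print(f"Event {n}:")
        for line in event:
            print("  " + line)
```

On the sample, the corrected pattern breaks before the three `Host:` lines, giving the two four-line events the post asks for (plus a leading event for the first two lines and a trailing one-line event for the last `Host:` line, which have no following lines in the excerpt).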
03-05-2018 04:10 AM
Thank you @NiketNilay and @MuS!!
The problem was with the regular expression that was created by the Splunk Field Extractor. It's working now.
02-28-2018 01:45 AM
Hi @Isaias.Garcia,
Did you get any solution for your question? I am also having the same trouble. Could you please advise on this?
02-27-2018 02:02 AM
@niketnilay
Could you please briefly explain what is to be done here?
02-26-2018 03:11 PM
Hi Mus,
It's a copy-paste gone wrong. I pasted the query with groups but I think they got omitted at the time of posting. Anyway, I have got a regex with which I can extract a part of the report, like endpoint URI and total hit counts.
However, I need help in creating full report. please advise.
02-26-2018 02:37 PM
Thank you for your reply Niket.
However, I am not receiving any result for this search. How is the value of status defined? What is status? Is it a variable?
I am using the below query with a regex for the log data, with which I can at least receive the hit count per Endpoint URI. But my requirement is as mentioned in the question. Please advise.
index="abcd" source="def" | rex field=_raw "^(?P<ConsumerIP>[^\t]+)\t(?P<RequestDate>[^\t]+)\t(?P<RequestTime>[^\t]+)\t(?P<HttpMethod>\w+)\t(?P<EndpointURI>[^\t]+)\t(?P<ResponseCode>\d+)" | chart usenull=f useother=f limit=0 count by EndpointURI | streamstats count as "SNo"
Can a regex be used for this report as well? If yes, please advise.
02-25-2018 05:03 AM
I have a report to generate which should have multiple fields for the data like below:-
"10.10.10.10" 2015-09-15 15:54:55 POST /services/service1 200
"10.10.10.20" 2015-09-15 15:55:55 POST /services/service2 200
"10.10.10.30" 2015-09-15 15:56:55 POST /services/service3 200
"10.10.10.10" 2015-09-15 15:57:55 POST /services/service1 200
"10.10.10.20" 2015-09-15 16:00:55 POST /services/service3 200
The output should be like a table:-
1. Serial Number :- 1, 2, 3, 4, 5
2. Endpoint URI :- /services/service1, /services/service1, /services/service2, /services/service3, /services/service3
3. Consumer :- Consumer1, Consumer2, Consumer3
4. Total Count per Consumer per EndpointURI
5. Error Count per Consumer per EndpointURI
Report should look like:-
Sr# EndpointURI ConsumerIP HitCount ErrorCount
1 /services/service1 10.10.10.10 100 3
2 /services/service1 10.10.10.20 0 0
3 /services/service1 10.10.10.30 150 1
4 /services/service2 10.10.10.10 640 2
5 /services/service3 10.10.10.20 10 0
How can I create something like the above using chart, table or fields or any other commands in Splunk search?
- Tags:
- splunk-enterprise
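The 03-14-2018 query further up (rex, then stats by EndpointURI and ConsumerIP, then the two csv lookups) and the report asked for in the 02-25-2018 post just above (hit and error counts per EndpointURI and ConsumerIP) are the same aggregation over the same log layout: a quoted client IP, a timestamp, method, URI and response code, with four more fields on the longer lines. As an added example, not code from the posts and not Splunk, the Python below parses that layout with the field names of the posted rex, applies the IP-to-consumer lookup before grouping, and computes the per-row statistics. Grouping by ConsumerName merges a consumer's several IPs into one row, which is what the 03-14 question asks for; in SPL the equivalent is to run `lookup ConsumerIPLookup ConsumerIP OUTPUT ConsumerName` before `stats ... by EndpointURI ConsumerName`, because a second stats over rows that already carry an average cannot recover the true mean. Grouping by ConsumerIP instead gives the 02-25 report. The log lines and both lookup tables are constructed samples; the regex makes the trailing four fields optional (an assumption, so the shorter 02-25 lines parse too), and an IP missing from the lookup is reported as "unknown" rather than dropped, where the SPL lookup would leave ConsumerName empty.

```python
import re

# Field layout of the rex in the 03-14-2018 query. The four trailing fields
# are optional (assumption) so the shorter lines of the 02-25-2018 post parse.
LINE_RE = re.compile(
    r'^"(?P<ConsumerIP>[^"]+)"\s+'
    r'(?P<RequestTime>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})\s'
    r'(?P<HttpMethod>\S+)\s(?P<EndpointURI>\S+)\s(?P<ResponseCode>\d+)'
    r'(?:\s(?P<ServerInfo>\S+)\s(?P<GatewayIP>\S+)\s(?P<Ecid>\S+)\s'
    r'(?P<ResponseTime>\S+))?\s*$'
)

# Constructed lookups in the shape of ConsumerIPLookup.csv / EndpointURILookup.csv.
CONSUMER_LOOKUP = {"10.10.10.1": "Consumer1", "10.10.10.2": "Consumer2",
                   "10.10.10.3": "Consumer2", "10.10.10.4": "Consumer3"}
ENDPOINT_LOOKUP = {"/abc/Provider1/Service1": ("Provider1", "Service1", "1.0")}

# Constructed log lines (not from the posts); ResponseTime is in seconds.
SAMPLE_LOG = [
    '"10.10.10.1" 2018-03-14 10:00:01 POST /abc/Provider1/Service1 200 srv01 10.0.0.1 ecid-001 0.2',
    '"10.10.10.1" 2018-03-14 10:00:02 POST /abc/Provider1/Service1 500 srv01 10.0.0.1 ecid-002 0.4',
    '"10.10.10.1" 2018-03-14 10:00:03 POST /abc/Provider1/Service1 200 srv01 10.0.0.1 ecid-003 0.6',
    '"10.10.10.2" 2018-03-14 10:00:04 POST /abc/Provider1/Service1 200 srv01 10.0.0.1 ecid-004 0.05',
    '"10.10.10.2" 2018-03-14 10:00:05 POST /abc/Provider1/Service1 500 srv01 10.0.0.1 ecid-005 0.025',
    '"10.10.10.3" 2018-03-14 10:00:06 POST /abc/Provider1/Service1 200 srv01 10.0.0.1 ecid-006 0.1',
    '"10.10.10.3" 2018-03-14 10:00:07 POST /abc/Provider1/Service1 404 srv01 10.0.0.1 ecid-007 0.05',
    '"10.10.10.3" 2018-03-14 10:00:08 POST /abc/Provider1/Service1 200 srv01 10.0.0.1 ecid-008 0.075',
    '"10.10.10.4" 2018-03-14 10:00:09 GET /abc/Provider1/Service1 200 srv01 10.0.0.1 ecid-009 0.3',
    '"10.10.10.1" 2018-03-14 10:00:10 POST /abc/Provider1/Service2 503 srv02 10.0.0.1 ecid-010 0.9',
    'garbage line that the regex does not match',
]


def parse(lines):
    """Yield one event dict per line matching LINE_RE; other lines are
    skipped, like events for which rex extracts nothing."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ResponseCode"] = int(ev["ResponseCode"])
        ev["ResponseTime"] = float(ev["ResponseTime"]) if ev["ResponseTime"] else None
        yield ev


def aggregate(events, by):
    """`stats` over the events grouped by the fields in `by`, with the IP
    lookup applied before grouping so one consumer's IPs land in one row.
    Sum and count are carried, so the average is a true mean over all hits."""
    acc = {}
    for ev in events:
        ev = dict(ev)
        # The IP is taken straight from the log; keep unknown senders visible.
        ev["ConsumerName"] = CONSUMER_LOOKUP.get(ev["ConsumerIP"], "unknown")
        key = tuple(ev.get(f) for f in by)
        a = acc.setdefault(key, {"hits": 0, "errors": 0, "sum": 0.0, "n": 0,
                                 "max": None, "min": None})
        a["hits"] += 1
        if ev["ResponseCode"] != 200:
            a["errors"] += 1
        if ev["ResponseTime"] is not None:
            ms = ev["ResponseTime"] * 1000
            a["sum"] += ms
            a["n"] += 1
            a["max"] = ms if a["max"] is None else max(a["max"], ms)
            a["min"] = ms if a["min"] is None else min(a["min"], ms)
    rows = []
    for sno, (key, a) in enumerate(sorted(acc.items()), start=1):
        row = {"S.No": sno, **dict(zip(by, key))}
        provider, service, version = ENDPOINT_LOOKUP.get(row.get("EndpointURI"), ("", "", ""))
        row.update(Provider=provider, ServiceName=service, Version=version,
                   TotalHits=a["hits"], ErrorCount=a["errors"],
                   MaxResponseTime_ms=a["max"], MinResponseTime_ms=a["min"],
                   AvgResponseTime_ms=round(a["sum"] / a["n"], 2) if a["n"] else None)
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in aggregate(parse(SAMPLE_LOG), ["EndpointURI", "ConsumerName"]):
        print(row)
```

With the sample data, Consumer2's five hits across 10.10.10.2 and 10.10.10.3 come out as one row (5 hits, 2 errors, max 100 ms, min 25 ms, mean 60.00 ms); averaging the two per-IP averages instead would give a different number, which is why the lookup has to happen before the grouping rather than after it.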
01-31-2018 10:59 PM
I tried with both configs, but still I am not getting what is required. Anyway, thank you for your support; I will try again to get to the desired requirement.
Really appreciate your support.
01-31-2018 10:15 PM
The screenshot is not accessible. Could you please share again?
01-31-2018 10:15 PM
Hi @harsmarvania57,
This is the same config that Adonio provided.
I tried this config but now the events are not created based on [2018-01-31T15:23:25.470+04:00], which was being picked up without the props.conf config earlier. Now, this config has scattered the events and is displaying results which are not at all good. My requirement is to create events based on [2018-01-31T15:23:25.470+04:00], not based on 2015-02-10T15:25:19Z. Please provide your inputs.
Note:- There is no space in the timestamp. The data begins with "[" only.
01-31-2018 10:00 PM
Hi Adonio,
Thank you for your support!!
I tried this config but now the events are not created based on [2018-01-31T15:23:25.470+04:00], which was being picked up without the props.conf config. Now, this config has scattered the events and is displaying results which are not at all good. My requirement is to create events based on [2018-01-31T15:23:25.470+04:00], not based on 2015-02-10T15:25:19Z. Please provide your inputs.