cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Nidd
Path Finder
Member since: ‎02-15-2018
‎03-22-2023
Community Statistics
Posts 37
Solutions 0
Karma Given 14
Karma Received 2
Member Since ‎02-15-2018
Activity Feed
Topics I've Started
View All

How to check if the events count is greater than t...

by in Alerting
‎03-22-2023 08:22 AM
‎03-22-2023 08:22 AM
Requirement: I have a ton of events and I need to create an alert that keeps monitoring my job for the number of events it processed for the last 1 hour. It should alert whenever the events count exceeds a specific threshold. I have the below query framed. But it is not showing results at all, even when there are results to be shown.   index=myIndex "myJob" earliest=-1h latest=now | stats count as eventsCount by _time | where eventsCount > 5000   Where am I making a mistake? Please help. ... View more
Labels

Stats for multiple fields in the same table?

by in Splunk Search
‎03-01-2023 11:05 AM
‎03-01-2023 11:05 AM
I have logs like below:     { [-] TransactionName: "my TransactionName" type1Error: NA eventTime: 2023-02-28 11:16:52.961 type2Error: NA type3Error: NA } { [-] TransactionName: "my TransactionName" type1Error: NA eventTime: 2023-02-28 11:16:52.961 type2Error: Missing Field type3Error: NA }     I have framed a below query:     index=my_idx | stats count by type1Error, type2Error, type3Error     Which gives me result like:     --------------------------------------------------------- type1Error type2Error type3Error count --------------------------------------------------------- NA NA NA 1 NA NA Missing Field 1 ---------------------------------------------------------     But then, it would be better if I can bring it for success and failures separately. Like: Create 2 new queries for errors with NA and not NA: NA:     ---------------------------------------------------- Success count ---------------------------------------------------- type1Error 2 type2Error 2 type3Error 1 ----------------------------------------------------     Not NA:     ---------------------------------------------------- Failure count ---------------------------------------------------- type1Error 0 type2Error 0 type3Error 1 ----------------------------------------------------     How can we achieve this? Not getting a clear picture on how to frame a query for this. Tried using chart, but no luck !! ... View more
Labels

Re: How to rename search results obtained in stats...

by in Splunk Search
‎02-27-2023 06:25 PM
1 Karma
‎02-27-2023 06:25 PM
1 Karma
Thanks much @richgalloway  !! It worked! ... View more

How to rename search results obtained in stats?

by in Splunk Search
‎02-27-2023 10:47 AM
‎02-27-2023 10:47 AM
I have the following query created:     index=my_idx source=mySource | stats count by sourceTopic     Which gives me result like:     MY/EVENTS/EV1/TYPE1 | 16170 MY/EVENTS/EV1/TYPE2 | 3558 MY/EVENTS/EV1/TYPE3 | 419 MY/EVENTS/EV2/TYPE1 | 123391 MY/EVENTS/EV2/TYPE2 | 16734 MY/EVENTS/EV2/TYPE3 | 880     But I would need my result like:     TYPE1 EV1 | 16170 TYPE2 EV1 | 3558 TYPE3 EV1 | 419 TYPE1 EV2 | 123391 TYPE2 EV2 | 16734 TYPE3 EV2 | 880     How would I achieve this? How can I rename my values that I obtain in stats? ... View more
Labels

Why are fields getting trimmed while fetching?

by in Splunk Search
‎01-20-2023 05:42 AM
‎01-20-2023 05:42 AM
I have some error logs like below:     TYPE=ERROR, DATE_TIME=2022-12-31 03:30:27,281, CLASS_NAME=myClass, METHOD_NAME=myMethod, message=unknown error while fetching recordsjavax.net.ssl.SSLHandshakeException: General SSLEngine problem TYPE=ERROR, DATE_TIME=2023-01-19 00:38:09,013, CLASS_NAME=myClass, METHOD_NAME=myMethod, message=unknown error while fetching recordsjava.lang.IllegalStateException: could not create the default ssl context     I need to get the message field of these logs and to sort them based on _time. I am trying the below queries to get the same. Query 1:     index="myIndes" host=myHost source="/my/app/location/app.log" TYPE=ERROR | extract pairdelim=",|" kvdelim="=" | table message | sort _time     Query 2:     index="myIndes" host=myHost source="/my/app/location/app.log" TYPE=ERROR | rex "^(?:(?<message>[^,]*),){7}" | table message | sort _time     But for both these queries, my response looks like below. Instead of getting the entire message field, I am getting just the first word.     -------- message -------- unknown     Please help on how to achieve this. ... View more
Labels

Alert query not triggering an alert

by in Alerting
‎08-18-2021 04:31 AM
‎08-18-2021 04:31 AM
Hi, I have a sample log like below, for which I have created an alert which triggers if the Expiration Date is greater than current date.  LOGS: Date : 17/08/2021 12:15:44 Build Number : 3274 Database Date : 2021-07-15 Expiration Date : 2021-08-17 License Expiration Date : 2021-08-17   MY QUERY: index=myIdx source="/my/logs/catalina.out" linecount=4 | regex _raw = ".*\sExpiration Date\s.*" | rex max_match=0 "^(?<lines>.+)\n+" | eval buildNumber=mvindex(lines,0) | eval expirationDate=mvindex(lines,2) | fields - lines | eval expirationDateVal = mvindex(split(expirationDate,":"),1) | eval buildNumberVal = mvindex(split(buildNumber,":"),1) | eval expiredConvert = strptime(expirationDateVal,"%m-%d-%Y") |eval expiredConvertDiffFormat = strptime(expirationDateVal,"%Y-%m-%d") | eval remDays =round((expiredConvert-now())/86400) | eval remDaysDiffFormat =round((expiredConvertDiffFormat-now())/86400) | where ( remDays <= 15 and remDays != "" ) or ( remDaysDiffFormat !="" and remDaysDiffFormat <= 15 ) | rename remDays as numDays remDaysDiffFormat as numDaysDiffFormat host as host |eval remainingDays =case(numDays!="",numDays,numDaysDiffFormat!="",numDaysDiffFormat)| where remainingDays > 0 | table remainingDays,host,buildNumberVal,expirationDate   Somehow, this query is not pulling up the logs. Is there something which I am missing in my query? The alert should have triggered yesterday. But it hasn't. Kindly help.   Thanks in advance. ... View more
Labels

Re: Extract specific fields from unstructured logs

by in Splunk Search
‎05-04-2021 07:31 AM
‎05-04-2021 07:31 AM
Thank you very much ITWhisperer !! 🙂 Worked !! ... View more

Extract specific fields from unstructured logs

by in Splunk Search
‎05-02-2021 09:24 PM
‎05-02-2021 09:24 PM
I have a list of unstructured logs like below for which I have to extract certain fields. Tried using "Extract fields" option to pull these fields but not receiving the results as expected. Can someone please help on a way to achieving this through Splunk search query itself? Fields to be extracted: 1. myemail@site.com 2. my-pipeline 3. JDBC_06 - Failed to initialize connection pool: com.zaxxer.hikari.pool.HikariPool$PoolInitializationException: Failed to initialize pool: ORA-01017: invalid username/password; logon denied Logs:   2021-05-02 11:21:13,663 [user:*myemail@site.com] [pipeline:my-pipeline (SCH Test Run)/testRun__12a-23b-34c-45d-56d_site.com__myemail@site.com] [runner:] [thread:ProductionPipelineRunnable-testRun__12a-23b-34c-45d-56d_site.com__myemail@site.com-my-pipeline (SCH Test Run)] [stage:] ERROR JdbcSource - Cannot connect to specified database: com.streamsets.pipeline.api.StageException: JDBC_06 - Failed to initialize connection pool: com.zaxxer.hikari.pool.HikariPool$PoolInitializationException: Failed to initialize pool: ORA-01017: invalid username/password; logon denied com.streamsets.pipeline.api.StageException: JDBC_06 - Failed to initialize connection pool: com.zaxxer.hikari.pool.HikariPool$PoolInitializationException: Failed to initialize pool: ORA-01017: invalid username/password; logon denied 2021-03-01 04:18:26,910 [user:*myemail@site.com] [pipeline:my-pipeline (SCH Test Run)/testRun__12a-23b-34c-45d-56d_site.com__myemail@site.com] [runner:] [thread:ProductionPipelineRunnable-testRun__12a-23b-34c-45d-56d_site.com__myemail@site.com-my-pipeline (SCH Test Run)] [stage:] ERROR ProductionPipelineRunnable - An exception occurred while running the pipeline, com.streamsets.datacollector.runner.PipelineRuntimeException: CONTAINER_0800 - Can't start pipeline due 1 validation error(s). First one: JDBC_06 - Failed to initialize connection pool: com.zaxxer.hikari.pool.HikariPool$PoolInitializationException: Failed to initialize pool: Listener refused the connection with the following error: ORA-12514, TNS:listener does not currently know of service requested in connect descriptor 2021-03-01 04:43:12,985 [user:*myemail@site.com] [pipeline:my-pipeline (SCH Test Run)/testRun__12a-23b-34c-45d-56d_site.com__myemail@site.com] [runner:] [thread:ProductionPipelineRunnable-testRun__12a-23b-34c-45d-56d_site.com__myemail@site.com-my-pipeline (SCH Test Run)] [stage:] ERROR ProductionPipelineRunnable - An exception occurred while running the pipeline, com.streamsets.datacollector.runner.PipelineRuntimeException: CONTAINER_0800 - Can't start pipeline due 1 validation error(s). First one: JDBC_06 - Failed to initialize connection pool: com.zaxxer.hikari.pool.HikariPool$PoolInitializationException: Failed to initialize pool: IO Error: The Network Adapter could not establish the connection com.streamsets.datacollector.runner.PipelineRuntimeException: CONTAINER_0800 - Can't start pipeline due 1 validation error(s). First one: JDBC_06 - Failed to initialize connection pool: com.zaxxer.hikari.pool.HikariPool$PoolInitializationException: Failed to initialize pool: IO Error: The Network Adapter could not establish the connection 2021-03-01 05:02:13,113 [user:*myemail@site.com] [pipeline:my-pipeline (SCH Test Run)/testRun__12a-23b-34c-45d-56d_site.com__myemail@site.com] [runner:] [thread:ProductionPipelineRunnable-testRun__12a-23b-34c-45d-56d_site.com__myemail@site.com-my-pipeline (SCH Test Run)] [stage:] ERROR ProductionPipelineRunnable - An exception occurred while running the pipeline, com.streamsets.datacollector.runner.PipelineRuntimeException: CONTAINER_0800 - Can't start pipeline due 1 validation error(s). First one: JDBC_06 - Failed to initialize connection pool: com.zaxxer.hikari.pool.HikariPool$PoolInitializationException: Failed to initialize pool: IO Error: Unknown host specified com.streamsets.datacollector.runner.PipelineRuntimeException: CONTAINER_0800 - Can't start pipeline due 1 validation error(s). First one: JDBC_06 - Failed to initialize connection pool: com.zaxxer.hikari.pool.HikariPool$PoolInitializationException: Failed to initialize pool: IO Error: Unknown host specified     Thank you in advance. ... View more
Labels

Re: How to monitor and capture muliple scenarios i...

by in Alerting
‎03-02-2021 12:33 AM
‎03-02-2021 12:33 AM
Searches I use? Sorry. Didnt get you. ... View more

Re: How to monitor and capture muliple scenarios i...

by in Alerting
‎03-01-2021 11:56 PM
‎03-01-2021 11:56 PM
@ITWhisperer ..Yes..no issues in having 4 alerts.. But since we get the events from same server and same transaction, monitoring all the events in the same alert itself was what we have been given as a requirement. ... View more

How to monitor and capture muliple scenarios in sa...

by in Alerting
‎03-01-2021 11:03 PM
‎03-01-2021 11:03 PM
I have a requirement to monitor the below exceptions and send an alert through mail with few fields mentioned below. Since I'm not able to achieve this, I have created 4 individual alerts and have monitored this. But that isn't right. I wish to capture all these within the same alert. Below are sample logs.   TYPE 1: INVALID USERNAME/PASSWORD     2021-03-01 03:36:02,233 [user:*myemail@temp.com] [pipeline:my-pipeline-name (SCH Test Run)/testRun__1234__temp.com__myemail@temp.com] [runner:] [thread:ProductionPipelineRunnable-testRun__1234__temp.com__myemail@temp.com-my-pipeline-name (SCH Test Run)] [stage:] ERROR HikariPool - HikariPool-7333 - Exception during pool initialization. java.sql.SQLException: ORA-01017: invalid username/password; logon denied       TYPE 2: INVALID SERVICE     2021-03-01 04:18:26,910 [user:*myemail@temp.com] [pipeline:my-pipeline-name (SCH Test Run)/testRun__1234__temp.com__myemail@temp.com] [runner:] [thread:ProductionPipelineRunnable-testRun__1234__temp.com__myemail@temp.com-my-pipeline-name (SCH Test Run)] [stage:] ERROR ProductionPipelineRunnable - An exception occurred while running the pipeline, com.streamsets.datacollector.runner.PipelineRuntimeException: CONTAINER_0800 - Can't start pipeline due 1 validation error(s). First one: JDBC_06 - Failed to initialize connection pool: com.zaxxer.hikari.pool.HikariPool$PoolInitializationException: Failed to initialize pool: Listener refused the connection with the following error: ORA-12514, TNS:listener does not currently know of service requested in connect descriptor       TYPE 3: INVALID PORT     2021-03-01 04:43:12,985 [user:*myemail@temp.com] [pipeline:my-pipeline-name (SCH Test Run)/testRun__1234__temp.com__myemail@temp.com] [runner:] [thread:ProductionPipelineRunnable-testRun__1234__temp.com__myemail@temp.com-my-pipeline-name (SCH Test Run)] [stage:] ERROR ProductionPipelineRunnable - An exception occurred while running the pipeline, com.streamsets.datacollector.runner.PipelineRuntimeException: CONTAINER_0800 - Can't start pipeline due 1 validation error(s). First one: JDBC_06 - Failed to initialize connection pool: com.zaxxer.hikari.pool.HikariPool$PoolInitializationException: Failed to initialize pool: IO Error: The Network Adapter could not establish the connection com.streamsets.datacollector.runner.PipelineRuntimeException: CONTAINER_0800 - Can't start pipeline due 1 validation error(s). First one: JDBC_06 - Failed to initialize connection pool: com.zaxxer.hikari.pool.HikariPool$PoolInitializationException: Failed to initialize pool: IO Error: The Network Adapter could not establish the connection       TYPE 4: INVALID HOST     2021-03-01 05:02:13,113 [user:*myemail@temp.com] [pipeline:my-pipeline-name (SCH Test Run)/testRun__1234__temp.com__myemail@temp.com] [runner:] [thread:ProductionPipelineRunnable-testRun__1234__temp.com__myemail@temp.com-my-pipelin-name (SCH Test Run)] [stage:] ERROR ProductionPipelineRunnable - An exception occurred while running the pipeline, com.streamsets.datacollector.runner.PipelineRuntimeException: CONTAINER_0800 - Can't start pipeline due 1 validation error(s). First one: JDBC_06 - Failed to initialize connection pool: com.zaxxer.hikari.pool.HikariPool$PoolInitializationException: Failed to initialize pool: IO Error: Unknown host specified com.streamsets.datacollector.runner.PipelineRuntimeException: CONTAINER_0800 - Can't start pipeline due 1 validation error(s). First one: JDBC_06 - Failed to initialize connection pool: com.zaxxer.hikari.pool.HikariPool$PoolInitializationException: Failed to initialize pool: IO Error: Unknown host specified   Below are the fields to capture: pipeline - Which is : my-pipeline-name Exception - Which are : 1. invalid username/password; logon denied, 2. TNS:listener does not currently know of service requested in connect descriptor 3. The Network Adapter could not establish the connection 4. Unknown host specified   Please help in achieving this. ... View more
Labels

Re: Retrieve result from list

by in Splunk Search
‎02-09-2021 01:09 AM
‎02-09-2021 01:09 AM
Thank you @isoutamo  ... View more

Re: Retrieve result from list

by in Splunk Search
‎02-09-2021 01:08 AM
‎02-09-2021 01:08 AM
Thank you @scelikok  ... View more

Retrieve result from list

by in Splunk Search
‎02-08-2021 11:56 PM
‎02-08-2021 11:56 PM
I have a field in log like: "policies":["Test1"] for which I am not able to search through the keyword when I have the query: index=myindex host=myhost policies=Test1   Since policies is a list and I cant be able to directly search it. Is there any specific way I can search for inputs available in a list? ... View more
Labels

Re: Pull a field through regex

by in Getting Data In
‎01-15-2021 03:12 AM
‎01-15-2021 03:12 AM
Thank you very much @gcusello ! That worked ! 🙂 ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎03-22-2023 02:49 PM
Karma from
View All
Karma given to