- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: extracting and creating dashboards
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
extracting and creating dashboards
how to combine the following fileds and create a statical value of succesfull and failed call of the particular api by client id?
sample splunk log event:
1.INFO 2019-07-16 16:39:34,938 AFTER: IP_address=/xxxxxxxxx API_name=AAAAAAAAA server ip=RRRRRRR trace_ID=d24eea70-a809-11e9-9eb4-005056906aa7 location=en_US {http.reason=Bad Request, http.status=400, Content-Type=application/json;charset=UTF-8}
2.INFO 2019-07-16 16:39:34,809 client_ID: KKKKKK API_name: AAAAAAAA
just i want to create a dashboard that will show the number of successfull and failed using the client_ID?
thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @mammefen,
Try something like this :
Index=yourIndex | stats last(status) as status last(clientID) as clientID by API_name
Let me know if that works out for you.
Cheers,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi david,
thank you for your help
it worked in some extent but there are some null values of the client id for the corresponding status. I am thinking to join the events first and then do the stats. so, can you help on joining the two events?
Thanks,
mammefen
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Most welcome ! The search above does a join since it runs stats on a common field for both events.
Its faster than running a join command but if you would rather use that then it should look as follows :
Index=yourIndex event=firstEvent | join clientID [Index=yourIndex event=firstEvent]
You can find more info about the join command here :
https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Join
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi david,
i appreciate your help. the following is the sample table i got by using your method.
status---client_id
1. 200----kkkk----API_name
2. 400----empty
3. empty------kkk
4. 403--------kkk
5. emptyk---empty
i am getting this kind of table by using your query . i do not want to get the empty related with the value . how can i exclude from the table? btw all the api names are listed correctly.
than you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@mammefen what is the correlation between events 1 and 2? How does client_ID in 2nd event correlate to event 1?
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the API name is the same for event1 AND 2 .
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
But API name will be same for multiple clients as well.
| makeresults | eval message= "Happy Splunking!!!"
Detecting Remote Code Executions With the Splunk Threat Research Team
Enter the Splunk Community Dashboard Challenge for Your Chance to Win!
.conf24 | Session Scheduler is Live!!
