About Raj_Splunk_Ing

Raj_Splunk_Ing

as an example - there is only 1 space - it might be copy paste error that has 2 spaces - but it is only 1 space in it. Its only some times i get this extra space this is how i get the values in it Wed 4 Jun 2025 17:16:02 :161 EDT - sometimes extra space Wed 4 Jun 2025 17:16:02 :161 EDT - sometimes extra No extra space why do we have 2 \s*: and \s* - i think we just need 1 \s*: t=strptime(replace(ClintReqRcvdTime, "\s*:\s*", ":"), "%a %d %b %Y %H:%M:%S:%Q %Z")

Raj_Splunk_Ing

Thank you Rich, If i just remove the extra space that is in the strp function i should be ok eval date_only=strftime(strptime(ClintReqRcvdTime, "%a %d %b %Y %H:%M:%S :%3N %Z"), "%m/%d/%Y") let me test this - thanks alot

Raj_Splunk_Ing

sometimes in this field i get an extra space (bold) so we had to add this line and an extra space in the calculated field also - i have to take 2 scenarios and for that we added this line | rex mode=sed field=ClintReqRcvdTime "s/: /:/" Wed 4 Jun 2025 17:16:02 :161 EDT Mon 2 Jun 2025 02:52:50 :298 EDT Mon 9 Jun 2025 16:11:05 :860 EDT Tue 10 Jun 2025 14:32:26:243 EDT Wed 11 Jun 2025 13:10:32:515 EDT Wed 11 Jun 2025 17:37:10:008 EDT in the calc field when i use the format - do i have to specify the space for :161 like eval date_only=strftime(strptime(ClintReqRcvdTime, "%a %d %b %Y %H:%M:%S :%3N %Z"), "%m/%d/%Y")

Raj_Splunk_Ing

Hi, I have this search query where i aggregate using the stats and sum by few fields... When I run the query in splunk portal i see the data in the events tab but not in the stats tab. So I used the fillnull to see which fields are causing the problem. I noticed that these fields where i am using eval are causing the issue as i see 0 inside these columns after using fillnull | eval status_codes_only=if( (status_code>=200 and status_code<300) or status_code>=400,1,0) | search status_codes_only=1 | rex mode=sed field=ClintReqRcvdTime "s/: /:/" | eval date_only=strftime(strptime(ClintReqRcvdTime, "%a %d %b %Y %H:%M:%S :%3N %Z"), "%m/%d/%Y") | eval year_only=strftime(strptime(ClintReqRcvdTime, "%a %d %b %Y %H:%M:%S :%3N %Z"), "%Y") | eval month_only=strftime(strptime(ClintReqRcvdTime, "%a %d %b %Y %H:%M:%S :%3N %Z"), "%b") | eval week_only=floor(tonumber(strftime(strptime(ClintReqRcvdTime, "%a %d %b %Y %H:%M:%S :%3N %Z"), "%d"))/7+1) | eval TwoXXonly=if(status_code>=200 and status_code <300,1,0) | eval FourXXonly=if(status_code>=400 and status_code <500,1,0) | eval FiveXXonly=if(status_code>=500 and status_code <600,1,0) | fillnull date_only,year_only,month_only,week_only,organization,clientId,proxyBasePath,api_name,environment,Total_2xx,Total_4xx,Total_5xx | stats sum(TwoXXonly) as Total_2xx,sum(FourXXonly) as Total_4xx,sum(FiveXXonly) as Total_5xx by date_only,year_only,month_only,week_only,organization,clientId,proxyBasePath,api_name,environment | table date_only,year_only,month_only,week_only,organization,clientId,proxyBasePath,api_name,environment,Total_2xx,Total_4xx,Total_5xx when i look at the field that i used to get the date_only, year_only, week_only column - i see data something like this in the events Wed 11 Jun 2025 22:57:34:396 EDT Wed 11 Jun 2025 22:56:43:254 EDT Wed 11 Jun 2025 22:56:34:466 EDT Wed 11 Jun 2025 22:56:28:404 EDT

Raj_Splunk_Ing

Hi tried to follow by adding this to the url at the end %20tz=America%2FNew_York&output_mode=csv" and in the headers headers = { 'Authorization': 'Basic AuthKey','Content-Type':'text/csv','tz':'(GMT-04:00) Eastern Time (US & Canada)' } this is not returning anything

Raj_Splunk_Ing

Rich, this is working too; it will cover both scenarios right? when there is no extra space in it?

Raj_Splunk_Ing

hi Rich, is reg much better than replace.. in my case looks like replace is working

Raj_Splunk_Ing

Hi, Sai, sometimes i dont get the extra space so i have to cover 2 scenarios will this only work when there is an extra space or it should take care of it when there is no extra space also as we are specifying the extra space in the format and removing

Raj_Splunk_Ing

tried trim(field) but it not help

Raj_Splunk_Ing

Hi, I have this field in this format and i am using eval to convert but sometimes there is an extra space in it after : Mon 2 Jun 2025 20:51:24 : 792 EDT - with extra space after hhmmss (space before 792) Mon 2 Jun 2025 20:51:24 :792 EDT - this is another scenario where there will be no space i have to get 2 scenarios in this eval - any help | eval date_only=strftime(strptime(ClintReqRcvdTime, "%a %d %b %Y %H:%M:%S :%3N %Z"), "%m/%d/%Y")

Raj_Splunk_Ing

I noticed that i dont have splunk python SDK because in my python script i dont have import splunklib or import splunk.. i am using python script within the alteryx tool

Raj_Splunk_Ing

Hi, Thanks for your input where do i add this... in my search query this is how my URL looks like https://server/services/search/jobs/export?search=search%20index%3Dcfs_apiconnect_102212%20%20%20%0Asourcetype%3D%22cfs_apigee_102212_st%22%20%20%0Aearliest%3D-1d%40d%20latest%3D%40d%20%0Aorganization%20IN%20(%22ccb-na%22%2C%22ccb-na-ext%22)%20%0AclientId%3D%22AMZ%22%20%0Astatus_code%3D200%0Aenvironment%3D%22XYZ-uat03%22%0A%7C%20table%20%20_time%2CclientId%2Corganization%2Cenvironment%2CproxyBasePath%2Capi_name&&output_mode=csv

Raj_Splunk_Ing

Hi, any guidance on this..

Raj_Splunk_Ing

Hi Rick, same user. i did use the earliest and latest in the search query itself as filters. API is using the services/export

Raj_Splunk_Ing · ‎05-31-2025

when i look at the _time which is pulled through API values look like below _time 2025-05-30 10:28:06.234 UTC 2025-05-30 04:48:45.178 UTC 2025-05-30 16:33:09.755 UTC 2025-05-30 14:20:23.054 UTC

Raj_Splunk_Ing · ‎05-31-2025

when i look at the last row/record and look for _time the value it has is 2025-05-30 23:30:28.314 there is no record after this

Raj_Splunk_Ing · ‎05-31-2025

Hi, I have this very simple splunk search query and i was able to run in splunk search portal or UI and I am using the same search query API (using the same query but in the form of encoded URL) - what is the issue? I am getting total number of events as 164 in splunk portal but when i run the same query which is transted into encoded URL through python script i am getting 157 records/rows only... since this search is only for yesterday iam using earliest=-1d@d latest=-0d@d index=App001_logs sourcetype="App001_logs_st" earliest=-1d@d latest=-0d@d organization IN ("InternalApps","ExternalApps") AppclientId="ABC123" status_code=200 environment="UAT" | table _time, AppclientId,organization,environment,proxyBasePath,api_name the same exact query which is translated in encoded URL like https:// whole search query and when i run the python script in my desktop (my time zone is CST) i get only 157 records/rows I think there is something going on UTC and CST - this is what i see in splunk portal 164 events (5/30/25 12:00:00.000 AM to 5/31/25 12:00:00.000 AM) any guidance please?

Raj_Splunk_Ing · ‎05-28-2025

Hi Rich, since i am breaking them into separate columns - i used this using if condition | eval TwoXXonly=if(status_code>=200 and status_code <300,1,0) | eval FourXXonly=if(status_code>=400 and status_code <500,1,0) | eval FiveXXonly=if(status_code>=500 and status_code <600,1,0) | stats sum(TwoXXonly) as Total_2xx, sum(FourXXonly) as Total_4xx,sum(FiveXXonly) as Total_5xx by date_only, org,cId,pPath, apie,apiPct,envnt | table list of fieds say for ex; in my data today i dont have 300 events but if they show up tomorrow - do i need to explicitly filter them out as i dont need them at all - i have not used the status_code in by clause just confused - should i use the filter to explicitly exclude 300 ?

Raj_Splunk_Ing · ‎05-28-2025

Thank you Rick, exactly what i was looking for.. can i give you another scenario - just guide please i have a field in the same index i dont have to show it in the table but i have to use a case statement to sum or count the number of transactions status_code this will have values like 200, 201, 300, 302, 400,401, 500,502 i only need the count of events for all 200 all 400 all 500 only (dont need the one for 300) trying to get this into case statement

Raj_Splunk_Ing · ‎05-28-2025

Hi , I have this scenario where i am getting data from one of the index with 2 other specified filters like index=index_logs_App989 customer="*ABC*" org in ("Provider1","Provider2") i have one filed with the date values as below Tue 27 May 2025 15:26:23:702 EDT - from this i have to take out the time part and convert it into date like 05/27/2025 - so that i can use this to aggregate at the date or day only ... any guidance please

Raj_Splunk_Ing · ‎10-31-2024

Hi , Say the numbers are for every 15 minute timeframe - i want to see for the same on the next 15 minutes run and see if they are consecutive meaning the error repeated again sorry if i did not explain properly.. please let me know i can prepare a sample dataset

Raj_Splunk_Ing · ‎10-31-2024

Hi PickleRick, Thanks for looking into this.. Say i have this dataset with errors for a particular client, api ... i need to look for the error that is consecutive meaning it is repeating - say we are looking at the last 15 minutes Client/customer api_name _time error count Abc Validation_V2 2024 oct 29 10.30 10 Xyz Testing_V2 2024 oct 29 10.30 15 TestCust Testing_V3 2024 oct 29 10.30 20

Raj_Splunk_Ing · ‎10-30-2024

any suggestions please... i need to capture 2 datasets and see if there is anything that is repeating

Raj_Splunk_Ing · ‎10-29-2024

Hi All, Thanks for your time, I have a query for getting the number of errors for each client/customer, api_name,time etc index=index_api | stats count by customer,api_name, _time If i have the dataset like below - how do i take the snapshot of it and compare in the next 30 minute dataset Client/customer api_name _time count Abc Validation_V2 2024 oct 29 10.30 10 Xyz Testing_V2 2024 oct 29 10.30 15 TestCust Testing_V3 2024 oct 29 10.30 20 assuming these are for the last 30 mins... when i get to the next run say after 30 mins i want to see if the same dataset is repeated so that i can get the consecutive error count any guidance or helpful suggestions....

Raj_Splunk_Ing · ‎10-11-2024

figured out.. my column name had one upper case letter in it.....i think i need to slowdown from the Splunk..ing excitement 🙂😀

Posts	33
Solutions	0
Karma Given	4
Karma Received	0
Member Since	‎10-09-2024

Online Status	Offline
Date Last Visited	2 weeks ago

what is wrong with these evals....

eval to handle 2 scenarios

search results different between splunk UI/portal ...

remove timepart and convert to date so that i can ...

snapshot of 2 timeframes for the same query to loo...

convert eval into search using AND...

convert to datetime datatype and derive day,week,m...

please excuse... as it is very basic... AND in sea...

Re: what is wrong with these evals....

Re: what is wrong with these evals....

Re: what is wrong with these evals....

what is wrong with these evals....

Re: search results different between splunk UI/por...

Re: eval to handle 2 scenarios

Re: eval to handle 2 scenarios

Re: eval to handle 2 scenarios

Re: eval to handle 2 scenarios

eval to handle 2 scenarios

Re: search results different between splunk UI/por...

Re: search results different between splunk UI/por...

Re: search results different between splunk UI/por...

Re: search results different between splunk UI/por...

Re: search results different between splunk UI/por...

Re: search results different between splunk UI/por...

search results different between splunk UI/portal ...

Re: remove timepart and convert to date so that i ...

Re: remove timepart and convert to date so that i ...

remove timepart and convert to date so that i can ...

Re: snapshot of 2 timeframes for the same query to...

Re: snapshot of 2 timeframes for the same query to...

Re: snapshot of 2 timeframes for the same query to...

snapshot of 2 timeframes for the same query to loo...

Re: convert eval into search using AND...

Are you a member of the Splunk Community?