- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Can you help me with the following query?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you help me with the following query?
Hello,
I am trying to calculate the RTT time of a host where the IP is in a different source, and the rtt time is in different source. The common field is a field extraction I have done, which is called ID
Source1 -Has hexa ip
index=abc sourcetype=xyz source=*back* *0x*
| rex "(?i)0x(?<d1>[0-9A-F]{2})(?<d2>[0-9A-F]{2})(?<d3>[0-9A-F]{2})(?<d4>[0-9A-F]{2})"
| eval ip=tostring(tonumber(d1,16))+"."+tostring(tonumber(d2,16))+"."+tostring(tonumber(d3,16))+"."+tostring(tonumber(d4,16))
| rex field=_raw "\.\"\d.\d.\d{2}.\d.\d.\d.\d.\d{1,2}.\d{10}.(?<ID>[^.]+)"
Source2- has RTT time which is an extracted field
index=msad sourcetype=snmp source=*MAX*
| rex field=_raw "\.\"\d.\d.\d{2}.\d.\d.\d.\d.\d{1,2}.\d{10}.(?<ID>[^.]+)"
Sample event source1
SNMPv2-SMI::enterprises."9.9.42.1.3.2.1.8.2135576845.1109857196.1.1" = "0x0a160205"
Sample event source2
SNMPv2-SMI::enterprises."9.9.42.1.3.1.1.11.2020016708.1109857176.1.1.1" = "177"
The common field is the ID in the above event. The value is 1109857196. I want to get the RTT time ,IP and ID field in a table by combining these two sources, whose index and sourcetype are the same.
Thanks,
Vineeth
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=abc sourcetype=snmp ((source=*back* *0x* ) OR source=*MAX*)
| rex field=_raw "\.\"\d.\d.\d{2}.\d.\d.\d.\d.\d{1,2}.\d{10}.(?<ID>[^.]+)"
| rex "(?i)0x(?<d1>[0-9A-F]{2})(?<d2>[0-9A-F]{2})(?<d3>[0-9A-F]{2})(?<d4>[0-9A-F]{2})"
| eval ip=tostring(tonumber(d1,16))+"."+tostring(tonumber(d2,16))+"."+tostring(tonumber(d3,16))+"."+tostring(tonumber(d4,16))
| stats values(ip) as ip values(RTT) as RTT by ID
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
(index=abc sourcetype=xyz source=*back* *0x*) OR (index=msad sourcetype=snmp source=*MAX*)
| rex field=_raw "\.\"\d.\d.\d{2}.\d.\d.\d.\d.\d{1,2}.\d{10}.(?<ID>[^.]+)"
| rex "(?i)0x(?<d1>[0-9A-F]{2})(?<d2>[0-9A-F]{2})(?<d3>[0-9A-F]{2})(?<d4>[0-9A-F]{2})"
| eval ip=tostring(tonumber(d1,16))+"."+tostring(tonumber(d2,16))+"."+tostring(tonumber(d3,16))+"."+tostring(tonumber(d4,16))
| rex field=_raw "\"(?<RTT>[^\"]+)\"$"
| stats values(ip) as ip values(RTT) as RTT by ID
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @somesoni2
I tried your query but the RTT field is showing blank .Just a small change both the sourcetypes are same but sources are different
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In your sample event 2, I'm taking "177" as RTT (which I'm assuming comes at end of the raw data). If that is not correct the you'd have to update the regex (2nd last line) for RTT.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
