Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to generate timely fake event and compare with...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
egonstep
Path Finder
10-03-2019
08:34 AM
Hello all, how do I create a timely dummy event (without using "|lookup" external file) to compare with the real generated events to show as a chart.
These logs are generated every 3 hours
_raw event example:
2017-09-04 02:07:00,630 LOG - Code for SERVICE is :1
2017-09-04 05:10:08,450 LOG - Code for SERVICE is :0
2017-09-04 11:05:44,230 LOG - Code for SERVICE is :0
And sometimes the event is not created, as the example shows the event for 08 am didn't occur, but I need to map it as well.
Current search:
base search
| rex "extracted event_time from _raw"
| eval Status = case(like(_raw, "%SERVICE is :0%"), "Success", like(_raw, "%SERVICE is :%"), "Failed")
| eval _time=strftime(strptime(event_time, "%Y-%m-%d %H:%M:%S"), "%Y/%m/%d %H:%M")
| chart count(Status) over _time by Status
Desired Result:
_time Success Failed No Event
2017/09/04 02:07 0 1 0
2017/09/04 05:10 0 1 0
2017/09/04 08:00 0 0 1
2017/09/04 11:05 0 1 0
I did use "| timechart" but the method doesn't show the exact event time.
Thanks!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
egonstep
Path Finder
10-04-2019
07:46 AM
Hello All,
So I did some code that returns the desired result.
base search
| rex "retrieve message from _raw "
| eval Time=strftime(_time,"%Y/%m/%d %H:%M:%S")
| convert timeformat="%Y/%m/%d - %H" ctime(_time) as defaultDate
| table defaultDate Time message
| append
[| gentimes start=08/01/17:14:00:00 increment=3h
| convert timeformat="%Y/%m/%d - %H" ctime(starttime) as defaultDate
| eval message="No Event"
| table defaultDate message
| search "base search"
| tail 1
| convert timeformat="%Y/%m/%d" ctime(_time) AS c_time
| fields c_time
| rename c_time as query] <= defaultDate]
| dedup defaultDate
| eval Time=if(isnull(Time), 'defaultDate', Time)
| eval Status = if(like(message, "%SERVICE is :0%"), "Success", if(like(message,"%SERVICE is :%"), "Failed", "No Event"))
| fields - defaultDate
| table Time Status
| chart count(Status) over Time by Status
The subsearch remove fake events where "earliest time from the _raw events <= defaultDate"
Feel free to improve the query.
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
egonstep
Path Finder
10-04-2019
07:46 AM
Hello All,
So I did some code that returns the desired result.
base search
| rex "retrieve message from _raw "
| eval Time=strftime(_time,"%Y/%m/%d %H:%M:%S")
| convert timeformat="%Y/%m/%d - %H" ctime(_time) as defaultDate
| table defaultDate Time message
| append
[| gentimes start=08/01/17:14:00:00 increment=3h
| convert timeformat="%Y/%m/%d - %H" ctime(starttime) as defaultDate
| eval message="No Event"
| table defaultDate message
| search "base search"
| tail 1
| convert timeformat="%Y/%m/%d" ctime(_time) AS c_time
| fields c_time
| rename c_time as query] <= defaultDate]
| dedup defaultDate
| eval Time=if(isnull(Time), 'defaultDate', Time)
| eval Status = if(like(message, "%SERVICE is :0%"), "Success", if(like(message,"%SERVICE is :%"), "Failed", "No Event"))
| fields - defaultDate
| table Time Status
| chart count(Status) over Time by Status
The subsearch remove fake events where "earliest time from the _raw events <= defaultDate"
Feel free to improve the query.
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
10-03-2019
07:37 PM
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
egonstep
Path Finder
10-04-2019
07:15 AM
Thanks, yeah I did use the "| makecontinuous" command, but it doesn't show the exact time for the chart
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
10-03-2019
12:45 PM
Try this
base search
| rex "extracted event_time from _raw"
| eval Status = case(like(_raw, "%SERVICE is :0%"), "Success", like(_raw, "%SERVICE is :%"), "Failed")
| eval _time=strftime(strptime(event_time, "%Y-%m-%d %H:%M:%S"), "%Y/%m/%d %H:%M")
| timechart count(Status) by Status | addtotals
| eval "No Event"=if(Total>0, 0, 1) | fields - Total
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
egonstep
Path Finder
10-04-2019
07:14 AM
Thanks for your response, I did try to use your code but"| timechart" doesn't get the event_time date, return the counts for all as 0
Get Updates on the Splunk Community!
Introducing the Splunk Community Dashboard Challenge!
Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Wednesday, May 29, 2024 | 11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...
