Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About Sureshp191
Sureshp191
Explorer
Member since:
06-13-2023
03-25-2024
Community Statistics
| Posts | 20 |
| Solutions | 0 |
| Karma Given | 1 |
| Karma Received | 0 |
| Member Since | 06-13-2023 |
Activity Feed
- Posted Re: Is it possible to add "%" next to the value? on Dashboards & Visualizations. 03-25-2024 03:00 PM
- Posted Re: Is it possible to add "%" next to the value? on Dashboards & Visualizations. 03-25-2024 12:12 PM
- Posted Re: Is it possible to add "%" next to the value? on Dashboards & Visualizations. 03-21-2024 05:48 PM
- Posted Re: Is it possible to add "%" next to the value? on Dashboards & Visualizations. 03-21-2024 01:29 PM
- Posted Re: Is it possible to add "%" next to the value? on Dashboards & Visualizations. 03-21-2024 01:06 PM
- Posted Is it possible to add "%" next to the value? on Dashboards & Visualizations. 03-21-2024 11:49 AM
- Posted Adding tooltip, upon mouseover on a text to display, tooltip should show the full text. on Dashboards & Visualizations. 03-20-2024 12:46 PM
- Posted Re: How to remove comms and parenthesis on Splunk Search. 06-16-2023 10:53 AM
- Posted Re: How to remove comms and parenthesis on Splunk Search. 06-16-2023 07:41 AM
- Posted Re: How to remove comms and parenthesis on Splunk Search. 06-16-2023 07:34 AM
- Karma Re: How to remove comms and parenthesis for yeahnah. 06-16-2023 07:34 AM
- Posted Re: How to remove comms and parenthesis on Splunk Search. 06-14-2023 09:34 PM
- Posted How to remove comms and parenthesis? on Splunk Search. 06-14-2023 08:47 PM
- Tagged How to remove comms and parenthesis? on Splunk Search. 06-14-2023 08:47 PM
- Posted Re: Receiving an error in 'rex' command on Splunk Search. 06-14-2023 08:05 PM
- Tagged Re: Receiving an error in 'rex' command on Splunk Search. 06-14-2023 08:05 PM
- Posted Re: Receiving an error in 'rex' command on Splunk Search. 06-14-2023 02:33 PM
- Posted Why am I am receiving an error in 'rex' command? on Splunk Search. 06-14-2023 12:29 PM
- Posted Re: How get a total count based on the substring value on Splunk Search. 06-13-2023 09:22 PM
- Posted Re: How get a stats count and split a string to get a total count on Splunk Search. 06-13-2023 06:31 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
03-25-2024
03:00 PM
Still the same, result whether its eval or fieldformat format, result is same.
index=MyPCF
| fields server instance cpu_percentage
| eval cpu_percentage=round(cpu_percentage,2)
| eval server_instance = 'server' + "_" + 'instance'
| timechart mAX(cpu_percentage) as CPU_Percentage by server_instance usenull=true limit=0
| foreach * [| eval "<<FILED>>"=round('<<FIELD>>',2)."%"]
Then changed to the following and tried, same result
| foreach * [| eval "<<FILED>>"= "<<FIELD>>" ."%"]
| foreach * [| eval "<<FILED>>"= '<<FIELD>>' ."%"]
| foreach * [| eval "<<FILED>>"= <<FIELD>> ."%"]
_time
server_1
server_2
server_3
server_4
2024-03-25T16:00:00.000-0400
5.18
3
4.62
3.18
2024-03-25T16:05:00.000-0400
5.46
3.13
3.99
2.94
2024-03-25T16:10:00.000-0400
5.55
54.16
3.93
51.89
2024-03-25T16:15:00.000-0400
4.76
4.59
4.4
2.84
2024-03-25T16:20:00.000-0400
5.54
3.84
4.55
2.95
2024-03-25T16:25:00.000-0400
4.11
3.76
3.52
3.31
2024-03-25T16:30:00.000-0400
4.36
3.92
3.58
2.91
2024-03-25T16:35:00.000-0400
3.88
3.68
3.7
4.08
2024-03-25T16:40:00.000-0400
3.89
3.32
4.33
3.32
2024-03-25T16:45:00.000-0400
4.33
27.56
3.94
39.48
... View more
03-25-2024
12:12 PM
I tried both
index=MyPCF
| fields server instance cpu_percentage
| eval cpu_percentage=round(cpu_percentage,2)
| eval server_instance = 'server' + "_" + 'instance'
| timechart mAX(cpu_percentage) as CPU_Percentage by server_instance usenull=true limit=0
| foreach * [| fieldformat "<<FILED>>"=cpu_percentage . "%"]
And
index=MyPCF
| fields server instance cpu_percentage
| eval cpu_percentage=round(cpu_percentage,2)
| eval server_instance = 'server' + "_" + 'instance'
| timechart mAX(cpu_percentage) as CPU_Percentage by server_instance usenull=true limit=0
| foreach * [| eval "<<FILED>>"=cpu_percentage ."%"]
below is the output I get:
_time
Server_1
Server_2
Server_3
2024-03-25T14:00:00.000-0400
5.14
1.98
3.83
2024-03-25T14:01:00.000-0400
2.93
1.64
3.65
2024-03-25T14:02:00.000-0400
3.33
2.28
3.31
2024-03-25T14:03:00.000-0400
3.54
2.11
3.67
2024-03-25T14:04:00.000-0400
4.02
1.94
3.81
2024-03-25T14:05:00.000-0400
4.3
3.58
3.78
2024-03-25T14:06:00.000-0400
3.13
2.72
3.46
2024-03-25T14:07:00.000-0400
2.58
2.07
3.62
2024-03-25T14:08:00.000-0400
2.33
1.77
3.67
2024-03-25T14:09:00.000-0400
2.66
1.75
4.01
2024-03-25T14:10:00.000-0400
3.2
1.94
4.58
2024-03-25T14:11:00.000-0400
2.76
1.59
4.57
... View more
03-21-2024
05:48 PM
Thanks I tried both eval as well as fieldformat , still not getting the % appended.
... View more
03-21-2024
01:29 PM
Hi, Thanks for the reply, I am still learning splunk pardon for my ignorance. I tried as you mentioned
index=MyPCF
| fields server_instance cpu_percentage
| timechart mAX(cpu_percentage) as CPU_Percentage by server_instance usenull=true limit=0
| foreach * [| fieldformat cpu_percentage=round('cpu_percentage',2)."%"]
Still same result
Time
Server1
Server2
2024-03-21T15:00:00.000-0400
1.869638272
2.384320706
2024-03-21T15:01:00.000-0400
1.879958176
2.083629971
2024-03-21T15:02:00.000-0400
8.669585777
8.115720288
2024-03-21T15:03:00.000-0400
1.907194392
2.248362057
2024-03-21T15:04:00.000-0400
1.735136924
2.030363275
2024-03-21T15:05:00.000-0400
1.753416379
1.682836294
2024-03-21T15:06:00.000-0400
1.792363893
1.862924138
2024-03-21T15:07:00.000-0400
5.003060737
2.801886629
... View more
03-21-2024
01:06 PM
I tried this but getting the same result, % not getting uppended to cpu_percent value
index=MyPCF
| fields server_instance cpu_percentage
| foreach * [| eval cpu_percent=round('cpu_percentage',2)."%"]
| timechart mAX(cpu_percent) as CPU_Percentage by server_instance usenull=true limit=0
... View more
03-21-2024
11:49 AM
Please help on the following: 1) Instead of values 2.8685303234545950 I want to restrict to 2 decimal places like 2.87
2) I want to append "%" at the end of 2.87, like 2.87%
index=MyPCF
| fields server_instance cpu_percentage
| timechart mAX(cpu_percentage) as CPU_Percentage by server_instance usenull=true limit=0
Below is the current output I get:
_time
server1
sevrer3
server4
server5
2024-03-21 13:45:00
3.1049753795247880
2.6818978525900086
3.0970366478143334
2.6279363289367494
2024-03-21 13:46:00
2.9336478352933097
2.4579778020150926
2.9602531790679110
2.9074405642281490
2024-03-21 13:47:00
2.9608714340953393
2.5579155086951600
2.7920194409649772
3.2610313588043978
2024-03-21 13:48:00
3.5946875229937634
2.5006464331193965
3.1106486461269176
3.7073668015974173
2024-03-21 13:49:00
2.8303159134216944
3.5756938476048900
3.4757319466032990
2.9783098006952250
2024-03-21 13:50:00
3.0067950036354420
2.2524125280871740
3.0493445107055930
2.2877333705021860
2024-03-21 13:51:00
2.7526861431818790
2.5427731042748785
3.0946836167596232
2.7477304760698664
2024-03-21 13:52:00
3.4172636751835066
2.730991461075761
2.7698859629286040
2.6296901815909903
2024-03-21 13:53:00
2.5957496530754254
2.1086391909665694
2.6025759149116060
2.4142703772570730
2024-03-21 13:54:00
2.7321368209680920
2.5317849096196980
2.8368213301356677
3.0664957483386470
... View more
Labels
- Labels:
-
timechart
03-20-2024
12:46 PM
I have 4 panels in a single row due to this the texts in the y axis are compressed and shows as ser...e_0 instead of server_xyz_0. So when I mouse-over on ser...e_0, I want the tooltip to show the full name server_xyz_0. Please help. Thanks
... View more
Labels
- Labels:
-
panel
06-16-2023
10:53 AM
This is partial from raw "Results":{"Message":"InsertIntoDatabase Ended, PortfolioSymbol: 2MB5, Records: 455, Elapsed: 0.0869895","Elapsed":0,"TraceLevel":"Information"},
... View more
06-16-2023
07:41 AM
@yeahnah Thanks for the solution, even though I see 290 plus events but zero statics. Only when I give as below, I get 250 plus statics but with comma | rex "PortfolioSymbol: (?<PortfolioSymbol>[^\"]*) Records: (?<Records>[^\"]*) Elapsed: (?<Elapsed>[^\"]*)"
... View more
06-16-2023
07:34 AM
@yuanliu Thanks for the reply, as per your suggestion I replaced rex with kv, even though I got 250 plus events but zero statics index="myIndex" appname="myapp" msg.result.message ="*PortfolioSymbol:*"
| kv pairdelim="," kvdelim=":"
| stats values(Elapsed) AS Elapsed BY _time PortfolioSymbol, Records
| addcoltotals count
| rename count AS "Refresh Counts"
... View more
06-14-2023
09:34 PM
Sorry posted a wrong splunk query, here is the correct one index="myIndex" appname="myapp" msg.result.message ="*PortfolioSymbol:*" | rex "PortfolioSymbol: (?<PortfolioSymbol>[^\"]*) Records: (?<Records>[^\"]*) Elapsed: (?<Elapsed>[^\"]*)" | stats count BY PortfolioSymbol, Records, Elapsed | addcoltotals count | rename count AS "Refresh Counts" When I run the above query, I get the below results: InsertIntoDatabase Ended, PortfolioSymbol: 2MB5, Records: 317, Elapsed: 0.0500421 InsertIntoDatabase Ended, PortfolioSymbol: 2MB6, Records: 330, Elapsed: 0.0505221 InsertIntoDatabase Ended, PortfolioSymbol: 2MB7, Records: 417, Elapsed: 0.0508121 Below is the Statics tab output: PortfolioSymbol Records Elapsed 2MB5, 317, 0.0500421 2MB6, 330, 0.0505221 2MB7, 417, 0.0508121 How to remove the comms, Thanks
... View more
06-14-2023
08:47 PM
index="myIndex" app_name="myappName" My.Message = "*failed to retrieve the workOrder*" | rex "Order (?<Order>[^\s]+)" | stats count BY Order | addcoltotals count | rename Order AS "Order#", count AS "# of times failed"
on the Events tab, My.Message returns
Order 1AB5 failed to retrieve the workOrder. Error DataBase mapping incorrect. Order 1MB1 failed to retrieve the workOrder. Error DataBase mapping incorrect. Order 2MB5 failed to retrieve the workOrder. Error DataBase mapping incorrect.
Order 2MB6 failed to retrieve the workOrder. Error DataBase mapping incorrect.
Order 1MB1 failed to retrieve the workOrder. Error DataBase mapping incorrect.
Order 1MB7 failed to retrieve the workOrder. Error DataBase mapping incorrect.
Order 1MB9 failed to retrieve the workOrder. Error DataBase mapping incorrect.
On the Statics Tab I see the below values
Order# (1AB5, (1MB1, (2MB6, 1MB7
1MB9
How to remove ( and ,
Thanks
... View more
- Tags:
- rex
Labels
- Labels:
-
rex
06-14-2023
08:05 PM
@richgalloway Thanks for the help, I tried index="myIndex" appname="myapp" msg.result.message ="*TradingSymbol(s):*" | rex field=_raw "TradingSymbol\(s\): (?<TradingSymbols>[^,]+), ElapsedTime: (?<ElapsedTime>[^ ]+)" | table TradingSymbols, Elapsed Even though I see around 20 plus events but on the Statics tab its zero: output of msg.result.message on the events tab is: RefreshAsyncjronized End, TradingSymbol(s): 2AC5, 3DE2, 5CE3, 4FA4, 1BM5, TEST-2AB6, TEST-2BA9, ElapsedTime: 12.3762658 On the Statics tab I wanted to show as below TradingSymbols ElapsedTime 2AC5, 3DE2, 5CE3, 4FA4, 1BM5, TEST-2AB6, TEST-2BA9, 12.3762658
... View more
- Tags:
- rex
06-14-2023
02:33 PM
Thanks for the reply, I tried the below one, I am not getting an error but Statistics output is 0 index="myIndex" appname="myapp" msg.result.message ="*TradingSymbol(s):*" | rex field =msg.result.message "TradingSymbol(s): (?<TradingSymbol>[^\"]*) ElapsedTime: (?<ElapsedTime>[^\"]*)" | stats count BY TradingSymbol ElapsedTime If I give only the "ElapsedTime: (?<ElapsedTime>[^\"]*)" I am able to see the required output in the Statistics tab but having the two as above, Statistics output is 0 I am new to regex, please help to resolve this: msg.result.message is RefreshAsyncjronized End, TradingSymbol(s): 2AC5, 3DE2, 5CE3, 4FA4, 1BM5, TEST-2AB6, TEST-2BA9, ElapsedTime: 12.3762658 on the Statistics page, I want to display. TradingSymbol ElapsedTime
... View more
06-14-2023
12:29 PM
I am trying to use a similar splunk query: index="myIndex" appname="myapp" msg.result.message ="*TradingSymbol(s):*"
| rex "(?<=TradingSymbol\(s\): )[\w-]+(?:, [\w-]+)*," | stats count BY TradingSymbol(s), Elapsed I wanted to get them in a table as Date, PortfolioSymbol(s), ElapsedTime When I try to run it, I get the error Error in 'rex' command: The regex '(?<=TradingSymbol\(s\): )[\w-]+(?:, [\w-]+)*,' does not extract anything. It should specify at least one named group. Format: (?<name>...). When I try the same in regexr.com, for the below output, (?<=TradingSymbol\(s\): )[\w-]+(?:, [\w-]+)*, able to highlight 2AC5, 3DE2, 5CE3, 4FA4, 1BM5, TEST-2AB6, TEST-2BA9,
RefreshAsyncjronized End, TradingSymbol(s): 2AC5, 3DE2, 5CE3, 4FA4, 1BM5, TEST-2AB6, TEST-2BA9, ElapsedTime: 12.3762658
Please help, Thanks
... View more
Labels
- Labels:
-
rex
06-13-2023
09:22 PM
Thanks, I got the output but symbolName AAPL is duplicated .
... View more
06-13-2023
06:31 PM
@yeahnah thanks when I ran the below one it worked, Thank you. The one I am working is slight different. The order# is Alphanumeric like 1AB5 I am querying index="myIndex" app_name="myappName" My.Message = "*failed to retrieve the workOrder*" the My.Message returns many strings dynamically and I am only looking for the string that contains "Order <Alphanumeric> failed to retrieve the workOrder. Error DataBase mapping incorrect." in this scenario, what should be the regex, please help. Order 1AB5 failed to retrieve the workOrder. Error DataBase mapping incorrect. Order 1MB1 failed to retrieve the workOrder. Error DataBase mapping incorrect. Order 2MB5 failed to retrieve the workOrder. Error DataBase mapping incorrect. Order 2MB5 failed to retrieve the workOrder. Error DataBase mapping incorrect. Order 1MB1 failed to retrieve the workOrder. Error DataBase mapping incorrect.
... View more
06-13-2023
05:29 PM
Hi @yeahnah Thanks for the solution but it didnt work. My.Message has various strings but the ones I am looking for are "*failed to retrieve the workOrder*", Please help me to understand what rex "(?<Order>\d+)" does on the Order 12345 failed to retrieve the workOrder. Error DataBase mapping incorrect. Order 12345 failed to retrieve the workOrder. Error DataBase mapping incorrect. I am looking for "Order#" , "# of times failed" in this case it should show Order# # of times failed 12345 2
... View more
- Tags:
- stats
06-13-2023
03:21 PM
Please help me, below is my query index="myIndex" app_name="myappName" My.Message = "*failed to retrieve the workOrder*"
This returns say 6 splunk events, with following message: Order 12345 failed to retrieve the workOrder. Error DataBase mapping incorrect.
Order 12666 failed to retrieve the workOrder. Error DataBase mapping incorrect.
Order 12345 failed to retrieve the workOrder. Error DataBase mapping incorrect.
Order 12666 failed to retrieve the workOrder. Error DataBase mapping incorrect.
Order 12771 failed to retrieve the workOrder. Error DataBase mapping incorrect.
Order 12888 failed to retrieve the workOrder. Error DataBase mapping incorrect. In the above-mentioned splunk query, 1) How I can get Total count using the stats to show visually 2) How to get the Order (eg 12345) and total count of a particular order? 3) How to get a table like below "Order#" # of times failed"
Thanks
... View more
06-13-2023
03:00 PM
Below is the splunk query, (My.Message has many various types of messages but the below one is what I wanted) index="myIndex" app_name="myappName" My.Message = "*symbolName:*" When I run the above query, I get the below results:
myappstatus got Created, symbolName: AAPL ElapsedTime: 0.0002009
myappstatus got Ended, symbolName: GOOGL ElapsedTime: 0.0005339
myappstatus got Created, symbolName: AAPL ElapsedTime: 0.0005339 Please help on the following: 1) How to get the Total count of the query (Visualization) only for My.Message = "*symbolName:*" 2) How to split the string "myappstatus got Created, symbolName: AAPL ElapsedTime: 0.0002009" 3) How to create a table for "symbolName", "Total Count", "ElapsedTime" (for example, symbolName: AAPL, Total Count = 2 and ElapsedTime = 0.0007348 (0.0002009 + 0.0005339) Thanks
... View more
