Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About ManfredGrill
ManfredGrill
Explorer
Member since:
11-10-2015
01-19-2022
Community Statistics
| Posts | 11 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 5 |
| Member Since | 11-10-2015 |
Activity Feed
- Posted Re: Combining 3 data sources with rolling ID on Splunk Search. 01-18-2022 07:00 AM
- Tagged Re: Combining 3 data sources with rolling ID on Splunk Search. 01-18-2022 07:00 AM
- Posted Combining 3 data sources with rolling ID on Splunk Search. 01-18-2022 03:07 AM
- Got Karma for Stability issues with db connect 2 'The read operation timed out'. 06-05-2020 12:47 AM
- Got Karma for Stability issues with db connect 2 'The read operation timed out'. 06-05-2020 12:47 AM
- Got Karma for Stability issues with db connect 2 'The read operation timed out'. 06-05-2020 12:47 AM
- Got Karma for Stability issues with db connect 2 'The read operation timed out'. 06-05-2020 12:47 AM
- Got Karma for Stability issues with db connect 2 'The read operation timed out'. 06-05-2020 12:47 AM
- Posted Re: How to do a field lookup or another solution to overcome the join and subsearch result limitations? on Splunk Search. 06-08-2016 11:05 AM
- Posted Re: How to do a field lookup or another solution to overcome the join and subsearch result limitations? on Splunk Search. 06-08-2016 08:06 AM
- Posted Re: How to do a field lookup or another solution to overcome the join and subsearch result limitations? on Splunk Search. 06-08-2016 07:21 AM
- Posted How to do a field lookup or another solution to overcome the join and subsearch result limitations? on Splunk Search. 06-08-2016 03:22 AM
- Tagged How to do a field lookup or another solution to overcome the join and subsearch result limitations? on Splunk Search. 06-08-2016 03:22 AM
- Tagged How to do a field lookup or another solution to overcome the join and subsearch result limitations? on Splunk Search. 06-08-2016 03:22 AM
- Tagged How to do a field lookup or another solution to overcome the join and subsearch result limitations? on Splunk Search. 06-08-2016 03:22 AM
- Posted Re: Stability issues with db connect 2 'The read operation timed out' on Splunk Search. 04-22-2016 02:15 AM
- Posted Re: Stability issues with db connect 2 'The read operation timed out' on Splunk Search. 01-18-2016 03:09 AM
- Posted Stability issues with db connect 2 'The read operation timed out' on Splunk Search. 11-27-2015 07:36 AM
- Tagged Stability issues with db connect 2 'The read operation timed out' on Splunk Search. 11-27-2015 07:36 AM
- Posted Re: How to calculate daily values from sum values on Splunk Search. 11-10-2015 07:40 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 5 | |||
| 0 |
01-18-2022
07:00 AM
Thank you very much for your help. The database is not allowed to be changed, no chance to add a generation column. But coalesce helps to get further (datasource="dsa" OR datasource="dsb" OR datasource="dsc") | eval commonid=coalesce(ID-A,ID-B,ID-C) | transaction commonid maxspan=1h for most entries this returns the correct data, but a some are missing and I don't understand why. e.g. (datasource="dsa" OR datasource="dsb" OR datasource="dsc") | eval commonid=coalesce(ID-A,ID-B,ID-C) | table commonid, ID-A, ID-B, ID-C | search commonid="12345" running this query for values of the last 30 days returns 3 rows, one from each datasource. These results are fine. commonid ID-A ID-B ID-C 12345 12345 12345 12345 12345 12345 but (datasource="dsa" OR datasource="dsb" OR datasource="dsc") | eval commonid=coalesce(ID-A,ID-B,ID-C) | table commonid, ID-A, ID-B, ID-C | search commonid="12345" | transaction commonid maxspan=1h returns nothing. All timestamps are within a few seconds. Bigger values for maxspan make no difference. Any idea?
... View more
- Tags:
- nge
01-18-2022
03:07 AM
Hi, various tables from a database are read by Splunk. I need to combine fields from all 3 datasources. The ID-fields contain the same value, but is rolled over after a fixed number of entries. This happens approx. every 3 month. The _time values are close together (within seconds or minutes), but they are not the same. datasource dsa _time, ID-A, field-a1, field-a2 datasource dsb _time, ID-B, field-b1, field-b2 datasource dsc _time, ID-C, field-c1, field-c2 Any suggestions on how to achive this? regards Manfred
... View more
Labels
- Labels:
-
join
-
subsearch
-
transaction
06-08-2016
11:05 AM
Hi somesoni2,
this works great and I think I understand how it works. This helped me to understand: http://blogs.splunk.com/2014/04/01/search-command-stats-eventstats-and-streamstats-2/
There is a minor issue in your search. The CreationTime in the eventstats command needs to be lowercase. Maybe you can edit your answer for future reference.
Thank you
... View more
06-08-2016
08:06 AM
Hi, still not working.
https://onedrive.live.com/redir?resid=3B1173AAA8CCEC5A!19649&authkey=!ACDVJ7ZPyQAY4Sk&v=3&ithint=photo%2cpng
... View more
06-08-2016
07:21 AM
Thanks for the quick response. Unfortunately it's not working as required.
See the screenshots.
https://onedrive.live.com/redir?resid=3B1173AAA8CCEC5A!19647&authkey=!AM72rus3NXwuaOg&v=3&ithint=photo%2cpng
https://onedrive.live.com/redir?resid=3B1173AAA8CCEC5A!19648&authkey=!AJe-0jdq7WIcpsI&v=3&ithint=photo%2cpng
... View more
06-08-2016
03:22 AM
Hi,
I basically need to lookup the field creationTime in an object log for objects that show up in a request log. Using join/subsearch this works fine, but due to the join command returning only 10000 values, I need another solution.
table: request_log (3000000+ entries)
_time, run_id, object_id
2016-05-21 10:13:34, 1238, 342_1
2016-05-21 10:13:37, 1239, 4432
2016-05-21 10:13:43, 1240, erweww
2016-05-21 10:13:44, 1241, sdf4_1
2016-05-21 10:13:44, 1242, 342_1
2016-05-21 10:13:51, 1243, erweww
each object_id can/will exist multiple times
table: object_log (400000+ entries)
_time, object_id
2012-01-17 21:48:21, 342_1
2012-10-30 14:28:25, erweww
2014-09-23 07:41:12, sdf4_1
2015-11-02 10:08:55, 4432
Each item has a single entry
As a result I need the age of an item once it shows up in the request table.
desired result table
_time, object_id, creationTime, ageDays
21/05/2016 10:13:51.000, erweww, 2012-10-30 14:28:25, 1299
21/05/2016 10:13:44.000, 342_1, 2012-01-17 21:48:21, 1585
21/05/2016 10:13:44.000, sdf4_1, 2014-09-23 07:41:12, 606
21/05/2016 10:13:43.000, erweww, 2012-10-30 14:28:25, 1299
21/05/2016 10:13:37.000, 4432, 2015-11-02 10:08:55, 201
21/05/2016 10:13:34.000, 342_1, 2012-01-17 21:48:21, 1585
This is the query I'm using to build the result table:
source="requests_log.txt" | join type=left object_id [search source="object_log.txt" | eval creationTime=field1] | eval ageDays=round(((strptime(dt,"%Y-%m-%d %H:%M:%S") - strptime(creationTime,"%Y-%m-%d %H:%M:%S"))/86400),0)
The query in general works fine, but due to the limitaions of the number of results (10000) the results are mssing data.
That means many rows don't contain creationDate and ageDays values.
Limitations about subsearches.
http://docs.splunk.com/Documentation/Splunk/6.4.1/Search/Aboutsubsearches
There are some similar problems in Splunk answers, but so far I've been unable to adjust them. Maybe someone can lead me the way.
... View more
04-22-2016
02:15 AM
The System is running stable since 23/02/2016. (Knock on Wood).
These are the steps that I've done since my last update to this thread
Monitored the tcp Connections for some weeks
The splunk sever had around 80 - 100 open
The Oracle Server 310-330
Splunk Update to 6.3.3
DB Connect 2 Update to 2.1.3
d:\splunk\etc\system\default\web.conf
Splunkdconnectiontimeout Change from 30s to 60s
I can't say for sure what fixed the issue. Either one of the updates or the Splunkdconnectiontimeout Settings.
Let use know of your findings
... View more
01-18-2016
03:09 AM
I had already changed the value Splunkdconnectiontimeout in web.conf from 30s to 60s. This did not really help.
Sometimes the system runs fine for 2 weeks.
Yesterday the problem showed up again. Unfortunately I've missed the info about the servers running out of ports. I will keep an eye on the values from now on.
Actions I took since the problem started:
- updated db connect 2 to version 2.1.1
- updated splunk to version 6.3.2
- verified ojdbc.jar to fit to the Oracle version that is used
... View more
11-27-2015
07:36 AM
5 Karma
Hi,
I'm running Splunk 6.3.1, db connect 2.0.6. Splunk was updated 2 days ago. This problem already showed up with earlier versions of Splunk Enterprise.
I'm monitoring some tables in an Oracle db, remotely from the Splunk server.
The connection works fine for some days. All data is captured as expected.
At some time db connect can no longer connect to the splunk service. This starts multiple hours (20-50 hours) after I restart the Splunk service.
from dbx.log
11/27/2015 10:04:21 [ERROR] [init.py] Socket error communicating with splunkd (error=('The read operation timed out',)), path = https://127.0.0.1:8089/servicesNS/admin/splunk_app_db_connect/db_connect/connections/PS_diva_db
11/27/2015 10:04:23 [INFO] [mi_base.py] Caught exception Splunkd daemon is not responding: (u"Error connecting to https://127.0.0.1:8089/servicesNS/admin/splunk_app_db_connect/db_connect/connections/PS_diva_db: ('The read operation timed out',)",) in modular input mi_input://OBJECTS_VIEW. Retrying 1 of 6.
I've enable debugging for db connect, but cannot find any hint for this problem. Splunk log has no further info as well. Splunk itself seems to work fine. Once I restart the splunk service db connect is working again for some time.
Most data is captured via tail. The amount of data isn't that big.
Once this problem starts I cannot manage db connect via the Splunk web interface. After restarting the splunk service, the data inputs of db connect are all disabled.
The windows taks list shows multiple python interpreters open when this happens.
How can I dig deeper?
Any suggestions are welcome.
Thanks in advance
... View more
- Tags:
- splunk-enterprise
11-10-2015
07:40 AM
Hi Heinz,
This works just great.
Automatic creation of the new columns would be nice, but I can easily use this solution.
Thank you.
Manfred
... View more
11-10-2015
06:35 AM
Hi,
I have values that are a total sum of all data processed. I need to calculate the daily values from the daily sums.
Running the following search:
source=... | timechart span=1d eval(round(latest(USED_SPACE)/1024/1024)) as SpaceTB by Media
produces results like:
A B C D
2015-11-06 70.85 298.18 8.76 2.44
2015-11-07 71.28 298.78 8.78 2.44
2015-11-08 71.34 299.38 8.78 2.44
2015-11-09 71.36 299.43 8.78 2.50
..
I need a table that calculates the amount of data that was processed each day. That means to subtract the current value from the value of the previous day for each day (or other SPAN interval).
Results should look like
A B C D
2015-11-06
2015-11-07 0.43 0.6 0.02 0
2015-11-08 0.06 0.6 0 0
2015-11-09 0.02 0.05 0 0.06
..
Any suggestions?
Thank you
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
01-19-2022
07:23 AM
|
Karma from
