Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About ibob0304
ibob0304
Communicator
Member since:
06-08-2016
06-05-2020
Community Statistics
| Posts | 61 |
| Solutions | 2 |
| Karma Given | 93 |
| Karma Received | 4 |
| Member Since | 06-08-2016 |
Activity Feed
- Karma Re: How to get the stats of multiple search string for woodcock. 06-05-2020 12:50 AM
- Karma Re: How to get the stats of multiple search string for aberkow. 06-05-2020 12:50 AM
- Got Karma for How to get the stats of multiple search string. 06-05-2020 12:50 AM
- Karma Re: How to trigger second search based on first search where condition for niketn. 06-05-2020 12:49 AM
- Karma Re: How to modify output based on condition applied to each rows for mayurr98. 06-05-2020 12:49 AM
- Karma Re: How to hide past events in the FIRST alert with -2h time window for Sukisen1981. 06-05-2020 12:49 AM
- Karma Re: How to create new rows using conditions. for somesoni2. 06-05-2020 12:49 AM
- Karma Re: How to create a new column using the subsearch for somesoni2. 06-05-2020 12:49 AM
- Karma Re: How to trigger map only when variable value exists? for elliotproebstel. 06-05-2020 12:49 AM
- Karma Re: How to trigger second search based on first search where condition for niketn. 06-05-2020 12:49 AM
- Karma Re: How to get the Maximum and Minimum time difference between the events for somesoni2. 06-05-2020 12:49 AM
- Karma Re: How to get the Maximum and Minimum time difference between the events for woodcock. 06-05-2020 12:49 AM
- Karma Re: In a table using CSV data, how do we add "waitdays" to date and show in new column ? for Vijeta. 06-05-2020 12:49 AM
- Karma Re: How do I make a field value as a column heading? for Vijeta. 06-05-2020 12:49 AM
- Karma Re: How do I make a field value as a column heading? for renjith_nair. 06-05-2020 12:49 AM
- Karma Re: How do I make a field value as a column heading? for harishalipaka. 06-05-2020 12:49 AM
- Karma Re: How to get Splunk sendemail command to send multiple emails based on search results 2016 for somesoni2. 06-05-2020 12:48 AM
- Karma Re: How to use the result from one search in another search? for sundareshr. 06-05-2020 12:48 AM
- Karma How to get Splunk sendemail command to send multiple emails based on search results 2016 for ThomasControlw1. 06-05-2020 12:48 AM
- Karma Re: How to only index events that contain specific fields? for gcusello. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
12-18-2019
07:51 AM
1 Karma
I am trying to get the stats for the search keywords. My query will list the errors by time but it wont tell me how many errors came for each search string.
index=main source=*event* | search "NETWORK error" OR "OPS error" OR "NETSTAT ERROR" | bucket span=5m _time | stats count by _time
... View more
10-15-2018
12:11 PM
Is there any way to get the list of alerts created in Splunk last month or last week trended?
... View more
Labels
- Labels:
-
other
09-28-2018
07:38 AM
I would like to display weekday in the column heading.
|Search....
| eval weekday=strftime(now(),"%A")
Output
S.no | Daily | weekday
1 101 Thursday
2 210 Thursday
Desired Output
S.no | Daily (Thursday)
1 101
2 210
Tried xyseries and transpose but I couldn't find a way to flip only one column instead of the whole table.
... View more
09-24-2018
12:00 PM
Tried 60*24*60 and it worked.,
... View more
09-24-2018
11:37 AM
I have CSV data like below,
---------------------------------------------------
Date1 | WaitDays
---------------------------------------------------
9/24/2018 | 20
8/28/2018 | 160
7/13/2018 | 01
How do we add the waitdays to date and show in new column ?
| eval inputDate = relative_time(Date1, "%Y-%m-%d")
| eval expiring = inputDate + WaitDays
| eval expiring = strftime(expiring, "%Y-%m-%d")
I tried this, but it is not working as expected.
... View more
03-08-2018
11:12 AM
This query capture the id from logs and make a search in the database, when there is a id value in logs it works well, if there is no id value the map condition trigger an error
Error in 'map': Did not find value for required attribute 'id'.
query
index=*sourcetype=* "Invalid"
| rex field=_raw ".*for\sinvalid\s(?<id>.*?(?=:))"
| table id
| where !isnull(id)
| map maxsearches=5 search="dbxquery query=\"select id, name,cell,email, date from idx where id='$id$'\" connection=sql"
Is it possible to trigger dbxquery only when there is a id value ?
... View more
03-05-2018
03:50 PM
Your query is freaking fast, I previously tried with join command which worked but gave me timeouts and used to took longer time.
Two doubts :
1. Is there a way to apply NOT condition in searchmatch? I want to search "error" and "timeout" strings like in the query, but don't want my error query to capture "fatal timeout" or "low memory ERROR" count.
... View more
03-05-2018
03:12 PM
It worked with join type left. Thanks
... View more
03-02-2018
06:56 AM
Error in 'makeresults' command: This command must be the first command of a search., When I defined |makeresults at the beginning it didnt returned any results. And removing the makeresults caused multiple repeated apps.
... View more
03-01-2018
09:37 PM
I have this query (thanks to somesoni2) which will scan the logs and say whether the sources has any log events or not.
Existing Query
index=saq source=*
| rex field=source "(?:\\\\\\172.168.1.1\\\Logs\\\Production\\\*\\\(?<Application>.+?(?=\\\))|(?:\\\\\\\172.168.1.2\\\Logs\\\(?<Application1>.+?(?=\\\))))"
| eval Apps = coalesce(Application, Application1)
| stats count by Apps
| append [| gentimes start=-1 | eval Apps="App1#App2#App3#App4...all app names here separated by #" | table Apps | makemv Apps delim="#" | mvexpand Apps | eval count=0 ]
| stats sum(count) as count by Apps
| eval hasevents= if (count>=1,"YES","NO")
Output
App count hasevents
----------------------------------------------------------
B2B 101 YES
Silverlight 95 YES
B2C 102 YES
Ldoc 40 NO
I want to run a sub search to get the errors count and wanted to add that errors count output to the main search output. So, I tried adding sub search to run similar query with error keywords for getting the errors count .
Query tried using join,
index=saq source=*
| rex field=source "(?:\\\\\\172.168.1.1\\\Logs\\\Production\\\*\\\(?<Application>.+?(?=\\\))|(?:\\\\\\\172.168.1.2\\\Logs\\\(?<Application1>.+?(?=\\\))))"
| eval Apps = coalesce(Application, Application1)
| stats count by Apps
| append [| gentimes start=-1 | eval Apps="App1#App2#App3#App4...all app names here separated by #" | table Apps | makemv Apps delim="#" | mvexpand Apps | eval count=0 ]
| stats sum(count) as count by Apps
| eval hasevents= if (count>=1,"YES","NO")
| join [search index=saq source=*
| search ("error" OR "Timeout")
| rex field=source "(?:\\\\\\172.168.1.1\\\Logs\\\Production\\\*\\\(?<Application>.+?(?=\\\))|(?:\\\\\\\172.168.1.2\\\Logs\\\(?<Application1>.+?(?=\\\))))"
| eval Apps = coalesce(Application, Application1)
| stats count by Apps
| append [| gentimes start=-1 | eval Apps="App1#App2#App3#App4...all app names here separated by #" | table Apps | makemv Apps delim="#" | mvexpand Apps | eval count=0 ]
| stats sum(count) as errorcount by Apps
| eval Errors= if (errorcount>=1,"YES","NO") ]
First, it took long time to return results, second the Apps names are repeated multiple times. So, I think I didn't make it correct. Is there any way to get the errors count from subsearch and add that to the main search to get the below output ?
Desired Output
App count hasevents Errors
----------------------------------------------------------------------------------------
B2B 101 YES Yes
Silverlight 95 YES NO
B2C 102 YES NO
Ldoc 40 NO NO
in short [hasevents column will scan for all logs, errors column only scan for specified errors.]
... View more
02-27-2018
02:33 PM
you are awesome. I used second one since all my sources are constant and it worked.
... View more
02-27-2018
01:40 PM
I have 6 sources, each application has it own source location. I used regular expression to get the app names from the sourcetype by trimming the not required keywords and backslash, which gives me the app names. These apps log events sometimes based on schedule not all the time.
| rex field=source "(?:\\\\\\172.168.1.1\\\Logs\\\Production\\\*\\\(?<Application>.+?(?=\\\))|(?:\\\\\\\172.168.1.2\\\Logs\\\(?<Application1>.+?(?=\\\))))"
| eval Apps = coalesce(Application, Application1)
It will output below if there are events, if no events then it wont output that app name.
App
-------------
B2B
Silverlight
B2C
Ldoc
Omega
Sigma
I counted the number of events in those apps
| stats count by Apps
output
App count
-----------------------------
B2B 101
Silverlight 95
B2C 102
Ldoc 40
I created another column saying has events in last 10minutes
| eval hasevents= if (count>=50,"YES","NO")
output
App count hasevents
----------------------------------------------------------
B2B 101 YES
Silverlight 95 YES
B2C 102 YES
Ldoc 40 NO
If you see, I am missing the rows Omega and Sigma. Because there are no events logged in those app. I want to show Omega and Sigma as well. If those apps(sources) really has events then It would return the real results, If it doesn't then it should show dummy row like below. I tried with if condition, but it is working for only 1 row and also making other Apps rows blank.
Desired Output
App count hasevents
----------------------------------------------------------
B2B 101 YES
Silverlight 95 YES
B2C 102 YES
Ldoc 40 NO
Omega 0 NO
Sigma 0 NO
... View more
02-26-2018
05:22 PM
That worked.. Thank you
... View more
02-22-2018
10:14 PM
I have a query that output below, Status column is generated based on if condition.
|eval Status = if(Quantity>10,Good,BAD)
Output
Name Quantity Status
pen 20 Good
book 13 Good
riddle 2 Bad
note 60 Good
Is it possible to apply if or any other conditions to each row ? like if pen Quantity is more than 1 then say Good,
if book Quantity is less than 10 is Bad ?. In short, applying conditions to each row instead of applying at one column level.
... View more
02-22-2018
09:52 PM
can you please provide the sample output too ? I couldn't get the >5 part
... View more
02-22-2018
01:01 PM
^ Will look from the starting
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 40
... View more
02-21-2018
05:42 PM
@nabeel652, I see you deleted your prior comment, which is fine. But, I would like to let you know that if there is no response to the answer then the person who posted might waited for long time looking for an answer and gave up after some days. And I am looking for an adhoc search. If you know then let me know the answer and I will appreciate it or else dont use words like shame, and this is not stackoverflow
... View more
02-21-2018
05:25 PM
Thanks Niket, I upvoted the answer. But, do you know if this can be done using ad- hoc search instead of dashboard ?
... View more
02-18-2018
07:04 PM
Sorry, changed the query. All I want is to show second query results based on first trigger condition
... View more
01-31-2018
12:30 PM
I have a dbquery alert which will trigger when first query has more than 250 records then second search will trigger using |map command.
| dbxquery connection=conn query="select * from db"
|where records>=250
|map maxsearches=1 search="dbxquery select query"
So, I am looking for an equivalent query that works for regular log events. I tried subsearch but it didn't worked well.
index=* source=* sourcetype=json
| where count < 100
| trigger second query when above condition agree
All I am trying is output the second query output results based on first query search condition.
... View more
01-23-2018
07:17 PM
It didn't worked. "Regex: missing closing parenthesis" I have added ) at the end and ran without error but only showed application from one path.
... View more
01-22-2018
06:25 AM
My alert runs at 8 AM, 10 AM, 12 PM daily when count < 500 , with a time frame of -2h@h to now.
So, at 8 AM report it shows stats from 6 AM to 8 AM because I gave as -2h@h.
At 10 AM, it shows the records from last 2 hours (8 AM to 10 AM).
At 12 PM, it shows the last -2 hours which is 10 AM to 12 PM.
Now, I want to hide the past 8 AM results in the first 8 AM alert. Like when it trigger at 8 AM first time in a day, it should not show 6 AM records count in it. it should only show 8 AM count.
Above logic should apply only for the first alert. 10 AM & 12 PM alerts should show all past -2h count like normal.
... View more
01-18-2018
01:30 PM
I am trying to extract one name from source using rex.
index=*source=* | rex field=source "\\\\\\\domain\\\prod\\\(?<Application>.+?(?=\\\))
Above query list me the application names from the source. But now I want to join another different source.
\\\\\\domain\\\Logs\\\Prod\\\cluster1\\\(?<Application>.+?(?=\\\))"
So I tried joining both the rex to get the Application names.
index=* source=* | rex field=source "\\\\\\\domain\\\prod\\\(?<Application>.+?(?=\\\)) & \\\\\\domain\\\Logs\\\Prod\\\cluster1\\\(?<Application>.+?(?=\\\))"
I thought it will extract the names from both the source locations but it is not working.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
Karma given to
