cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
asharmaeqfx
Path Finder
Member since: ‎03-01-2020
‎02-24-2021
Community Statistics
Posts 15
Solutions 0
Karma Given 5
Karma Received 0
Member Since ‎03-01-2020
Activity Feed
Topics I've Started
View All

Display in range data based on application time ta...

by in Splunk Search
‎02-24-2021 07:19 PM
‎02-24-2021 07:19 PM
Hi Splunkers,   I am looking to display the data Product 1 Seconds                    Cumulative response %           running average            Volume of transactions <4.5 seconds <5.5 seconds <7.5 seconds <25 seconds >=30 seconds           100 Based on the below post i actually wrote the same thing and it works till 10 sec but not the same way as listed https://community.splunk.com/t5/Splunk-Search/Grouping-by-numeric-range/m-p/27498   My query looks like .....Search Query..... | eval frontEndLatency=frontEndLatency/1000 | sort 0 frontEndLatency | eventstats count as total | eval in_range=round(case(frontEndLatency<30, floor(2*frontEndLatency)/2+.5, frontEndLatency<10, ceil(frontEndLatency), frontEndLatency>=30,30.0),1) | streamstats count as cnt avg(frontEndLatency) as run_avg | stats first(total) as total last(run_avg) as run_avg max(cnt) as count count as cnt by in_range,product | sort 0 in_range | eval range=if(frontEndLatency>=30, ">= 30.0 sec","< "+tostring(in_range)+" sec") | eval pct=round(count/total*100,1) | eval run_avg=round(run_avg,1) | rename cnt as "Volume of Transactions" pct as "**bleep**. response %" run_avg as "Running Avg" | dedup range | table range "**bleep**. response %" "Running Avg" "Volume of Transactions" | where range ="< 4.5 sec" OR range ="< 5.5 sec" OR range ="< 7.5 sec" OR range ="< 25.0 sec" OR range="< 30.0 sec" It gives me the output as range **bleep**. response % Running Avg Volume of Transactions < 4.5 sec 4.7 1.3 2 < 5.5 sec 7.3 1.7 10 < 7.5 sec 26.5 2.8 21 But it does not gives the same table and thus i tried changing  floor(4*frontEndLatency)/2+.5 or floor(8*frontEndLatency)/2+.5 and it gives me the table but wrong figures.   Kindly advise as I am unable to understand what exactly is happening here? Also I tried rangemap but its not working. Thanks, Amit     ... View more
Labels

Re: Logs stopped from one of the server

by in Getting Data In
‎01-31-2021 04:53 PM
‎01-31-2021 04:53 PM
Hi All,   Thanks for your kind replies.   I have to delete some big logs and after that restarted the Splunk forwarder. It has been working since Friday. As per your suggestion i think it was because the amount of logs which were being forwarded seems to be quite big and did not allow it to be forwarder and queues were getting full.   Regards, Amit ... View more

Logs stopped from one of the server

by in Getting Data In
‎01-28-2021 08:38 PM
‎01-28-2021 08:38 PM
Hi Splunkers,   I am facing a strange issue like the splunk forwarder stopped forwarding data. I see the forwarder is working fine and as per the splunk logs I see The monitor input cannot produce data because splunkd's processing queues are full. This will be caused by inadequate indexing or forwarding rate, or a sudden burst of incoming data I tried restarting the indexers and forwarder. It works for a while and after that it stops.  Could you please advice. Thanks, Amit ... View more
Labels

Re: Spath or Xpath or regex to extract multiple va...

by in Dashboards & Visualizations
‎10-22-2020 06:01 PM
‎10-22-2020 06:01 PM
Thanks ITWhisperer  and to4kawa    I used the combination of both and it works fine Search query | rex mode=sed "s/.*(\<.*)/\1/ s/\<v1:document /#<v1:document /g" | eval _raw=replace(_raw,"v1:","") | xpath outfield=fee "/SubmitOrderResponse/documents/document/fee" | xpath outfield=gst "/SubmitOrderResponse/documents/document/gst"| xpath outfield=deliveryFee "/SubmitOrderResponse/documents/document/deliveryFee"| xpath outfield=memCode "/SubmitOrderResponse/context/user/memCode"| table fee,gst,deliveryFee,memCode, _time   Now my table is merging the multiple values in one row. And currently working on it.   Thanks for your help. Regards, Amit ... View more

Spath or Xpath or regex to extract multiple values...

by in Dashboards & Visualizations
‎10-21-2020 07:53 PM
‎10-21-2020 07:53 PM
Hi All,   I have a query to extract the from the xml log data -------------- 2020-10-22 11:29:23,712 INFO (default-workqueue-73) [com.xyz.uyt.eds.building.documents.btw.house] ID-apprdhgr001-co-dmz-33780-17w876834676-5-w87434 building-documents-vic:pull-order-orchestration-v1 pull Order Response : <v1:SubmitOrderResponse xmlns:v1="http://www.xyz.com/services/building/documents/btw/v1" xmlns:xs="http://www.w3.org/2001/XMLSchema"> <v1:context> <v1:chnnlcd>06</v1:chnnlcd> <v1:user> <v1:memCode>5436</v1:memCode> <v1:brCode>7654</v1:brCode> <v1:usrCode>7634B</v1:usrCode> </v1:user> <v1:clientReferences> <v1:clientReference type="type0">1234 - amit</v1:clientReference> </v1:clientReferences> <v1:transaction> <v1:transactionDateTime>2020-10-22T11:29:00Z</v1:transactionDateTime> </v1:transaction> <v1:conversationId>2</v1:conversationId> </v1:context> <v1:documents> <v1:document sequenceNo="1"> <v1:identifer>67</v1:identifer> <v1:name>Reg Src Statement (Title)</v1:name> <v1:description/> <v1:organisations> <v1:authority> <v1:identifier>320</v1:identifier> <v1:name/> </v1:authority> </v1:organisations> <v1:fee>5.9</v1:fee> <v1:gst>0</v1:gst> <v1:deliveryFee>11</v1:deliveryFee> <v1:deliveryGst>1</v1:deliveryGst> <v1:recoupmentFee>5.9</v1:recoupmentFee> <v1:totalFeeExclGst>15.9</v1:totalFeeExclGst> <v1:totalGst>1</v1:totalGst> </v1:document> <v1:document sequenceNo="8"> <v1:identifer>75</v1:identifer> <v1:name>Index Search</v1:name> <v1:description/> <v1:organisations> <v1:authority> <v1:identifier>320</v1:identifier> <v1:name>Index Registry</v1:name> </v1:authority> </v1:organisations> <v1:fee>6.91</v1:fee> <v1:gst>0.63</v1:gst> <v1:deliveryFee>11</v1:deliveryFee> <v1:deliveryGst>1</v1:deliveryGst> <v1:recoupmentFee>0</v1:recoupmentFee> <v1:totalFeeExclGst>16.28</v1:totalFeeExclGst> <v1:totalGst>1.63</v1:totalGst> </v1:document> <v1:document sequenceNo="9"> <v1:identifer>238</v1:identifer> <v1:name>Plan Copy</v1:name> <v1:description/> <v1:organisations> <v1:authority> <v1:identifier>320</v1:identifier> <v1:name>Plan 8T6543</v1:name> </v1:authority> </v1:organisations> <v1:fee>5.84</v1:fee> <v1:gst>0</v1:gst> <v1:deliveryFee>11</v1:deliveryFee> <v1:deliveryGst>1</v1:deliveryGst> <v1:recoupmentFee>5.84</v1:recoupmentFee> <v1:totalFeeExclGst>15.84</v1:totalFeeExclGst> <v1:totalGst>1</v1:totalGst> </v1:document> <v1:document sequenceNo="10"> <v1:identifer>1</v1:identifer> <v1:name>=Tax Certificate</v1:name> <v1:description/> <v1:organisations> <v1:authority> <v1:identifier>34</v1:identifier> <v1:name>Revenue Cert</v1:name> </v1:authority> </v1:organisations> <v1:fee>20.27</v1:fee> <v1:gst>1.84</v1:gst> <v1:deliveryFee>11</v1:deliveryFee> <v1:deliveryGst>1</v1:deliveryGst> <v1:recoupmentFee>0</v1:recoupmentFee> <v1:totalFeeExclGst>28.43</v1:totalFeeExclGst> <v1:totalGst>2.84</v1:totalGst> <v1:serviceLevel> <v1:period>10</v1:period> </v1:serviceLevel> </v1:document> <v1:document sequenceNo="89"> <v1:identifer>80</v1:identifer> <v1:name>Information Certificate</v1:name> <v1:description/> <v1:organisations> <v1:authority> <v1:identifier>249</v1:identifier> <v1:name>Check</v1:name> </v1:authority> </v1:organisations> <v1:fee>35.690002</v1:fee> <v1:gst>3.24</v1:gst> <v1:deliveryFee>11</v1:deliveryFee> <v1:deliveryGst>1</v1:deliveryGst> <v1:recoupmentFee>0</v1:recoupmentFee> <v1:totalFeeExclGst>42.45</v1:totalFeeExclGst> <v1:totalGst>4.24</v1:totalGst> <v1:serviceLevel> <v1:period>5</v1:period> </v1:serviceLevel> </v1:document> <v1:document sequenceNo="26"> <v1:identifer>23</v1:identifer> <v1:name>Other Information</v1:name> <v1:description/> <v1:organisations> <v1:authority> <v1:identifier>698</v1:identifier> <v1:name>RIVER WATER</v1:name> </v1:authority> </v1:organisations> <v1:fee>87.04</v1:fee> <v1:gst>7.91</v1:gst> <v1:deliveryFee>11</v1:deliveryFee> <v1:deliveryGst>1</v1:deliveryGst> <v1:recoupmentFee>0</v1:recoupmentFee> <v1:totalFeeExclGst>89.13</v1:totalFeeExclGst> <v1:totalGst>8.91</v1:totalGst> <v1:serviceLevel> <v1:period>7</v1:period> </v1:serviceLevel> </v1:document> </v1:documents> <v1:details> </v1:details> </v1:SubmitOrderResponse> ----------------- Similar lines are there in the log files but the entries vary as per the record. Hence, I need to output to extract <v1:fee>97.99</v1:fee> <v1:gst>8.9</v1:gst> <v1:deliveryFee>11</v1:deliveryFee> <v1:deliveryGst>1</v1:deliveryGst> <v1:recoupmentFee>0</v1:recoupmentFee> <v1:totalFeeExclGst>99.09</v1:totalFeeExclGst> <v1:totalGst>9.9</v1:totalGst>   And show them in tabular format for each memcode, brcode and usrcode. I tried using spath and xpath and xmlkv but none of them are working as expected. With xmlkv, it shows only the last value or one value. The xpath and spath are not extracting any data as shown in my below queries   <main search> | xpath outfield=memCode "/v1:SubmitOrderResponse/v1:context/v1:user/v1:memCode" | table outfield, _time <main search> | spath outfield=v1:memCode path=v1:SubmitOrderResponse.v1:context.v1:user.v1:memCode | xmlkv| table outfield, _time   Can you please advise.   Thanks, Amit     ... View more
Labels

Re: Splunk query to join two searches

by in Splunk Search
‎10-21-2020 05:39 PM
‎10-21-2020 05:39 PM
Does not helps much. Can you suggest like how to perform join in normal scenario. ... View more

Splunk query to join two searches

by in Splunk Search
‎10-18-2020 11:13 PM
‎10-18-2020 11:13 PM
Hi Splunkers,   I have a complex query to extract the IDs from first search and join it using that to the second search and then calculate the response times index=xxxml source=module "matrix-v4" NOT host="xyz.dmz" NOT "somefield1" NOT "somefield2" "<nt3:overall-outcome>*</nt3:overall-outcome>" |where isnotnull(AccuiteCode) |xmlkv | eval MSUserid=AccessCode | eval source1="MS" | join ip [search index=xxxml source="/var/log/production.log" urlPath="/com/system*" "/org/system" NOT "somefield1" NOT "somefield2" | where isnotnull(accessCode) | eval ProdUserID=accessCode| eval source2="Prod"] | where source1="MS" AND source2="Prod" | eval responsetime = Latency/1000 | stats count(responsetime) as Requests avg(responsetime) perc50(responsetime) perc60(responsetime) perc70(responsetime) perc80(responsetime) perc90(responsetime) perc95(responsetime) perc99(responsetime) max(responsetime) by date_mday,date_month,rIdentifier,nt3:overall-outcome,accessCode  This query only returns the first matched content but we have thousands to rows for the first query. It somehow unable to join it. Kindly advise.   Thanks, Amit ... View more

Re: The subtraction of two counts in not working f...

by in Splunk Enterprise
‎10-05-2020 08:08 PM
‎10-05-2020 08:08 PM
Nailed it!! You are the best Thanks a ton for your response. ... View more

The subtraction of two counts in not working for m...

by in Splunk Enterprise
‎10-05-2020 06:22 PM
‎10-05-2020 06:22 PM
Hi Splunkers, I have a splunk search query  index="xyz" source="/var/log/production.log" sourcetype="xyzlogs" type="report" | dedup uuid | stats count(uuid) as TOTAL | append [ search index="xyz" sourcetype=abclogs NOT host="xyte150.com.dmz" "<vv:general-messages>" ("conditions1"  "conditions2" | dedup uuid | stats count(uuid) as FAIL] | eval SUCCESS=TOTAL - FAIL |stats list(TOTAL) as TotalTransactions, values(SUCCESS) as PASSED, list(FAIL) as FAILED | eval Availability=round((PASSED*100)/TotalTransactions,2)   I cannot see any value in SUCCESS and due to this no Availability. Somehow the subtraction is not working. My end goal is display a table to show the below TOTAL PASSED FAIL Availability   Can you please suggest why is not working? Thanks, Amit ... View more
Labels

Re: Field extraction does not work when the second...

by in Splunk Enterprise
‎10-05-2020 05:03 PM
‎10-05-2020 05:03 PM
Thanks ITWhisperer It is working fine. I applied it last tuesday and it works like a charm.   Appreciate it. Thanks, Amit   ... View more

Field extraction does not work when the second fie...

by in Splunk Enterprise
‎09-29-2020 12:23 AM
‎09-29-2020 12:23 AM
Hi Splunkers,   I have set up a field extractor and it does not work when the log entry is empty. For e.g Field extraction syntax is --------------------------- (?:[^=\n]*=){9}"(?P<frontEndLatency>\d+)"\s+\w+="(?P<backEndLatency>\d+) -------------------------- Log messages --------------------- blah blah contentType="text/xml" frontEndLatency="587" backEndLatency="391" messages= blah --------------- It extracts correctly  frontEndLatency="587" and backEndLatency="391" If somehow in the log file one of the field is empty, it does not extracts properly Log Messages -------------  blah blah contentType="text/xml" frontEndLatency="1795" backEndLatency="" messages= blah blah -------------- How to set this up or handle it via field extraction? Your help is much appreciated. Thanks,   ... View more
Labels

Enable TLS1.2 for splunk 6.5.3

by in Security
‎06-01-2020 07:41 PM
‎06-01-2020 07:41 PM
Hi Splunkers, I am receiving a vulnerability on all my splunk servers saying that Issue The PCI Data Security Standard requires a minimum of TLS v1.1 and recommends TLS v1.2. In addition, FIPS 140-2 standard requires a minimum of TLS v1.1 and recommends TLS v1.2. Resolution Configure the server to require clients to use TLS version 1.2 using Authenticated Encryption with Associated Data (AEAD) capable ciphers for ports 2222 and 443 I tried looking into some files within splunk like outputs.conf, inputs.conf, server.conf etc https://docs.splunk.com/Documentation/Splunk/8.0.3/Security/AboutTLSencryptionandciphersuites I am unsure which files needs to be changed and is it the same process on indexes, deployment server, forwarders and search heads. Could you please suggest? Note: I tried changing the server.conf file on the search heads and restarted the splunk processes but it did not helped. I added the below line sslVersions = tls1.2 and tested it via the below command but i see still its running tlsv1 openssl s_client -connect xxxxx002:443 -tls1 Thanks, Amit ... View more
Labels

Re: Splunk query to exclude the searched strings b...

by in Splunk Search
‎03-04-2020 11:25 PM
‎03-04-2020 11:25 PM
This works and displays the same result. But my requirement is there are five strings and i need see from the query and check if they are missing. Currently i need the keywords in a column and one more column shows whether it exists or not Keywords/Filenames FileExists string_1L_2 Yes string_1L_21 No string_1L_22 Yes string_1L_23 No string_1L_25 Yes ... View more

Re: Splunk query to exclude the searched strings b...

by in Splunk Search
‎03-03-2020 06:49 PM
‎03-03-2020 06:49 PM
yes but i still does not show me missing files. Rather all the files which came fine. ... View more

Splunk query to exclude the searched strings based...

by in Splunk Search
‎03-01-2020 07:09 PM
‎03-01-2020 07:09 PM
Hi Splukers, I have a requirement to search for some filenames and display the missing files as per the date. Thus, i made up a query to look like index=123 host=htrstef87 "string_1," "created" NOT client_ip="192.168.17.5" "String_examp_*" "xml.7z.pgp" | eval keyword=case(searchmatch("string_1L_2"),"string_1L_2",searchmatch("string_1L_21"),"string_1L_21",searchmatch("string_1L_22"),"string_1L_22",searchmatch("string_1L_23"),"string_1L_23",searchmatch("string_1L_24"),"string_1L_24") | eval Filestatus=if(like(keyword, "string_1L%"), "fileFound", "Filenotfound") |eval DateReport= date_month."-".date_year| stats values(keyword), values(FileName), values(Filesize) by DateReport | where Filesize>0 This displays all the filenames with all the data. But the requirement is to match the keyword and check them every month at certain date and send them if any files are missing or no bytes (filesize). Any help is much appreciated. note: I am running splunk 6.5.3 and thus queries like where(in) does not work for me. Thanks, Amit ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎02-24-2021 11:20 PM
Karma given to