Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About subhrangshu
subhrangshu
Explorer
Member since:
07-29-2020
09-04-2020
Community Statistics
| Posts | 11 |
| Solutions | 0 |
| Karma Given | 5 |
| Karma Received | 0 |
| Member Since | 07-29-2020 |
Activity Feed
- Posted Re: Filter event data using conditions within the data on Splunk Search. 09-03-2020 11:03 PM
- Tagged Re: Filter event data using conditions within the data on Splunk Search. 09-03-2020 11:03 PM
- Karma Re: Filter event data using conditions within the data for richgalloway. 09-03-2020 10:55 PM
- Posted Filter event data using conditions within the data on Splunk Search. 09-03-2020 10:37 AM
- Tagged Filter event data using conditions within the data on Splunk Search. 09-03-2020 10:37 AM
- Posted Re: Eval a token value and pass it on a search on Splunk Search. 08-21-2020 01:19 AM
- Karma Re: Eval a token value and pass it on a search for yeahnah. 08-21-2020 01:17 AM
- Posted Re: Eval a token value and pass it on a search on Splunk Search. 08-20-2020 11:37 PM
- Posted Eval a token value and pass it on a search on Splunk Search. 08-20-2020 10:32 PM
- Posted Re: Populate drop down with eval values on Splunk Search. 08-20-2020 02:11 AM
- Karma Re: Populate drop down with eval values for Nisha18789. 08-20-2020 02:11 AM
- Posted Populate drop down with eval values on Splunk Search. 08-19-2020 11:28 PM
- Tagged Populate drop down with eval values on Splunk Search. 08-19-2020 11:28 PM
- Posted Re: Combine a numerical field with a string field separated with a dash on Splunk Search. 08-19-2020 08:00 AM
- Karma Re: Combine a numerical field with a string field separated with a dash for diogofgm. 08-19-2020 07:59 AM
- Posted Combine a numerical field with a string field separated with a dash on Splunk Search. 08-19-2020 07:38 AM
- Posted Measure Memory Available_Bytes using sai_metrics_indexes but within a time range on Splunk Search. 08-13-2020 11:35 PM
- Karma Re: Finding the diff of two time stamps is returning null/ empty value for richgalloway. 08-13-2020 11:14 PM
- Posted Finding the diff of two time stamps is returning null/ empty value on Splunk Search. 08-13-2020 04:27 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
09-03-2020
11:03 PM
Thanks @richgalloway Your solution works as I wanted. Just one more add on query to it, when we return EVENT, suppose I want to use the EVENT value in some other way in my main search. For example: If event =1, then my main search should be something like index=FOO AND source=some path\1\log.txt If event =2, then my main search should be something like index=FOO AND source=some path\2\log.txt Basically, I want to use the event value returned into my main search with some modification as stated above. Thanks again.
... View more
- Tags:
- @
09-03-2020
10:37 AM
Hello, I have some data which in the below form: JOB EVENT TYPE TIME 1 1 A 20 1 1 B 15 1 1 C 10 1 2 A 15 1 2 B 10 1 2 C 20 I want to filter the data only for those event which has the greater value of Type A. So, here in my example, Event 1 has value of A=20 and Event 2 has value of A=15. So, here Event 1 has value of A greater than value of A in Event 2. So I want to see the results of Event 1 only. My result should be something like below: JOB-NO EVENT TYPE TIME 1 1 A 20 1 1 B 15 1 1 C 10 Thanks in advance.
... View more
- Tags:
- search
08-20-2020
11:37 PM
Thanks a lot for your reply @yeahnah So, as per your suggestion my search query looks like this: index=test sourcetype="testabc" [ | makeresults | eval sre_job_id=replace("6720-Aug 04 2020, 16:05:04", "-.*", "") | return sre_job_id ] sre_job_id=sre_job_id Perf_Type=Perf* But this query returns me no result. But if I use this below search instead, I get data back: index=test sourcetype="testabc" sre_job_id=6720 Perf_Type=Perf* 6720-Aug 04 2020, 16:05:04: is the value that I got from drop down and was passed upon to this tabular report query from the token. Am I missing something here or doing anything wrong. Thanks again.
... View more
08-20-2020
10:32 PM
Hi, I have a dashboard where I have a drop down which returns me a string. The xml of the drop down is below: <input type="dropdown" token="jobID" searchWhenChanged="true"> <label>JOB ID II</label> <fieldForLabel>JOB-ID-WITH-TIME</fieldForLabel> <fieldForValue>JOB-ID-WITH-TIME</fieldForValue> <search> <query>index=test sourcetype="testabc" | rename sre_job_id as JOB_ID | stats earliest(_time) AS Earliest by JOB_ID | eval FirstEvent=strftime(Earliest,"%b %d %Y, %H:%M:%S") | eval JOB_ID_STR=tostring(JOB_ID) | eval JOB-ID-WITH-TIME=JOB_ID + "-" + FirstEvent | table JOB-ID-WITH-TIME | dedup JOB-ID-WITH-TIME | sort JOB-ID-WITH-TIME</query> <earliest>$timeToken.earliest$</earliest> <latest>$timeToken.latest$</latest> </search> </input> This drop down returns me data something like: 6802-Jul 20 2020, 10:41:14 (an ID with a date separated by a dash). Now, I have a tabular report where I want to use just the ID (6802) in the search for the report to show data. The xml for the tabular report is below: <table> <title>TOTAL TIME for JOB $jobID$</title> <search> <query>index=test sourcetype="testabc" sre_job_id=$jobID$ Perf_Type=Perf* | stats sum(Time_Taken) as NetTime_secs by Perf_Type | eval NetTime_mins=(NetTime_secs/60) | table Perf_Type, NetTime_mins | sort -Perf_Type <earliest>0</earliest> <latest></latest> The problem with the above query is sre_job_id=$jobID$ gets the whole value 6802-Jul 20 2020, 10:41:14 and hence do not shown any results, whereas it expects only 6802 to show some data. I tried to eval the token and split the token data but not able to use the split data into my search. This is what I have tried: index=test sourcetype="testabc" Perf_Type=Perf* [| makeresults | eval test="6802-Jul 20 2020, 10:41:14" | eval results=split(test,"-") | eval job_id=mvindex(results,0)] sre_job_id=job_id. For now tried hard coding the value, but no luck. Could someone please help on this. I hope the question is clear. Thanks in advance for your time.
... View more
08-19-2020
11:28 PM
Hello, Is it possible to populate drop down in Dashboard with eval values. I have a query as given below which returns me a string. index=test sourcetype="testabc" | rename sre_job_id as JOB_ID | stats earliest(_time) AS Earliest by JOB_ID | eval FirstEvent=strftime(Earliest,"%b %d, %Y %H:%M:%S") | eval JOB_ID_STR=tostring(JOB_ID) | eval JOB-ID-WITH-TIME=JOB_ID + "-" + FirstEvent | table JOB-ID-WITH-TIME | dedup JOB-ID-WITH-TIME | sort JOB-ID-WITH-TIME When I run this search with time as "Last 7 days", I get 3 records back. 7220-Aug 13, 2020 11:22:00 7320-Aug 13, 2020 11:46:32 7800-Aug 14, 2020 04:50:06 But when I use the same query in my drop-down in dashboard, I do not see any data. Below is the xml for the same: <input type="dropdown" token="jobIDII" searchWhenChanged="true"> <label>JOB ID II</label> <fieldForLabel>sre_job_id</fieldForLabel> <fieldForValue>sre_job_id</fieldForValue> <search> <query>index=test sourcetype="testabc" | rename sre_job_id as JOB_ID | stats earliest(_time) AS Earliest by JOB_ID | eval FirstEvent=strftime(Earliest,"%b %d, %Y %H:%M:%S") | eval JOB_ID_STR=tostring(JOB_ID) | eval JOB-ID-WITH-TIME=JOB_ID + "-" + FirstEvent | table JOB-ID-WITH-TIME | dedup JOB-ID-WITH-TIME | sort JOB-ID-WITH-TIME</query> <earliest>$timeToken.earliest$</earliest> <latest>$timeToken.latest$</latest> </search> </input> NOTE: timeToken is the token for DURATION. I also have a time input to filter the data for the above query in my dashboard. Please see the picture below: screenshot If you see above, JOB ID II is not populating any data and I cannot select anything from here. Thanks for your time in advance.
... View more
- Tags:
- eval
08-19-2020
08:00 AM
Thanks for the prompt reply. I don't know, how I missed this. Thanks again 😃
... View more
08-19-2020
07:38 AM
Hello, I am trying to combine couple of fields data separated by a dash. Tried few options but could not get the expected output. My query is: index=test sourcetype="test-abc" ("enter start()") | rename job_id as JOB_ID | stats earliest(_time) AS Earliest by JOB_ID | eval FirstEvent=strftime(Earliest,"%b %d, %Y %H:%M:%S") | eval JOB_ID_STR=tostring(JOB_ID) | eval JOB-ID-WITH-TIME=printf("%s%z", JOB_ID_STR,FirstEvent) In the above query: JOB_ID is a numerical data of length 4 digit. FirstEvent is string of time format of that event. Ex: JOB_ID = 9000 and FirstEvent = Jul 07, 2020 04:56:43 Using the above query and with printf function, JOB-ID-WITH-TIME is returned as 9000Jul 07, 2020 04:56:43. I want the output to be like 9000-Jul 07, 2020 04:56:43 (a dash between JOB_ID and FirstEvent). How to do it? Thanks in advance for your time!
... View more
Labels
- Labels:
-
eval
08-13-2020
11:35 PM
Hello, Trying to know, if it is possible to measure Memory Available using the sai_metrics_indexes. More details of the requirement is below: I have a process which starts and then runs for quite some time. I am able to get the start time and end time of that process run using the below query: index=test sourcetype="test:node" "processStart()" OR "processEnd()" | stats earliest(_time) AS Earliest, latest(_time) AS Latest | eval diff=Latest-Earliest | eval FirstEvent=strftime(Earliest,"%m/%d/%y %H:%M:%S") | eval LastEvent=strftime(Latest,"%m/%d/%y %H:%M:%S") | eval DiffEvent=strftime(diff,"%m/%d/%y %H:%M") | eval temp = tostring(diff,"duration") | eval NetTotalTime=replace(temp,"(\d*)\+*(\d+):(\d+):(\d+)","\1 days \2 hours \3 minutes \4 secs") | rename FirstEvent as ProcessStart, LastEvent as ProcessEnd | table ProcessStart, ProcessEnd, NetTotalTime ProcessStart returned from the above query is: 08/11/20 06:01:46 ProcessEnd returned from the above query is: 08/11/20 11:35:09 Now using this ProcessStart and ProcessEnd time, I want to find out my memory used, memory available during that time. In general I use the below query to find out the memory available: | mstats avg(_value) prestats=true WHERE metric_name="Memory.Available_Bytes" AND "index"="em_metrics" AND "host"="abc" AND `sai_metrics_indexes` span=10s | timechart avg(_value) AS Avg span=10s | fields - _span* Problem with the above query is that, it gives me the data according to the time range I specify in the time picker. Instead I want to search this query within my ProcessStart and ProcessEnd. Also, is it possible to use both the query in a single search so that I can generate a report from it. Hope the question is clear. Looking forward to hear from someone soon 😊
... View more
08-13-2020
04:27 AM
Hello, I am trying to find two events from my log with time into consideration, as earliest and latest. Next I am trying to find the total time by doing a diff between latest and earliest, but I am getting no data back. Here is how my query looks like: index=test sourcetype="test:node" "enter" OR "exit" | stats earliest(_time) AS Earliest, latest(_time) AS Latest | eval diff=Latest-Earliest | eval FirstEvent=strftime(Earliest,"%m/%d/%y %H:%M") | eval LastEvent=strftime(Latest,"%m/%d/%y %H:%M") | eval DiffEvent=strftime(diff,"%m/%d/%y %H:%M") | eval temp = tostring(round(strptime(Latest,"%m/%d/%y %H:%M") -strptime(Earliest,"%m/%d/%y %H:%M"),0),"duration") | eval NetTotalTime=replace(temp,"(\d*)\+*(\d+):(\d+):(\d+)","\1 days \2 hours \3 minutes \4 secs") | table FirstEvent, LastEvent, NetTotalTime, diff, Earliest,DiffEvent And here is what I get in my result: FirstEvent | LastEvent| NetTotalTime| diff| Earliest| DiffEvent 07/07/20 04:56 08/11/20 08:01 3035102.875 1594078003.853 02/05/70 08:35 FYI: I am only interested in FirstEvent, LastEvent, NetTotalTime (this is coming blank). The last 3 columns (diff, Earliest,DiffEvent) are just to show you how the data looks like. Hope to get an answer soon.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-04-2020
11:41 AM
|
