Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About stevenulbrich
stevenulbrich
Explorer
Member since:
10-17-2020
05-04-2021
Community Statistics
| Posts | 9 |
| Solutions | 0 |
| Karma Given | 4 |
| Karma Received | 2 |
| Member Since | 10-17-2020 |
Activity Feed
- Posted Combine 2 Queries that use the same Lookup CSV but different column in Lookup on Splunk Search. 05-04-2021 05:18 PM
- Posted Re: Need help of review of 5 year old search to improve it. on Splunk Search. 05-04-2021 04:23 PM
- Karma Re: Need help of review of 5 year old search to improve it. for to4kawa. 05-04-2021 04:21 PM
- Posted Re: Need help of review of 5 year old search to improve it. on Splunk Search. 05-04-2021 04:44 AM
- Posted Need help of review of 5 year old search to improve it. on Splunk Search. 05-03-2021 12:27 PM
- Posted Re: Splunk Statics Table - How to get the max of column and use it to evaluate each row on Splunk Search. 02-06-2021 06:52 PM
- Karma Re: Splunk Statics Table - How to get the max of column and use it to evaluate each row for scelikok. 02-06-2021 06:51 PM
- Karma Re: Splunk Statics Table - How to get the max of column and use it to evaluate each row for tread_splunk. 02-06-2021 06:51 PM
- Tagged Splunk Statics Table - How to get the max of column and use it to evaluate each row on Splunk Search. 02-05-2021 02:05 PM
- Tagged Splunk Statics Table - How to get the max of column and use it to evaluate each row on Splunk Search. 02-05-2021 02:05 PM
- Posted Splunk Statics Table - How to get the max of column and use it to evaluate each row on Splunk Search. 02-05-2021 02:04 PM
- Posted Re: How to include earliest and latest date time in the results on Splunk Search. 10-18-2020 10:42 AM
- Karma Re: How to include earliest and latest date time in the results for inventsekar. 10-18-2020 10:40 AM
- Got Karma for Re: How to include earliest and latest date time in the results. 10-17-2020 08:58 PM
- Tagged Re: How to include earliest and latest date time in the results on Splunk Search. 10-17-2020 06:26 PM
- Posted Re: How to include earliest and latest date time in the results on Splunk Search. 10-17-2020 06:25 PM
- Got Karma for How to include earliest and latest date time in the results. 10-17-2020 01:40 PM
- Posted How to include earliest and latest date time in the results on Splunk Search. 10-17-2020 12:42 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 1 |
05-04-2021
05:18 PM
Hello - I am looking for recommendations on combining 2 searches that use the same Lookup CSV but different columns in the CSV as the link to the lookup. Thank you all for taking a look and providing insights. CSV lookup Columns Job_Config_Name,Job,Job_Thread_Name,Frequency_mins,Job_Name,Job_Type,Job_Task,Active Search 1 index="idx_cibca_App_prod" sourcetype = "tomcat:runtime:log:jpma" AND "lastUpdatedTS" OR "Time taken for" host=Server_1 OR host=Server_2 OR host=Server_3 OR host=Server_4 OR host=Server_5 OR host=Server_6 OR host=Server_7 OR host=Server_8 | rex "(?<Job_Thread_Name>[a-z].*Range)" | rex "(?<DATE_TIME>^(\d+)-(\d+)-(\d+)(\s+)(\d+):(\d+):(\d+).(\d+))" | stats latest(_time) as _time , latest(host) as host by Job_Thread_Name | lookup App-Job-Index-Lookup.csv Job_Thread_Name OUTPUTNEW | eval Thread_Last_Executed=strftime(_time, "%Y-%m-%d %I:%M:%S %p"), EPOC_Time=(_time) | eval Lag=round((now()-EPOC_Time)/60) | eval Status=if(isnull(Lag), "NOT OK - Job not running", if(Lag<= if(Frequency_mins>60, Frequency_mins+10, 70),"OK","NOT OK - Job not running - Lag found")) | table Job_Name, host, Job_Thread_Name, Frequency_mins,Job_Config_Name, Thread_Last_Executed,Lag,Status,Job_Status,Job_Status_Logged,TIMETAKEN_IN_MINS Search 2 index="idx_cibca_App_prod" sourcetype="tomcat:runtime:log:jpma" AND "Job Details job name:" host=Server_1 OR host=Server_2 OR host=Server_3 OR host=Server_4 OR host=Server_5 OR host=Server_6 OR host=Server_7 OR host=Server_8 | rex "Job Details job name:(?<Job_Config_Name>.*) status:(?<JOB_STATUS>.*) timetaken:(?<TIMETAKEN>.*) minutes" | rex "(?<DATE_TIME>^(\d+)-(\d+)-(\d+)(\s+)(\d+):(\d+):(\d+).(\d+))" | stats latest(DATE_TIME) AS Job_Status_Logged latest(JOB_STATUS) AS Job_Status, latest(TIMETAKEN) AS TIMETAKEN_IN_MINS by Job_Config_Name | lookup App-Job-Index-Lookup.csv Job_Config_Name OUTPUT Job_Name, Frequency_mins, Job_Config_Name, Job_Thread_Name | table Job_Name, Job_Thread_Name, Frequency_mins,Job_Status,Job_Status_Logged,TIMETAKEN_IN_MINS
... View more
05-04-2021
04:23 PM
Thank you @to4kawa now I have to post a question on combining two searches. I failed to realize the original search is two queries.
... View more
05-04-2021
04:44 AM
Let me give a spin - Thank you @to4kawa
... View more
05-03-2021
12:27 PM
Hello - I have Splunk report that was generated 5 years ago. I was looking for advice. Can it be updated to work better? It is currently running but seems to take long time to complete. I tried to improve but not knowledgeable enough to make sure I will not screw it up. So all insights would be greatly appreciated. Need to make sure the contents of the lookup CVS generate a complete list of jobs. It is important to see if a job is not running. I assume this LEFT joint from the CSV to the results. Using the Frequency_mins to do the calculations. It seems the original search is doing additional calculations. I do apologize for such a large query. index="idx_cibca_Application_prod" sourcetype = "tomcat:runtime:log:jpma" AND "lastUpdatedTS" OR "Time taken for" host=Server_1 OR host=Server_2 OR host=Server_3 OR host=Server_4 OR host=Server_5 OR host=Server_6 OR host=Server_7 OR host=Server_8 | eval Job_Thread_Name=case(like(_raw,"%tspPaymentArchiveExecutorIncrementalPoolSizeRange%") ,"tspPaymentArchiveExecutorIncrementalPoolSizeRange",like(_raw,"%completedTxnReplaceIncrementalPoolSizeRange%") ,"completedTxnReplaceIncrementalPoolSizeRange", like(_raw,"%completedTxnBackoutCdIncrementalPoolSizeRange%") ,"completedTxnBackoutCdIncrementalPoolSizeRange", like(_raw,"%completedTxnBackoutPdIncrementalPoolSizeRange%") ,"completedTxnBackoutPdIncrementalPoolSizeRange", like(_raw,"%oneYearCompletedTxnArchivalIncrementalExecutor%") ,"oneYearCompletedTxnArchivalIncrementalExecutor", like(_raw,"%twoYearCompletedTxnArchivalIncrementalExecutor%") ,"twoYearCompletedTxnArchivalIncrementalExecutor", like(_raw,"%fxRateExecutorIncrementalPoolSizeRange%") ,"fxRateExecutorIncrementalPoolSizeRange", like(_raw,"%mfAccountBalancePDExecutorIncrementalPoolSizeRange%") ,"mfAccountBalancePDExecutorIncrementalPoolSizeRange", like(_raw,"%achPaymentExecutorWithPoolSizeRange%") ,"achPaymentExecutorWithPoolSizeRange", like(_raw,"%achtemplateIncrementalExecutorWithPoolSizeRange%") ,"achtemplateIncrementalExecutorWithPoolSizeRange", like(_raw,"%tspPaymentExecutorIncrementalPoolSizeRange%") ,"tspPaymentExecutorIncrementalPoolSizeRange", like(_raw,"%tspTemplateExecutorIncrementalPoolSizeRange%") ,"tspTemplateExecutorIncrementalPoolSizeRange", like(_raw,"%acctEntitlementExecutorIncrementalPoolSizeRange%") ,"acctEntitlementExecutorIncrementalPoolSizeRange", like(_raw,"%achEntitlementExecutorIncrementalPoolSizeRange%") ,"achEntitlementExecutorIncrementalPoolSizeRange", like(_raw,"%acttxEntitlementExecutorIncrementalPoolSizeRange%") ,"acttxEntitlementExecutorIncrementalPoolSizeRange", like(_raw,"%atsAccountExecutorIncrementalPoolSizeRange%") ,"atsAccountExecutorIncrementalPoolSizeRange", like(_raw,"%completedTxnCDExecutorIncrementalPoolSizeRange%") ,"completedTxnCDExecutorIncrementalPoolSizeRange", like(_raw,"%completedTxnPDExecutorIncrementalPoolSizeRange%") ,"completedTxnPDExecutorIncrementalPoolSizeRange", like(_raw,"%accountGroupExecutorIncrementalPoolSizeRange%") ,"accountGroupExecutorIncrementalPoolSizeRange", like(_raw,"%accountNickNameExecutorIncrementalPoolSizeRange%") ,"accountNickNameExecutorIncrementalPoolSizeRange", like(_raw,"%accountRetentionExecutorIncrementalPoolSizeRange%") ,"accountRetentionExecutorIncrementalPoolSizeRange",like(_raw,"%mfAccountBalanceCDExecutorIncrementalPoolSizeRange%") ,"mfAccountBalanceCDExecutorIncrementalPoolSizeRange", like(_raw,"%pymtCutoffExecutorIncrementalPoolSizeRange%") ,"pymtCutoffExecutorIncrementalPoolSizeRange", like(_raw,"%achFileImportsExecutorWithPoolSizeRange%") ,"achFileImportsExecutorWithPoolSizeRange") | stats latest(_time) as _time , latest(host) as host by Job_Thread_Name | eval Thread_Last_Executed=strftime(_time, "%Y-%m-%d %I:%M:%S %p"), EPOC_Time=(_time) | eval Lag=round((now()-EPOC_Time)/60) | table Job_Thread_Name, Thread_Last_Executed, host, Lag | lookup Application_Job_Thread_Name.csv Job_Thread_Name OUTPUTNEW Job_Name Job_Config_Name Frequency_Bucket_in_mins | table Job_Name, host, Job_Thread_Name, Job_Config_Name, Frequency_Bucket_in_mins, Thread_Last_Executed, Lag | inputlookup append=t Application_Job_Thread_Name.csv | dedup Job_Name | table Job_Name, host, Job_Thread_Name, Job_Config_Name, Frequency_Bucket_in_mins , Thread_Last_Executed, Lag | eval Status=if(isnull(Lag), "NOT OK - Job not running", if(Lag<= if(Frequency_Bucket_in_mins>60, Frequency_Bucket_in_mins+10, 70),"OK","NOT OK - Job not running - Lag found")) | join type=left Job_Config_Name [ search index="idx_cibca_Application_prod" sourcetype="tomcat:runtime:log:jpma" AND "Job Details job name:" host=Server_1 OR host=Server_2 OR host=Server_3 OR host=Server_4 OR host=Server_5 OR host=Server_6 OR host=Server_7 OR host=Server_8 | rex "Job Details job name:(?<Job_Config_Name>.*) status:(?<JOB_STATUS>.*) timetaken:(?<TIMETAKEN>.*) minutes" | rex "(?<DATE_TIME>^(\d+)-(\d+)-(\d+)(\s+)(\d+):(\d+):(\d+).(\d+))" | stats latest(DATE_TIME) AS Job_Status_Logged latest(JOB_STATUS) AS Job_Status, latest(TIMETAKEN) AS TIMETAKEN_IN_MINS by Job_Config_Name] | rename host as Thread_Host | table Job_Name, Thread_Host, Job_Thread_Name, Frequency_mins, Thread_Last_Executed,Lag,Status,Job_Status,Job_Status_Logged,TIMETAKEN_IN_MINS | eval Job_Status_Logged = if(isnull(Job_Status_Logged),"NA",Job_Status_Logged), Job_Status = if(isnull(Job_Status),"NA",Job_Status), TIMETAKEN_IN_MINS = if(isnull(TIMETAKEN_IN_MINS),"NA",TIMETAKEN_IN_MINS) CSV File content is: Job_Config_Name,Job_Name,Job_Thread_Name,Frequency_mins ach_payment_incremental_loader_task,ACH Payment,achPaymentExecutorWithPoolSizeRange,1 achTemplateIncrementalLoaderTask,ACH Tempate,achtemplateIncrementalExecutorWithPoolSizeRange,1 tsp_payment_incremental_loader_task,TSP Payments,tspPaymentExecutorIncrementalPoolSizeRange,1 tsp_template_incremental_loader_task,TSP Template,tspTemplateExecutorIncrementalPoolSizeRange,1 acct_entitlement_incremental_loader_task,Account Entitlement,acctEntitlementExecutorIncrementalPoolSizeRange,5 ach_entitlement_incremental_loader_task,ACH Entitlement,achEntitlementExecutorIncrementalPoolSizeRange,5 acttx_entitlement_incremental_loader_task,AT Entitlement,acttxEntitlementExecutorIncrementalPoolSizeRange,5 account_incremental_job,Account,atsAccountExecutorIncrementalPoolSizeRange,5 completed_txn_cd_incremental_job,Completed TXN CD,completedTxnCDExecutorIncrementalPoolSizeRange,5 completed_txn_pd_incremental_job,Completed TXN PD,completedTxnPDExecutorIncrementalPoolSizeRange,5 account_group_incremental_loader_task,Account Group,accountGroupExecutorIncrementalPoolSizeRange,1 account_nickname_incremental_job,Nick Name,accountNickNameExecutorIncrementalPoolSizeRange,5 account_retention_incremental_job,Retention,accountRetentionExecutorIncrementalPoolSizeRange,5 oneYearCompletedTxnArchiveIncrementalJob,One Year Retention,oneYearCompletedTxnArchivalIncrementalExecutor,60 twoYearCompletedTxnArchiveIncrementalJob,Two year Retention,twoYearCompletedTxnArchivalIncrementalExecutor,60 account_balance_cd_incremental_job,Balance Cd,mfAccountBalanceCDExecutorIncrementalPoolSizeRange,5 account_balance_pd_incremental_job,Balance PD,mfAccountBalancePDExecutorIncrementalPoolSizeRange,10 fxrate_incremental_loader_task,FX Rate,fxRateExecutorIncrementalPoolSizeRange,30 completed_txn_replace_incremental_loader_task,Replace,completedTxnReplaceIncrementalPoolSizeRange,480 completed_txn_backout_cd_incremental_loader_task,Backout CD,completedTxnBackoutCdIncrementalPoolSizeRange,360 completed_txn_backout_pd_incremental_loader_task,Backout PD,completedTxnBackoutPdIncrementalPoolSizeRange,360 tsp_payment_archive_incremental_loader_task,TSP payment Archive,tspPaymentArchiveExecutorIncrementalPoolSizeRange,10080 payment_cutoff_incremental_loader_task,Payment Cutoff,pymtCutoffExecutorIncrementalPoolSizeRange,1 ach_fileimports_incremental_loader_task,ACH File Import,achFileImportsExecutorWithPoolSizeRange,1
... View more
02-06-2021
06:52 PM
I will give it a try tomorrow and update with my results.
... View more
02-05-2021
02:04 PM
Splunk Statics Table - How to get the max of column and use it to evaluate each row Hello, looking for advice and recommendations. I have a splunk query index=idx_source1 source=*app.log* clientEntitlementsCacheDataRetriever clientCount|table _time,host,clientCount I am trying to get the max value of the clientCount then use that value to compare to the each host. The idea to make are report/alert of host not having all the clients in cache. I suspect a subquery could be used but not sure that will work on a report. Need Help - from banging my Head more Steven
... View more
10-18-2020
10:42 AM
The information was what I needed. Thank you using the eval with strftime it allowed me to convert to a MM/DD/YYYY format. 🙂 Steven
... View more
10-17-2020
06:25 PM
1 Karma
Hello inventsekar I will not sending the report. I am going to use the report as part of my Python SDK solution. I have to take the data and generate longer term data capture and reporting. So I'm sorry the including of the search string will not be ba solution. As I work with the data in Pandas and Excel the the Earliest and Latest dates will be used to show when the data was pulled. The splunk I'm using can only hold 30 days of data maximum. Steven
... View more
- Tags:
- inventsekar
10-17-2020
12:42 PM
1 Karma
Hello, I feels this such a noob question but just cannot find my answer. I want to include the earliest and latest datetime criteria in the results. The results of the bucket _time span does not guarantee that data occurs. I want to show range of the data searched for in a saved search/report. index=idx_noluck_prod source=*nifi-app.log* APILifeCycleEventLogger "Event Durations(ms)" API=/v*/payments/ach/* | bucket _time span=day |stats count(eval(EndToEnd < 1200)) as EndToEnd_Completed_1.2-Seconds, count(eval(EndToEnd)) as Total_Transactions by ClientId,_time Thank you all in advance for increasing my understanding and knowledge. Steven
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
05-04-2021
08:40 PM
|
