Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- About PaintItParker
PaintItParker
Explorer
Member since:
04-13-2021
05-06-2021
Community Statistics
| Posts | 5 |
| Solutions | 0 |
| Karma Given | 1 |
| Karma Received | 0 |
| Member Since | 04-13-2021 |
Activity Feed
- Posted Getting Amount of X Events After Last Y Event on Splunk Search. 05-06-2021 09:23 AM
- Posted Timechart Count by Field Name... By Field Name (Combining Timecharts) on Dashboards & Visualizations. 04-26-2021 09:48 AM
- Posted Y-Axis Based on Field Values on Dashboards & Visualizations. 04-19-2021 02:43 PM
- Posted Re: Combining 2 Queries Using Same Field on Splunk Search. 04-13-2021 09:16 AM
- Karma Re: Combining 2 Queries Using Same Field for ericjorgensenjr. 04-13-2021 09:15 AM
- Posted Combining 2 Queries Using Same Field on Splunk Search. 04-13-2021 08:55 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
05-06-2021
09:23 AM
Right now I have something like this: index=my_index sourcetype=my_sourcetype
| rex field=message "- (?<User>\S+) -:"
| rex field=message "- (?<MessageInfo>\S+) :"
| eval Err=if(match(MessageInfo, "(Error example 1)|(Error example 2)"), 1, 0)
| eval Succ=if(match(MessageInfo, "(Success example 1)|(Success example 2)"), 1, 0)
| stats sum(Err) as ErrCount, sum(Succ) as SuccCount by User
| table User, ErrCount, SuccCount So, ErrCount gets the total count of errors for each User. However, I am writing an alert, and we only want to be alerted if there have been 10 or more errors since the last success - over a 4 hour time range. So basically: 1. By User, look at the last success message that occurred in the 4 hour time range 2. If 10 or more errors occurred since the last success message, set a flag for the User - only Users with a flag set are tabled 3. Table User and the amount of errors that occurred since the final success Is this at all possible? How could I start to go about it? I am lost on how to get the last success message and then use that to get the quantity of errors since.
... View more
04-26-2021
09:48 AM
I have two timecharts: index=my_index sourcetype=my_sourcetype
| where area="area1"
| regex message="(?:(^Problem.*)|((?i).*Issue.*)|((?i).*Error.*))"
| timechart count by message and index=my_index sourcetype=my_sourcetype
| where area="area2"
| regex message="(?:(^Problem.*)|((?i).*Issue.*)|((?i).*Error.*))"
| timechart count by message The only thing that makes them different is that one is looking at logs where the value of area is area1, and the other is looking at area2. Rather than have two separate timecharts, I would like to have one timechart with a line for area1 and a line for area2, looking at the count of Issues for each over the given period of time. I do not need a span because the dashboard implements that for me with the time range selection feature. How could I go about this? I tried something like "timechart count by message by area" but that does not work. Thank you.
... View more
Labels
- Labels:
-
timechart
04-19-2021
02:43 PM
I have a field, SecondsSpentExecuting. A logged event will have that field. I want to visualize my data with a line chart, so the x-axis is _time, and the y-axis is SecondsSpentExecuting, so for a given event, at a given time on the x-axis, you see on the y-axis visually how long it took compared to other events in that line chart. The current command I am using is: timechart count by SecondsSpentExecuting But in this case, the y-axis is the quantity of events that spent x seconds executing, so it does not work for my purposes. How could I write a command which considers the actual value of the SecondsSpentExecuting field rather than charting by quantity of events?
... View more
04-13-2021
08:55 AM
I have two queries. One gets the total number of events using the message field: index=my_index sourcetype=my_sourcetype
| stats count(message) AS TotalA
| table TotalA And the other uses multiple regex statements and the message field to get the total number of errors: index=my_index sourcetype=my_sourcetype
| regex message = "(?:(^Problem.*)|((?i).*Issue.*)|((?i).*Error.*))"
| stats count(message) AS TotalB
| table TotalB My goal is to have TotalA and TotalB side by side in a table. I would then like to divide TotalA by TotalB to get a ratio and display that alongside TotalA and TotalB in the table. How could I go about combining these? Thanks!
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
05-06-2021
09:41 PM
|
