Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- About rilee
rilee
Explorer
Member since:
06-25-2021
08-13-2022
Community Statistics
| Posts | 10 |
| Solutions | 0 |
| Karma Given | 5 |
| Karma Received | 1 |
| Member Since | 06-25-2021 |
Activity Feed
- Karma Re: Can I make a drill down report on one page? for bowesmana. 08-11-2022 12:52 PM
- Posted Re: Can I make a drill down report on one page? on Splunk Search. 08-10-2022 08:07 PM
- Karma Re: Can I make a drill down report on one page? for bowesmana. 08-10-2022 07:49 PM
- Posted Re: Can I make a drill down report on one page? on Splunk Search. 08-10-2022 06:25 PM
- Got Karma for Re: Can I make a drill down report on one page?. 08-10-2022 05:58 PM
- Posted Re: Can I make a drill down report on one page? on Splunk Search. 08-10-2022 05:55 PM
- Posted Can I make a drill down report on one page? on Splunk Search. 08-10-2022 04:32 PM
- Karma Re: How do I split a SQL statement's query fields and relate each field with the app name? for ITWhisperer. 07-01-2021 04:35 AM
- Karma Re: How to get 2 values out of a string using rex command for richgalloway. 06-30-2021 11:21 AM
- Posted Re: How to get 2 values out of a string using rex command on Splunk Search. 06-30-2021 11:20 AM
- Posted Re: How to get 2 values out of a string using rex command on Splunk Search. 06-30-2021 11:18 AM
- Tagged Re: How to get 2 values out of a string using rex command on Splunk Search. 06-30-2021 11:18 AM
- Posted How to get 2 values out of a string using rex command on Splunk Search. 06-30-2021 07:51 AM
- Tagged How to get 2 values out of a string using rex command on Splunk Search. 06-30-2021 07:51 AM
- Posted Re: How do I split a SQL statement's query fields and relate each field with the app name? on Splunk Search. 06-28-2021 02:32 AM
- Karma Re: How do I split a SQL statement's query fields and relate each field with the app name? for ITWhisperer. 06-28-2021 02:30 AM
- Posted Re: How do I split a SQL statement's query fields and relate each field with the app name? on Splunk Search. 06-27-2021 10:05 PM
- Posted How do I split a SQL statement's query fields and relate each field with the app name? on Splunk Search. 06-27-2021 12:01 PM
- Tagged How do I split a SQL statement's query fields and relate each field with the app name? on Splunk Search. 06-27-2021 12:01 PM
- Tagged How do I split a SQL statement's query fields and relate each field with the app name? on Splunk Search. 06-27-2021 12:01 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
08-10-2022
08:07 PM
The duration is not captured. It works fine in (Search 1) when only used webapi log. After combination, the txid is captured but duration field is null. Why? | rex field=_raw "\s+T+\s(?<txid>.*?)\s+Controller\\.Post\s\\-\s(?<duration>.*?)\s\\-\s+End"
... View more
08-10-2022
06:25 PM
This new search syntax did not create any errors but did not return any results in the time frame that I knew 18 results should come back. What do I do wrong? I believe the "OR" is the way to combine the raw data (2 log files) but perhaps it's fundamentally incorrect? index="IDX" (host="PRHosts") source="WS.Business.Milestones.log" OR "WS.webapi.log" "EmployeeController.Post" "- End"
| rex field=_raw "\s+T+\s(?<txid>.*?)\s+Controller\\.Post\s\\-\s(?<duration>.*?)\s\\-\s+End"
| rex field=_raw "s/^.* {/{/" mode=sed
| spath output=status path=stat
| spath output=nv path=flds{}.nv
| spath output=status path=stat
| spath output=tid path=tid
| spath output=fn path=flds{}.fn | eval fieldname=mvindex(fn,0)
| eval {fieldname}=mvindex(nv,0)
| eval fieldname=mvindex(fn,1)
| eval {fieldname}=mvindex(nv,1)
| fields - fn nv fieldname
| rex field=dbQueries "(?i)select\s+(?<columns>.*)\s+from"
| eval column=split(columns,", ")
| mvexpand column
| dedup column username | search status=Success column="emp.last_updated_date"
| eval txid=coalesce(txid, tid)
| stats values(*) as * by txid
... View more
08-10-2022
05:55 PM
1 Karma
No need for drill down any more. That is just my initial practice to show in Dashboard through the drill down. I meant to join the search results by txid. I will try your syntax and then extract emp.Last_updated_Date from the combined data. Sorry, my examples shown just to illustrate the formats of records, did not pick the same txid.
... View more
08-10-2022
04:32 PM
I have 2 searches from two individual log files with Txid in common (could be outerjoin): The first search I get the Txid from source file A and get the duration of that transaction. The second search (I used Drilldown Editor to create a click event --> Set TxnId=$click.value$) is to retrieve appname, columns from a SQL statement, host and by the selected Txnid. I'd like to make these two outputs as one result. How do I do it? The exact syntaxes I used are as follows: index="IDX" (host="PRhosts") source="WS.webapi.log" "Controller.Post" "- End" | rex field=_raw "s/^.* {/{/" mode=sed | spath output=status path=stat |rex field=_raw "\s+T+\s(?<txid>.*?)\s+Controller\\.Post\s\\-\s(?<duration>.*?)\s\\-\s+End" |sort - duration |table txid duration index="IDX" (host="PRhosts") source="*WS.Business.Milestones.log" |rex field=_raw "s/^.* {/{/" mode=sed |spath output=nv path=flds{}.nv |spath output=status path=stat |spath output=tid path=tid |spath output=fn path=flds{}.fn | search tid=$Txnid$ | table fn nv host status tid WS.Webapi.log raw date looks like one line below (and you can guess there is a - Begin somewhere above but there is no duration recorded): 08/10/22 19:21:18.33 p06712 [00017] T M2kYTm7ywE6RFEnqc9m_1g Controller.Post - 00:00:00:270 - End WS.Business.Milestones.log raw data look like the following: 08/10/22 19:26:03.44 p08604 [00106] T {"tid":"H2R2JPpkiECRHW5hEszG3Q","sid":"T1-COOLSECURITY:CSAPPAUTH-{E7690AF7-D1F0-4A84-A612-7E47C9F07679}","stat":"Success","sf":"EmployeeLogic","sm":"GetAsync","dt":"2022-08-10T23:26:03.4462133Z","flds":[{"fn":"username","nv":"HostedRedirGlobalEmployeeWS_PR"},{"fn":"dbQueries","nv":"SQL_QUERIES=SELECT emp.EMP_ID, emp.REPORTS_TO_SCID, emp.DEPT_CODE , emp.EMP_ID\n FROM coolemp.SHIPS_COOL2 emp\n WHERE ((UPPER(emp.SYSTEM_PERSON_TYPE) != UPPER('Pending Worker'))) AND ((UPPER(emp.USER_SID) = UPPER(:emp_userSid)))"}]} So I'd like to know how to join the above 2 results into one so I can show the duration, with fn and nv values that has the SQL field "emp.Last_Updated_Date".
... View more
Labels
- Labels:
-
join
06-30-2021
11:20 AM
Sorry, tsid and txid are the same I am referring to. ^_^ I will refine my syntax to use your line. Thanks again
... View more
06-30-2021
11:18 AM
In my base index search, I added "EmployeeController.Post" "- End" filter values to return only the lines I need. Then I used | rex field=_raw "\s+T+\s(?<txid>.*?)\s+EmployeeController\\.Post\s\\-\s(?<duration>.*?)\s\\-\s+End" |table txid duration That did work and I have solved my issue just an hour ago! But yours looks much neater. Thank you so much for your reply. I appreciate it. Practice makes perfection and I shall get better sooner than later.
... View more
- Tags:
- rex
06-30-2021
07:51 AM
I have the following sample data returned that I'd like to extract 2 fields out of it: 1) The value after the "T " and before the "EmployeeController.Post -" will be the first field <tsid>. 2) Between the "EmployeeController.Post - " and " - End" will be the second field <duration>. 06/30/21 09:39:21.39 p17872 [00226] T ELBJsZX6wk68nXrUKKEd4g EmployeeController.Post - 00:00:00:538 - End Your help is highly appreciated.
... View more
- Tags:
- rex
Labels
- Labels:
-
rex
06-28-2021
02:32 AM
Got it, I see something new. One step at a time. Just started Splunking for less than 7 days. Hopefully one day can be as powerful as you all. So I can also whisper without too much sweat! ^_^ Later.
... View more
06-27-2021
10:05 PM
Thank you for the reply. I understand the syntax you shared but I am not sure how to incorporate the syntax. (Reading now more examples for |makeresults usage.) I appended your lines after my initial lines (that yielded many rows of results): index="my_index" (host="host1*" OR host="host2" OR host="host3" OR host="host4") source="*Business.Milestones.log" | rex field=_raw "s/^.* {/{/" mode=sed Execution error tells me | Makeresults needs to be the first command in search. What I showed in Json is from the first row of the returned results. The search has many rows returned with the SQL statement dynamically generated. So the column count will vary. Will the |Makeresults syntax able to translate that? And I need to fill(append) the application names ((nv,0)) in each column((nv,1). If I make the results working, how to make the metrics to summarize desired final output? e.g.: columnA app1, app2, etc. ColumnB app2, app4, etc. etc. As many columns whichever apps request for whatever columns Is it possible?
... View more
06-27-2021
12:01 PM
I have a search result like below: { [-] dt: 2021-06-24T22:46:40.7013297Z flds: [ [-] { [-] fn: username nv: LearningRegApplication } { [-] fn: dbQueries nv: SQL_QUERIES=Select emp.fieldA, emp.fieldB, emp.fieldC, emp.fieldD from Template.table emp WHERE (UPPER(emp.fieldA) = UPPER(:emp.fieldA)) AND (UPPER(emp.fieldB) = UPPER(:emp_fieldB)) AND (UPPER(emp.fieldC) IN (UPPER('aaa'), UPPER('bbb'), UPPER('ccc'), UPPER('ddd'))) } ] sf: EmployeeLogic sid: T1-SECURITY-{A-8FE-76E9-C3A2-ED890B} sm: GetAsync stat: Success tid: yb6Any-PG00IG53 } I used |SPATH OUTPUT=status PATH=stat | SPATH OUTPUT=nv PATH=flds{}.nv | SPATH OUTPUT=fn PATH=flds{}.fn | Table fn nv host status. The results return 4 columns. Each row has the array of the 2 sets of key-value pair in the fn/nv stacked together. But host and status has only hostname and status values as follows: fn nv host status (Row 1) username LearningRegApplication MyHost Success (Row 1) dbQueries SQL_QUERIES=Select emp.fieldA, emp.fieldB, emp.fieldC, emp.fieldD from Template.table emp WHERE (UPPER(emp.fieldA) = UPPER(:emp.fieldA)) AND (UPPER(emp.fieldB) = UPPER(:emp_fieldB)) AND (UPPER(emp.fieldC) IN (UPPER('aaa'), UPPER('bbb'), UPPER('ccc'), UPPER('ddd'))) And I have uploaded a CSV file that contains all query fields name. I want to see each field was queried by which application and insert them in that field row (not sure what is the best way to present this information). So the output may look like something below: fieldA LearningRegApplication fieldB LearningRegApplication, AThirdApp fieldC LearningRegApplication, ASecondApp fieldD LearningRegApplication fieldE ASecondApp, AThirdApp fieldF AForthApp : : What is the way to use the full CSV list of field names to insert the app to each SQL field name?
... View more
Labels
- Labels:
-
lookup
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-13-2022
05:30 AM
|
