Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About username13
username13
Explorer
Member since:
09-03-2021
10-05-2022
Community Statistics
| Posts | 8 |
| Solutions | 0 |
| Karma Given | 2 |
| Karma Received | 0 |
| Member Since | 09-03-2021 |
Activity Feed
- Posted Re: Need help with query performance improvement on Splunk Search. 10-05-2022 05:12 AM
- Posted Need help with query performance improvement on Splunk Search. 10-05-2022 02:35 AM
- Posted Re: Creating a timechart with duration on Splunk Search. 09-28-2021 03:23 AM
- Posted Re: Creating a timechart with duration on Splunk Search. 09-28-2021 02:59 AM
- Posted Re: Creating a timechart with duration on Splunk Search. 09-28-2021 02:52 AM
- Karma Re: Creating a timechart with duration for PickleRick. 09-28-2021 02:39 AM
- Posted Creating a timechart with duration on Splunk Search. 09-24-2021 07:23 AM
- Posted Re: How to compare two fields with every value? on Splunk Search. 09-06-2021 04:04 AM
- Karma Re: How to compare two fields with every value? for richgalloway. 09-06-2021 04:04 AM
- Posted How to compare two fields with every value? on Splunk Search. 09-03-2021 06:25 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
10-05-2022
05:12 AM
Hi Giuseppe, thank you very much for your help. Unfortunately my data is incomplete without the transaction command. So I guess I still have to keep it. But I'll keep it in mind! 🙂
... View more
10-05-2022
02:35 AM
Hi guys, I need to evaluate a disruption. It can last multiple hours, so I need to use data which is at least 4h old. This query needs to show all disruptions that are longer than 15 minutes with it's starting timestamp and it's last occurring timestamp. To group all logged events, I need a transaction which also contains the field CompleteDescription. If this field contains specific values which can be seen in the query, it is a disruption. The query I've build works so far but is to slow to collect data from multiple hours. Does anyone have an idea how to improve the query for more performance? Thank you! index=log sourcetype=servlog
| transaction ThreadId host maxspan=180s startswith=(LogMessage=start) endswith=(LogMessage=end)
| stats earliest(_time) as "first", latest(_time) as "last", count by Type, CompleteDescription
| eventstats sum(count) as count_full by Type, CompleteDescription
| eventstats sum(count_full) as total by Type
| eval percentage = round((count_full/total)*100,0)
| eval time_diff = round((last - first)/60, 0)
| eval CompleteDescription=upper(CompleteDescription)
| search Type!=SSL (CompleteDescription = "MISSING RESPONSE" OR CompleteDescription = "TIMEOUT" OR CompleteDescription = "TECHNICAL ERROR" OR CompleteDescription = "INTERNAL SYSTEM ERROR" OR CompleteDescription = "NO REACHABILITY") total >= 10 percentage >= 50 time_diff >= 30
| convert ctime(first) ctime(last)
| table Type, CompleteDescription, count_type, count, percentage
| sort - percentage, total
... View more
Labels
- Labels:
-
eval
-
stats
-
transaction
09-28-2021
03:23 AM
I see. But my aim is to have the number of JobDescription displayed on the Y-axis and the _time on the X-axis. The count should increment with the start_time and the graph should keep this values until the end_time is reached. (I hope it's understandable, I'm trying my best :D). Using the values command, we end up with the.. well.. values from duration on the Y-axis. 🙂
... View more
09-28-2021
02:59 AM
Update: I just set the span to 10 sec and as shown in the picture, the chart is still using just one specific point to view the event. What am I doing wrong?
... View more
09-28-2021
02:52 AM
Thanks for your reply 🙂 I now created this search: searchterms | eval start_time = if(like(_raw, "%START%"), 'start', 'null') | eval end_time = if(like(_raw, "%END%"), 'end', 'null') | transaction JobDescription startswith=(LogMessage="* START *") endswith=(LogMessage="* END *") maxevents=5000 | chart count(duration) over _time The result looks like this: As you can see, there's always at least one duration during the whole 24 hours. But in reality, there are only a few transactions during day. So I'm wondering: Is it possible that the transaction command returns the "duration" field even for timestamps where the created transaction didn't occour? Or is it just because there might be transactions that collect events which don't contain "END" and are fewer than 5000 in sum? Thanks again 🙂
... View more
09-24-2021
07:23 AM
Hey guys. I have multiple events combined to transactions. I'd like to view the duration of each transaction on a timechart to have an overview about when and how long which transaction occured. My search so far is: searchterms | eval start_time = if(like(_raw, "%START%"), 'start', 'null') | eval end_time = if(like(_raw, "%END%"), 'end', 'null') | transaction JobDescription startswith=(LogMessage="* START *") endswith=(LogMessage="* END *") maxevents=5000 | timechart [pls help] I'm pretty lost on that case, so help is very appreciated 🙂
... View more
Labels
- Labels:
-
timechart
-
transaction
09-03-2021
06:25 AM
Hi guys. I'm completly new to Splunk. Sorry if my question seems kinda stupid 🙂 I have some log-data including a GUID. Those are separated in two kinds: "error" and "times". Sometimes, an error-log has the same GUID as a times-log. I need to count those double GUIDs, for that reason I have to extract the GUIDs from their original field und compare them with each other. I managed to extract them with Regex into two new fields. But now I'm searching for an opportunity to compare every error-GUID with every times-GUID. Thanks for your help! 🙂
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
10-05-2022
02:47 AM
|
