Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About heorhii12412
heorhii12412
Explorer
Member since:
06-29-2023
07-14-2023
Community Statistics
| Posts | 7 |
| Solutions | 0 |
| Karma Given | 7 |
| Karma Received | 0 |
| Member Since | 06-29-2023 |
Activity Feed
- Karma Re: Parsing different time fields for transactions for richgalloway. 07-14-2023 08:44 AM
- Posted Re: Parsing different time fields for transactions on Splunk Search. 07-14-2023 08:43 AM
- Karma Re: Parsing different time fields for transactions for richgalloway. 07-14-2023 08:43 AM
- Karma Re: Parsing different time fields for transactions for richgalloway. 07-14-2023 08:43 AM
- Posted Re: Parsing different time fields for transactions on Splunk Search. 07-11-2023 04:52 AM
- Posted Re: Parsing different time fields for transactions on Splunk Search. 07-10-2023 08:53 AM
- Posted Parsing different time fields for transactions on Splunk Search. 07-10-2023 07:27 AM
- Tagged Parsing different time fields for transactions on Splunk Search. 07-10-2023 07:27 AM
- Tagged Parsing different time fields for transactions on Splunk Search. 07-10-2023 07:27 AM
- Tagged Parsing different time fields for transactions on Splunk Search. 07-10-2023 07:27 AM
- Tagged Parsing different time fields for transactions on Splunk Search. 07-10-2023 07:27 AM
- Karma Re: Aggregation search for different fields help for yuanliu. 07-04-2023 06:01 AM
- Posted Re: Aggregation search for different fields help on Splunk Search. 07-03-2023 07:30 AM
- Karma Re: Aggregation search for different fields help for yuanliu. 07-03-2023 07:14 AM
- Karma Re: Aggregation search for different fields help for yuanliu. 06-30-2023 08:08 AM
- Posted Re: Aggregation search for different fields help on Splunk Search. 06-30-2023 04:17 AM
- Posted Aggregation search for different fields help on Splunk Search. 06-29-2023 08:04 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
07-14-2023
08:43 AM
Unfortunately, this didn't work for me. Still, no idea why those events are not found
... View more
07-11-2023
04:52 AM
@richgalloway I have another query: event_status="delivered" OR event_status="in_transit"
| transaction tracking_number startswith=event_status=delivered endswith=event_status=in_transit keepevicted=true
| where duration > 3600
| search closed_txn=1 Which returned 5 transactions fit for this condition for the last 2 weeks. Here's one of those(accidentally fits my final requirement): {"timestamp":"2023-07-06T23:44:52.784Z","tracking_number":"C11900891311111","event_status":"delivered","event_time":"2023-07-06T23:44:38.722Z"}
{"timestamp":"2023-07-07T07:03:10.712Z","tracking_number":"C11900891311111","event_status":"in_transit","event_time":"2023-07-03T18:24:36.668Z"} If we take a look at event_time field of the delivered event and assume that it will replace _time field for it, then after comparison of two timestamps in_transit event clearly came 8 hours after the first one. For some reason, these 5 transactions are not included in the total calculations in the query that you helped me to compose: event_status="delivered" OR event_status="in_transit"
| eval _time=if(event_status="delivered", strptime(event_time, "%Y-%m-%dT%H:%M:%S.%3N%Z"), _time)
| sort - _time
| transaction tracking_number startswith=event_status=delivered endswith=event_status=in_transit keepevicted=true
| where duration > 3600
| stats sum(eventcount) as eventcount by closed_txn
| eventstats sum(eventcount) as totalcount
| where closed_txn == 1``` remaining eventcount only includes complete transactions ```
| eval percentage = eventcount * 100 / totalcount The strange thing is - I tried singling this transaction this way: event_status="delivered" OR event_status="in_transit" AND "C11900891311111"
| eval _time=if(event_status="delivered", strptime(event_time, "%Y-%m-%dT%H:%M:%S.%3N%Z"), _time)
| sort - _time
| transaction tracking_number startswith=event_status=delivered endswith=event_status=in_transit keepevicted=true
| where duration > 3600
| stats sum(eventcount) as eventcount by closed_txn And successfully found it! But removing condition AND "C11900891311111" at the start of the query gives me 0 results. This is very strange, right? P.S. Sorry for my continuous inquiries, I just really want to get to the root of the problem. I will upvote your answers as well!
... View more
07-10-2023
08:53 AM
Good solution! I didn't even know we could intervene in the fields to this extent. But this solution didn't work for me. Splunk gives Error in 'transaction' command: This search requires events to be in descending time order, but the preceding search does not guarantee time-ordered events. I don't really understand the problem, if the conditions are not met, then why not ignore this transaction in the final calculation? Probably has something to do with transaction conditions startswith and endswith. But I'm not sure. Do you happen to know a solution?
... View more
07-10-2023
07:27 AM
Hello everyone, I have a bit of a strange requirement, which includes close work with time values. I have Splunk events in the following format: event_time: 2023-06-29T14:49:42.787Z
shipment_status: delivered
timestamp: 2023-06-29T14:49:51.069Z
tracking_number:95AAEC4900000 Where shipment_status can have different values, but I need only in_transit and delivered, also timestamp field is basically the same as the built-in _time field. I need to group events based on tracking_number field, and show the percentage of these pairs to the rest of the events, but do that in a way that in_transit events should have come after delivered events more than an hour after. The catch is - we should consider the difference between _time/timestamp field for in_transit event and event_time field for delivered event. For example, my query: event_status="delivered" OR event_status="in_transit"
| transaction tracking_number startswith=event_status=delivered endswith=event_status=in_transit keepevicted=true
| where duration > 3600
| stats sum(eventcount) as eventcount by closed_txn
| eventstats sum(eventcount) as totalcount
| where closed_txn == 1``` remaining eventcount only includes complete transactions ```
| eval percentage = eventcount * 100 / totalcount uses a duration field, which automatically uses _time field for both events, but I need to get the duration of <_time/timestamp(second_event/in_transit)> - <event_time(first_event/delivered)> = 1h15m(for example), which is more than one hour, so this transaction should be included in the eventcount calculation. Basically, I need to change this | where duration > 3600 condition in my query for a correct time calculation of both events in the transaction, fitting what I described earlier. I still have not found a way to compare fields for these separate events in the transaction, so could someone offer some help? I will be very grateful for any suggestions or solutions!
... View more
Labels
07-03-2023
07:30 AM
I also have a question related to the time frames, for the query you provided earlier | transaction tracking_number startswith=shipment_status=in_transit endswith=shipment_status=delivered keepevicted=true
| stats sum(eventcount) as eventcount by closed_txn
| eventstats sum(eventcount) as totalcount
| where closed_txn == 1``` remaining eventcount only includes complete transactions ```
| eval percentage = eventcount * 100 / totalcount Is it possible to add a clause, that only transactions, for which events span more than 1 hour between them, could be included in the eventcount ? using the _time field for example? Transaction's maxspan and maxpause do not suit these calculations, and I couldn't write something using mvindex or strptime to make it work. For example, in_transit event was received at 7/3/23 9:07:00.000 AM and delivered events came after that at 7/3/23 11:10:00.000 AM, in this case, this transaction should be considered as completed and counted to eventcount. I would be very grateful for your help!
... View more
06-30-2023
04:17 AM
Thanks a lot, you really just saved me! I haven't even watched on the transaction command side, tried to do it just by eval and eventstats commands.
... View more
06-29-2023
08:04 AM
Hello everyone! I have Splunk events in the following format: activity_time: 2023-06-29T12:45:06Z event_time: 2023-06-29T14:49:42.787Z shipment_status: delivered timestamp: 2023-06-29T14:49:51.069Z tracking_number:95AAEC4900000 And of course, every event has a time value on top of already provided values, shipment_status can contain values like 'delivered' and 'in_process' and some other values. I need to find the percentage of events with the same 'tracking_number' values, for which events with the shipment_status: in_process values came first, before events with the shipment_status: delivered status values. It means that I need to filter events based on their tracking_number, find among those events only those with shipment_status: in_process or delivered, and then compare the time of both events and count them to the overall percentage of the filtered events if in_process events were first, for example, 1 hour before the delivered event. I'm very confused with the operators that Splunk uses for the filtering and calculating logic, could someone please help me with the composition of the query?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
07-14-2023
12:04 PM
|
