Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About kuul13
kuul13
Engager
Member since:
2 weeks ago
Tuesday
Community Statistics
| Posts | 7 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 05-02-2024 |
Activity Feed
- Posted Re: How to add multiple fields to chart count over on Splunk Search. Tuesday
- Posted Re: How to add multiple fields to chart count over on Splunk Search. Tuesday
- Posted Re: How to add multiple fields to chart count over on Splunk Search. Monday
- Posted Re: How to add multiple fields to chart count over on Splunk Search. Saturday
- Posted Re: How to add multiple fields to chart count over on Splunk Search. a week ago
- Posted How to add multiple fields to chart count over on Splunk Search. a week ago
- Posted How to transpose based on regex data to get the counts on Splunk Search. 2 weeks ago
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
Tuesday
Time Event 4/27/245:30:37.182 AM { "Client":"ClientA", "Msgtype":"WebService", "Priority":2, "Interactionid":"1DD6AA27-6517-4D62-84C1-C58CA124516C", "Seq":15831, "Threadid":23, "message":"TimeMarker: MyClient: Result=Success Time=0000.05s Message=No payments found. (RetrievePaymentsXY - ID1:123131 ID2:Site|12313 ID3:05/14/2024-07/12/2024 1|12313", "Userid":"Unknown" } I just want to make sure that I state it right, when I run the following query, I get an output already, so json and fields are all correct. It is just my json was messed up when I massaged it (please ignore) : index=application_na
sourcetype=my_logs:hec
source=my_Logger_PROD
retrievePayments*
returncode=Error
| rex field=message "Message=.* \((?<apiName>\w+?) -"
| lookup My_Client_Mapping Client OUTPUT ClientID ClientName Region
| chart count over ClientName by apiName where `chart count over` is at the end. But, when I move the `lookup` statement after `chart`, I don't get any data back. If I remove the `lookup` the query won't work as `ClientName` is stored in lookup mapping file.
... View more
Monday
My bad, sorry that while I was removing the sensitive data, I messed up the event. Here is the actual one that I used: { Client:ClientA, Msgtype:WebService, Priority:2, Interactionid:1DD6AA27-6517-4D62-84C1-C58CA124516C, Seq:15831, Threadid:23, message: TimeMarker: MyClient: Result=Success Time=0000.05s Message=No payments found. (RetrievePaymentsXY - ID1:123131 ID2:Site|12313 ID3:05/14/2024-07/12/2024 1|12313), Userid:Unknown } And, the regex works too, here is the working example that would extract the apiName: https://regex101.com/r/7f9Cnb/1
... View more
Saturday
I have moved the lookup statement to the end after chart. Here is the latest query that I used. After I move the lookup at the end, I see no data. index=application_na
sourcetype=my_logs:hec
source=my_Logger_PROD
retrievePayments*
| rex field=message "Message=.* \((?<apiName>\w+?) -"
| chart count over client by apiName
| lookup My_Client_Mapping client OUTPUT ClientID ClientName Region Here is the sample events that I am working with, if that helps: Time Event 4/27/24 5:30:37.182 AM { "client":"ClientA", "msgtype":"WebService", "priority":2, "interactionid":"1DD6AA27-6517-4D62-84C1-C58CA124516C", "seq":15831, "threadid":23, "message":"TimeMarker: WebService: Sending result @110ms. (retrievePaymentsXY - ID1:123 ID2:ClientId|1 ID3:01/27/2024-04/27/2024)", "userid":"Unknown" } My_Client_Mapping lookup table has details of my clients like Client ClientId ClientName Region ClientA 1 Client A Eastern ClientB 2 Client B Eastern ClientC 3 Client C Western
... View more
a week ago
This was my original query to get the list of apis that failed for a client. I have more details of the client in the lookup table. How can I extract that in the `chart`. index=application_na
sourcetype=my_logs:hec
source=my_Logger_PROD
retrievePayments*
returncode=Error
| rex field=message "Message=.* \((?<apiName>\w+?) -"
| lookup My_Client_Mapping client OUTPUT ClientID ClientName Region
| chart count over ClientName by apiName This shows the data like ClientName RetrievePaymentsA RetrievePaymentsB RetrievePaymentsC Client A 2 1 4 Client B 2 0 3 Client C 5 3 1 How can I add other fields to the output like this ClientId ClientName Region RetrievePaymentsA RetrievePaymentsB RetrievePaymentsC Any help will be appreciated.
... View more
2 weeks ago
Hi,
I am new to Splunk. I am trying to figure out how to extract count of errors per api calls made for each client.
I have following query that i run :
`index=application_na sourcetype=my_logs:hec source=my_Logger_PROD retrievePayments* ( returncode=Error OR returncode=Communication_Error) | rex field=message "Message=.* \((?<apiName>\w+?) -" | lookup My_Client_Mapping client | table ClientName, apiName'
This query parses message to extract the apinames that starts with `retrievePayments`. And shows this kind of results
ClientName apiName
Client A retrievePaymentsA
Client B retrievePaymentsA
Client C retrievePaymentsB
Client A retrievePaymentsB
I want to see an output where my wildcard apiName are transposed and show error count for every client.
Client retrievePaymentsA retrievePaymentsB retrievePaymentsC retrievePaymentsD
Client A 2 5 0 1
Client B 2 2 1 6
Client C 8 3 0 0
Client D 1 0 4 3
Any help would be appreciated.
... View more
Labels
- Labels:
-
field extraction
-
other
-
regex
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
Tuesday
|
