Splunk subsearch is not returning the data I expect it to return - splunk

I have:
index="myIndex"
source="mySource1"
source="mySource2"
mySource1 example
2023-02-01 17:00:01 - Naam van gebruiker: hank - Rol van gebruiker: operator
2023-02-02 17:00:01 - Naam van gebruiker: skylar - Rol van gebruiker: operator
2023-02-03 17:00:01 - Naam van gebruiker: walt - Rol van gebruiker: operator
2023-02-02 17:00:01 - Naam van gebruiker: skylar - Rol van gebruiker: administrator
2023-02-03 17:00:01 - Naam van gebruiker: walt - Rol van gebruiker: administrator
mySource2 example
2023-02-06 13:49:57,654 User:hank The user is authenticated and logged in.
2023-02-07 13:49:57,654 User:skylar The user is authenticated and logged in.
2023-02-08 13:49:57,654 User:walt The user is authenticated and logged in.
2023-02-03 13:49:57,654 User:hank The user is authenticated and logged in.
2023-02-02 13:49:57,654 User:skylar The user is authenticated and logged in.
2023-02-01 13:49:57,654 User:walt The user is authenticated and logged in.
In Splunk I need a dashboard with a statistics table, looking like this:
USER, LATEST
hank, 2023-02-03 13:49:57,654 User:hank The user is authenticated and logged in.
skylar, 2023-02-02 13:49:57,654 User:skylar The user is authenticated and logged in.
walt, 2023-02-01 13:49:57,654 User:walt The user is authenticated and logged in
Where USER is column 1 and LATEST column 2. The purpose of the table is to show the user IDs (found in mySource1) and show the latest login event (found in mySource2) so that you can tell when each user last logged in.
Initially I tried this:
index="myIndex"
source="mySource1"
| fields _time, _raw
| rex "Naam van gebruiker: (?<USER>.+) -"
| dedup USER
| table USER
| sort USER
| join type=left
[ search
index="myIndex"
source="mySource2"
"User:myUserID The user is authenticated and logged in."
| stats latest(_raw)
]
But I found out that the second search returns data to the first search. Also, I did not fetch the name from the second search. I later tried the following:
index="myIndex" source="mySource2"
"The user is authenticated and logged in."
| rex "User:(?<USER>\w+) The user is authenticated and logged in."
| search [search index="myIndex"
source="mySource1"
| rex "Naam van gebruiker: (?<USER>.+) -"
| dedup USER
| table USER
| sort USER
| format]
| stats latest(_raw) by USER
But this does not return any data. I tried running both searches separately, and when I do, they return the data I need:
index="myIndex" source="mySource2"
"The user is authenticated and logged in."
| rex "User:(?<USER>\w+) The user is authenticated and logged in."
| table USER
| dedup USER
index="myIndex"
source="mySource1"
| rex "Naam van gebruiker: (?<USER>.+) -"
| dedup USER
| table USER
| sort USER
But once combined, no data is returned.
How do I manage to return the data and get the desired table of results?
EDIT: Forgot to mention, I also need to show users who have a role (source1) but have never logged in (not found in source2). Hence mySource1 is used.

You should be able to combine it all in one go:
index=ndx (source=source1 OR source=source2)
| rex field=_raw "Naam[^:]+:\s(?<user1>\S+)"
| rex field=_raw "User:(?<user2>\S+)\s(?<msg>.+)"
| eval user=coalesce(user1,user2)
| stats max(_time) as _time latest(msg) as msg by user
What this does: extract two fields (user1 & user2) from your two sources
coalesce them into one field named "user"
Report the most recent msg for that user and the most recent _time you have an event for
(You should be able to abbreviate this slightly by using the same named field extraction (user) instead of two with a coalesce, I just wanted it to be clear)
edit to add users that have never logged in
index=ndx source=source1
| rex field=_raw "Naam[^:]+:\s(?<user>\S+)[^:]+:\s(?<role>\w+)"
| stats values(role) as roles by user
| append
[search index=ndx source=source2
| rex field=_raw "User:(?<user>\S+)\s(?<msg>.+)"
| stats latest(msg) as msg max(_time) as msg_time by user ]
| stats values(*) as * by user
| where isnull(msg)
Here we're looking for a list of all users that have roles first, then appending the latest message for each user, then using stats values() to bring them together and throwing away all entries that don't have a msg field via the where clause
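The two-source approach above, as an added example that is not part of the question or the answer: plain Python that applies the same two field extractions to the question's own sample events (the Dutch labels "Naam van gebruiker" and "Rol van gebruiker" mean "User name" and "User role"), keeps the login with the greatest timestamp per user as `latest()` does, and left-joins that onto the role list so users who never logged in still appear. The extra role entry for "jesse" is constructed to exercise that case. Note that the answer's final `where isnull(msg)` keeps only the never-logged-in rows; the `never_logged_in()` helper below shows exactly which rows that is, while `latest_login_table()` returns the full table the question asked for.

```python
import re
from datetime import datetime

# Constructed sample events, copied from the question's mySource1/mySource2,
# plus one constructed role entry for "jesse", who has a role but never logs in.
SOURCE1 = """\
2023-02-01 17:00:01 - Naam van gebruiker: hank - Rol van gebruiker: operator
2023-02-02 17:00:01 - Naam van gebruiker: skylar - Rol van gebruiker: operator
2023-02-03 17:00:01 - Naam van gebruiker: walt - Rol van gebruiker: operator
2023-02-02 17:00:01 - Naam van gebruiker: skylar - Rol van gebruiker: administrator
2023-02-03 17:00:01 - Naam van gebruiker: walt - Rol van gebruiker: administrator
2023-02-04 17:00:01 - Naam van gebruiker: jesse - Rol van gebruiker: operator
"""
SOURCE2 = """\
2023-02-06 13:49:57,654 User:hank The user is authenticated and logged in.
2023-02-07 13:49:57,654 User:skylar The user is authenticated and logged in.
2023-02-08 13:49:57,654 User:walt The user is authenticated and logged in.
2023-02-03 13:49:57,654 User:hank The user is authenticated and logged in.
2023-02-02 13:49:57,654 User:skylar The user is authenticated and logged in.
2023-02-01 13:49:57,654 User:walt The user is authenticated and logged in.
"""

# Field extractions with the same shape as the answer's two rex commands,
# plus a leading timestamp group standing in for Splunk's _time.
RE_ROLE = re.compile(r"^(?P<ts>\S+ \S+) - Naam[^:]+:\s(?P<user>\S+)[^:]+:\s(?P<role>\w+)")
RE_LOGIN = re.compile(r"^(?P<ts>\S+ \S+) User:(?P<user>\S+)\s(?P<msg>.+)")


def parse_ts(text):
    """source1 has second precision, source2 carries ',ms'; accept both."""
    for fmt in ("%Y-%m-%d %H:%M:%S,%f", "%Y-%m-%d %H:%M:%S"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unparseable timestamp: {text!r}")


def latest_login_table(source1, source2):
    """stats values(role) by user from source1, left-joined with
    stats latest(_raw) by user from source2. Every user with a role appears;
    LATEST is None for users who never logged in."""
    roles = {}
    for line in source1.splitlines():
        m = RE_ROLE.match(line)
        if m:
            roles.setdefault(m["user"], set()).add(m["role"])

    latest = {}  # user -> (time, raw line) with the greatest time seen
    for line in source2.splitlines():
        m = RE_LOGIN.match(line)
        if not m:
            continue
        ts = parse_ts(m["ts"])
        if m["user"] not in latest or ts > latest[m["user"]][0]:
            latest[m["user"]] = (ts, line)

    table = []
    for user in sorted(roles):  # equivalent of "| sort USER"
        hit = latest.get(user)
        table.append({
            "USER": user,
            "ROLES": sorted(roles[user]),
            "LATEST": hit[1] if hit else None,
        })
    return table


def never_logged_in(table):
    """The rows that the answer's `where isnull(msg)` keeps."""
    return [row["USER"] for row in table if row["LATEST"] is None]


if __name__ == "__main__":
    for row in latest_login_table(SOURCE1, SOURCE2):
        print(row["USER"], row["ROLES"], row["LATEST"] or "(never logged in)")
```

Because the merge is keyed on the extracted user name, a mismatch in case or trailing punctuation between the two sources would silently turn a logged-in user into a "never logged in" row; normalise the key (for example with `lower()`) in both extractions if the real data needs it.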

Related

How can I create a Laravel API to show ads added by admin based on impression count of users?

I have an admin side in my Laravel project where the admin can add ads along with impressions and hours. For example, if I add an ad with impressions = 2 and hours = 2, then once the user has viewed this ad 2 times, the user will not be shown that ad for the next 2 hours.
Here is the structure of admin ads table:
--------------------------------------
id | image |impressions| hours |
1 | image.png| 2 | 6 |
--------------------------------------
And there's ads_impression_log where i store the log of users who have viewed an ad
---------------------------------------------
id | user_id | ad_id | impression_datetime |
1 | 1 | 1 | 2020-07-28 23:22:45 |
---------------------------------------------
How can I create a Laravel query so that I get the impression count for a specific ad and, if the impression count is reached within the hours, show the user the next ad?
This is my first question here. So, please ignore if there's some mistake :)
Ad Model
public function users(){
    // Users who have viewed this ad, through the ads_impression_log pivot table
    return $this->belongsToMany(App\User::class, 'ads_impression_log', 'ad_id', 'user_id')
        ->withPivot('impression_datetime');
}
User Model
public function ads(){
    // Ads this user has viewed, through the ads_impression_log pivot table
    return $this->belongsToMany(App\Ad::class, 'ads_impression_log', 'user_id', 'ad_id')
        ->withPivot('impression_datetime');
}
Impression count of a given user ($user_id) for a given ad ($ad_id).
We'll use the collection method filter here.
$user = User::with('ads')->find($user_id);
//
// One entry per pivot row, i.e. one per impression of this ad by this user
$ads = $user->ads->filter(function($value, $key) use ($ad_id){
    return $value->id === (int) $ad_id;
});
Now you can get the count of those impressions.
$count = $ads->count();
Impressions required for that ad.
$ads->first()->impressions;
You can do the comparison accordingly.
And to get the impression_datetime column from the pivot table you could do the following.
foreach($ads as $adImp){
    $adImp->pivot->impression_datetime;
}

Splunk left join is not giving results as expected

Requirement: for the payment card information used on a particular day, I want to find out whether there are any telesales orders placed with the same payment card information.
I tried the query below; it is supposed to give me all the payment card information from online orders and the matching payment info from telesales. But it is not giving correct results: basically the results show there are no telesales for the payment information, but when I search Splunk I do find telesales as well. So the query is wrong.
index="orders" "Online order received" earliest=-9d latest=-8d
| rex field=message "paymentHashed=(?<payHash>.([a-z0-9_\.-]+))"
| rename timestamp as onlineOrderTime
| table payHash, onlineOrderTime
| join type=left payHash
[search index="orders" "Telesale order received" earliest=-20d latest=-5m
| rex field=message "paymentHashed=(?<payHash>.([a-z0-9_\.-]+))"
| rename timestamp as TeleSaleTime
| table payHash, TeleSaleTime]
| table payHash, onlineOrderTime, TeleSaleTime
Please help me in fixing the query or a query to find out results for my requirement.
If you do want to do this with a join, what you had, slightly changed, should be correct:
index="orders" "Online order received" earliest=-9d latest=-8d
| rex field=message "paymentHashed=(?<payHash>.([a-z0-9_\.-]+))"
| stats values(_time) as onlineOrderTime by payHash
| join type=left payHash
[search index="orders" "Telesale order received" earliest=-20d latest=-5m
| rex field=message "paymentHashed=(?<payHash>.([a-z0-9_\.-]+))"
| rename timestamp as TeleSaleTime
| stats values(TeleSaleTime) as TeleSaleTime by payHash ]
Note the added | stats values(...) by in the subsearch: you need to ensure you've removed any duplicates from the list, which this will do. By using values(), you'll also ensure that if there are repeated entries for the payHash field, they get grouped together. (Similarly, added a | stats values... before the subsearch to speed the whole operation.)
You should be able to do this without a join, too:
index="orders" (("Online order received" earliest=-9d latest=-8d) OR ("Telesale order received" earliest=-20d))
| rex field=_raw "(?<order_type>\w+) order received"
| rex field=message "paymentHashed=(?<payHash>.([a-z0-9_\.-]+))"
| stats values(order_type) as order_type values(_time) as orderTimes by payHash
| where mvcount(order_type)>1
After you've ensured your times are correct, you can format them - here's one I use frequently:
| eval onlineOrderTime=strftime(onlineOrderTime,"%c"), TeleSaleTime=strftime(TeleSaleTime,"%c")
You may also need to do further reformatting, but these should get you close
fwiw - I'd wonder why you were trying to look at Online orders from only 9 days ago, but Telesale orders from 20 days ago to now: but that's just me.
The join command expects a list of field names on which events from each search will be matched. If no fields are listed then all fields are used. In the example, the fields 'onlineOrderTime' and 'TeleSaleTime' exist only on one side of the join so no matches can be made. The fix is simple: specify the common field name. ... | join type=left payHash ....
First of all, you can delete the last row | table payHash, onlineOrderTime, TeleSaleTime because it doesn't do anything (the join command already joins both tables you created).
Secondly, when running both queries separately - both queries have the same "payHash"es? both queries return back a table with the true results?
Because by the looks of it, you used the join command correctly...
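The join-free variant from the first answer, as an added example that is not part of the question or any of the answers: Python that applies the two rex extractions to constructed order events, restricts each order type to its own search window (the question's -9d..-8d for online orders and -20d..-5m for telesales), then groups by payHash and keeps only hashes that occur in more than one order type, which is what `stats values(order_type) ... by payHash | where mvcount(order_type)>1` does. The hash values, the reference time and the event times are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

ORDER_RE = re.compile(r"(?P<order_type>\w+) order received")
HASH_RE = re.compile(r"paymentHashed=(?P<payHash>[a-z0-9_.-]+)")

# Constructed reference "now" and the two time windows from the question:
# online orders from -9d to -8d, telesale orders from -20d to -5m.
NOW = datetime(2024, 3, 20, 12, 0, 0)
WINDOWS = {
    "Online": (timedelta(days=-9), timedelta(days=-8)),
    "Telesale": (timedelta(days=-20), timedelta(minutes=-5)),
}

# Constructed events: (event time, message field). Hashes are made up.
EVENTS = [
    (NOW - timedelta(days=8, hours=12), "Online order received paymentHashed=a1f3c9e0"),
    (NOW - timedelta(days=8, hours=5), "Online order received paymentHashed=b7d2e4aa"),
    (NOW - timedelta(days=15), "Telesale order received paymentHashed=a1f3c9e0"),
    (NOW - timedelta(days=2), "Telesale order received paymentHashed=a1f3c9e0"),
    (NOW - timedelta(days=30), "Telesale order received paymentHashed=b7d2e4aa"),  # older than -20d
    (NOW - timedelta(days=3), "Online order received paymentHashed=c0ffee01"),  # not in -9d..-8d
    (NOW - timedelta(days=1), "Telesale order received paymentHashed=c0ffee01"),
    (NOW - timedelta(minutes=1), "Telesale order received paymentHashed=a1f3c9e0"),  # newer than -5m
]


def in_window(order_type, ts, now=NOW):
    """earliest <= _time <= latest for the order type's own window."""
    earliest, latest = WINDOWS[order_type]
    return now + earliest <= ts <= now + latest


def shared_payment_hashes(events, now=NOW):
    """Emulates: stats values(order_type) values(_time) by payHash
    | where mvcount(order_type)>1, after per-type time filtering."""
    by_hash = defaultdict(lambda: defaultdict(set))  # payHash -> order_type -> {times}
    for ts, message in events:
        m_type = ORDER_RE.search(message)
        m_hash = HASH_RE.search(message)
        if not (m_type and m_hash):
            continue  # rex did not match; Splunk would leave the fields null
        order_type = m_type["order_type"]
        if order_type not in WINDOWS or not in_window(order_type, ts, now):
            continue
        by_hash[m_hash["payHash"]][order_type].add(ts)
    # values() in Splunk deduplicates and sorts; set + sorted() does the same here.
    return {
        pay_hash: {t: sorted(times) for t, times in types.items()}
        for pay_hash, types in by_hash.items()
        if len(types) > 1
    }


if __name__ == "__main__":
    for pay_hash, types in shared_payment_hashes(EVENTS).items():
        print(pay_hash, {t: [x.isoformat() for x in ts] for t, ts in types.items()})
```

In a single combined search the two windows have to be expressed inside the parentheses per order type, as the answer's join-free SPL does; if the Telesale branch has no `latest=`, it inherits the time picker's end rather than the -5m cutoff, which is why the example applies the cutoff explicitly.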

Query for calculating duration between two different logs in Splunk

As part of my requirements, I have to calculate the duration between two different logs using Splunk query.
For example:
Log 2:
2020-04-22 13:12 ADD request received ID : 123
Log 1 :
2020-04-22 12:12 REMOVE request received ID : 122
The common String between two logs is " request received ID :" and unique strings between two logs are "ADD", "REMOVE". And the expected output duration is 1 hour.
Any help would be appreciated. Thanks
You can use the transaction command, https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction
Assuming you have the field ID extracted, you can do
index=* | transaction ID
This will automatically produce a field called duration, which is the time between the first and last event with the same ID
While transaction will work, it's very inefficient
This stats should show you what you're looking for (presuming the fields are already extracted):
(index=ndxA OR index=ndxB) ID=* ("ADD" OR "REMOVE")
| stats min(_time) as when_added max(_time) as when_removed by ID
| eval when_added=strftime(when_added,"%c"), when_removed=strftime(when_removed,"%c")
If you don't already have fields extracted, you'll need to modify it like this (remove the trailing "$" from the regex if the ID value isn't at the end of the line):
(index=ndxA OR index=ndxB) ("ADD" OR "REMOVE")
| rex field=_raw "ID\s*:\s*(?<ID>\d+)$"
| stats min(_time) as when_added max(_time) as when_removed by ID
| eval when_added=strftime(when_added,"%c"), when_removed=strftime(when_removed,"%c")
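The stats-based pairing from the second answer, as an added example that is not part of the question or either answer: Python that extracts the action and the ID from lines in the question's format and reports, per ID, the ADD time, the REMOVE time and the duration between them. The sample lines are constructed so that one ID has both events (the question's own two lines carry different IDs, 122 and 123, so they would never pair) and one ID has only an ADD. Where `stats min(_time) ... max(_time)` assumes the ADD is always the earlier event, the example uses the action itself to decide which side is which, so a REMOVE logged before its ADD shows up as a negative duration and a lone event shows up as None instead of being silently mis-paired.

```python
import re
from datetime import datetime

# Constructed log lines in the question's format. Unlike the question's sample,
# the ADD and REMOVE for 122 share an ID so they can be paired; 123 has no REMOVE.
LINES = [
    "2020-04-22 12:12 ADD request received ID : 122",
    "2020-04-22 13:12 REMOVE request received ID : 122",
    "2020-04-22 13:30 ADD request received ID : 123",
]

# Same extraction the answer does with rex, with the ID anchored at end of line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<action>ADD|REMOVE) request received ID\s*:\s*(?P<ID>\d+)$"
)


def durations_by_id(lines):
    """Per ID: when_added, when_removed and duration_s (REMOVE minus ADD, in seconds).
    Equivalent of `stats min(_time) as when_added max(_time) as when_removed by ID`,
    except that the action, not the timestamp order, decides which event is which."""
    events = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not one of the two log shapes we pair
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M")
        key = "when_added" if m["action"] == "ADD" else "when_removed"
        rec = events.setdefault(m["ID"], {"when_added": None, "when_removed": None})
        rec[key] = ts
    for rec in events.values():
        added, removed = rec["when_added"], rec["when_removed"]
        rec["duration_s"] = (removed - added).total_seconds() if added and removed else None
    return events


if __name__ == "__main__":
    for id_, rec in durations_by_id(LINES).items():
        print(id_, rec["when_added"], rec["when_removed"], rec["duration_s"])
```

If an ID can legitimately be added and removed more than once, keep a list of (action, time) per ID and pair each REMOVE with the most recent unmatched ADD; the dictionary above keeps only the last event of each kind, which matches what `stats` by ID gives you.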

Join two Splunk queries without predefined fields

I am trying to join 2 splunk queries. However in this case the common string between the 2 queries is not a predefined splunk field and is logged in a different manner. I have created the regex which individually identifies the string but when I try to combine using join, I do not get the result.
I have logs like this -
Logline 1 -
21-04-2019 11:01:02.001 server1 app1 1023456789 1205265352567565 1234567Z-1234-1234-1234-123456789123 Application Completed
Logline 2 -
21-04-2019 11:00:00.000 journey_ends server1 app1 1035625855585989 .....(lots of text) commonID:1234567Z-1234-1234-1234-123456789123 .....(lots of text) status(value) OK
the second Logline can be NOTOK as well
Logline 2 -
21-04-2019 11:00:00.000 journey_ends server1 app1 1035625855585989 .....(lots of text) commonID:1234567Z-1234-1234-1234-123456789123 .....(lots of text) status(value) NOTOK
I have tried multiple things but the best that I can come up with is -
index=test "journey_ends"
| rex "status(value) (?<StatusType>[A-Z][A-Z]*)"
| rex "commonID\:(?<commonID>[^\t]{37})"
| table StatusType, commonID
| join type=inner commonID
[ search index=test "Application Completed"
| rex "^(?:[^\t\n]*\t){7}(?P<commonID>[^\t]+)"
| table _time, commonID]
| chart count over StatusType by commonID
However the above query does not provide me the stats. In verbose mode, I can just see the events of query 1. Please note that the above 2 queries run correctly individually.
However currently I have to initially run the query to fetch the commonIDs from "Application Completed" logline and then in another query give the list of commonIDs found in the result first query as input and find the status value for each commonId from logline 2.
Expected Result (in a table):
StatusType  commonID
OK          1234567Z-1234-1234-1234-123456789123
NOTOK       1234567Z-1234-1234-1234-985625623541
Can you try the below query,
index=main
AND "Application Completed"
| rex "(?<common_id>[[:alnum:]]+-[[:alnum:]]+-[[:alnum:]]+-[[:alnum:]]+-[[:alnum:]]+)"
| table _time, common_id
| join type=inner common_id [
search index=main
| rex "status\(value\)\s+(?<status>.+)$"
| rex "(?<common_id>[[:alnum:]]+-[[:alnum:]]+-[[:alnum:]]+-[[:alnum:]]+-[[:alnum:]]+)"
| table status, common_id
]

Parameterizing with examples keyword in specflow issue

Working with parameterization through the Examples keyword in SpecFlow is creating an issue.
Following is my scenario and code to insert password in the Field:
Scenario Outline: Register Successfully
Given I am shown the Registration view
When I enter CompanyName in the <CompanyName> field
And I enter UserName in the <UserName> field
And I enter Email in the <Email> field
And I enter Password in the <Password> field
And I enter ConfirmPassword in the <ConfirmPassword> field
And I choose to register my account
Then my user account is created
And I am navigated to my company dashboard
Examples:
| CompanyName | UserName | Email | Password | ConfirmPassword |
| XYZ | Salman Haider | salman.haider@gmail.com | FooBar#123 | FooBar#123 |
public void Password(string password, int n)
{
    // Find every element named "password" (password and confirm-password fields)
    // and type the value into the n-th one.
    var passwords = Helper.Driver.FindElements(By.XPath(".//*[@name='password']")).ToList();
    passwords[n].SendKeys(password);
    Thread.Sleep(2000);
}
When it enters the password in the field and clicks on the submit button, it shows a validation error that the password should be 8 characters long, with one capital letter and a special character required, even though the password is all correct. However, the same code works when parameterizing with a table.
Scenario: Register Successfully
Given I am shown the Registration view
When I enter credentials
| CompanyName | UserName | Email | Password | ConfirmPassword |
| Seven | Mobeen | usama.rafiq@gmail.com | FooBar#123 | FooBar#123 |
And I choose to register my account
Then my user account is created
And I am navigated to my company dashboard
But I need the former method to work as I have multiple sets of test data to enter.