Issue with Splunk Query Stats not bringing in all values - splunk

I have a log which has below lines in it:
"Results":{"Elapsed":"0","Message":"No of Application to Obsolete in Teradata : 4","TraceLevel":"INFO"},"Security":{"Vendor":"CRAB"}}
"Results":{"Elapsed":"0","Message":"Total Application Asset in Teradata : 1696","TraceLevel":"INFO"},"Security":{"Vendor":"CRAB"}}
"Results":{"Elapsed":"0","Message":"Total Application count from SPAM : 1694","TraceLevel":"INFO"},"Security":{"Vendor":"CRAB"}}
"Results":{"Elapsed":"0","Message":" Application/s to Obsolete in Teradata : [PA00007618, PA00007617, PA00007619, PA00007620]","TraceLevel":"INFO"},"Security":{"Vendor":"CRAB"}}
I want the output to have the below fields like a summary and not like in 4 columns.
ExecutionDate Host Summary
02-24-2021 Production No of Application to Obsolete in Teradata : 4
Total Application Asset in Teradata : 1696
Total Application count from SPAM : 1694
Application/s to Obsolete in Teradata : [PA00007618,
PA00007617, PA00007619, PA00007620]
I have built the below query but it's only giving me one record:
ExecutionDate Host Total Application count from SPAM : 1694
index=hdt sourcetype=Teradata_SPAM_logs | fields -_raw
| where match(_raw, "Host_cdc") and (match(_raw,"Total\sApplication\scount\sfrom\sSPAM\s*")
OR match(_raw,"Total\sApplication\sAsset\sin\sTeradata\s*")
OR match(_raw,"No\sof\sApplication\sto\sObsolete\sin\sTeradata\s*")
OR match(_raw,"List\sof\sApplications\sin\sTeradata\sto\sbe\smarked*")
)
| rex "(?<Summary>\"Message\":(.*\w+)\s:.*)"
| rex "(?<Host>\"Host\":(.*\",))"
| rex "(?<ExecutionDate>\d{4}\-\d{2}\-\d{2})"
| rex field=Summary mode=sed "s/\"Message\":\"/ /"
| rex field=Summary mode=sed "s/\"TraceLevel.*/ /"
| rex field=Summary mode=sed "s/\".*$//"
| rex field=Host mode=sed "s/\"Channel.*/ /"
| rex field=Host mode=sed "s/\"Host\":\"/ /"
| rex field=Host mode=sed "s/\/.*/ /"
| eval Host = replace(Host,"Host_cdc.cdc.CRAB.com", "PRODUCTION")
| eval Host = replace(Host,"Host_DEV.cdc.CRAB.com", "PROFILING")
| eval Host = replace(Host,"Host_PP.cdc.CRAB.com", "VALIDATION")
| stats values(Summary) as Summary by ExecutionDate, Host
| where isnotnull(Summary)
Can anyone tell me where the problem is here?

Based on your simplified example (I of course don't have all your other data so cannot run your full query), but using the data you provided
"Results":{"Elapsed":"0","Message":"No of Application to Obsolete in Teradata : 4","TraceLevel":"INFO"},"Security":{"Vendor":"CRAB"}}
"Results":{"Elapsed":"0","Message":"Total Application Asset in Teradata : 1696","TraceLevel":"INFO"},"Security":{"Vendor":"CRAB"}}
"Results":{"Elapsed":"0","Message":"Total Application count from SPAM : 1694","TraceLevel":"INFO"},"Security":{"Vendor":"CRAB"}}
"Results":{"Elapsed":"0","Message":" Application/s to Obsolete in Teradata : [PA00007618, PA00007617, PA00007619, PA00007620]","TraceLevel":"INFO"},"Security":{"Vendor":"CRAB"}}
and the query
source="stack.csv" host="localhost" index="stack"
| rex "Message\":\"(?<message_value>[^\"]+)\""
| table message_value
I get the output
Application/s to Obsolete in Teradata : [PA00007618, PA00007617, PA00007619, PA00007620]
Total Application count from SPAM : 1694
Total Application Asset in Teradata : 1696
No of Application to Obsolete in Teradata : 4
you should then be able to just put that in your stats output with the variable name message_value

This should work based on your example input. Of course, you may need to fiddle with it to adapt it to your event stream.
| makeresults
| eval myevent="\"Results\":{\"Elapsed\":\"0\",\"Message\":\"No of Application to Obsolete in Teradata : 4\",\"TraceLevel\":\"INFO\"},\"Security\":{\"Vendor\":\"CRAB\"}}
\"Results\":{\"Elapsed\":\"0\",\"Message\":\"Total Application Asset in Teradata : 1696\",\"TraceLevel\":\"INFO\"},\"Security\":{\"Vendor\":\"CRAB\"}}
\"Results\":{\"Elapsed\":\"0\",\"Message\":\"Total Application count from SPAM : 1694\",\"TraceLevel\":\"INFO\"},\"Security\":{\"Vendor\":\"CRAB\"}}
\"Results\":{\"Elapsed\":\"0\",\"Message\":\"Application/s to Obsolete in Teradata : [PA00007618, PA00007617, PA00007619, PA00007620]\",\"TraceLevel\":\"INFO\"},\"Security\":{\"Vendor\":\"CRAB\"}}"
| rex mode=sed field=myevent "s/([\r\n]+)/##LF##/g" | makemv myevent delim="##LF##" | rename myevent as myevent_new | mvexpand myevent_new
| rex field=myevent_new "Results\":(?<json_event>.*)"
| spath input=json_event
| eval ExecutionDate=strftime(now(),"%d-%m-%Y")
| eval Host="Production"
| stats values(Message) AS Summary by ExecutionDate Host
And the output:

Related

KQL query for Time chart

I have used this query, but I cannot get the time chart to show the trend of the CPU. It appears to be only showing the current CPU. My objective is to show the trend from each computer (host).
Telemetry_system
| where hostname_s contains "computer-A"
| where TimeGenerated > ago(5m)
| summarize by hostname, callBackUrl, cpu_d
| summarize Aggregatedcpu= avg(cpu_d) by hostname, callBackUrl
| render timechart
If I understand your intention correctly, try this:
Telemetry_system
| where hostname_s contains "computer-A"
| where TimeGenerated > ago(5m)
| summarize Aggregatedcpu = avg(cpu_d) by strcat(hostname, "_", callBackUrl), bin(TimeGenerated, 1s)
| render timechart

How to count text that are replaced by rex commands as one in Splunk

I have a Splunk query to fetch the top 5 APIs based on error percent. Below is the query for it:
index=myaccount sourcetype=myaccountweb-master Response status=* url=*
| chart count over url by status
| addtotals
| foreach * [
    | eval <<FIELD>> = if('<<FIELD>>'==0,"-",'<<FIELD>>')
    | eval p_<<MATCHSTR>> = if(isnull(tonumber('<<FIELD>>')),'<<FIELD>>',round(('<<FIELD>>'/Total)*100,2))
    | eval p_<<MATCHSTR>> = if('p_<<MATCHSTR>>'<1, "< 1",'p_<<MATCHSTR>>')
    | eval <<FIELD>> = if("<<FIELD>>"=="Total",'<<FIELD>>', case('<<FIELD>>'=="-","-",tonumber('<<FIELD>>')>1,'<<FIELD>>'." (".p_<<MATCHSTR>>."%)",1=1,'<<FIELD>>')) ]
| fields - p_*
| eval url=lower(url)
| rex mode=sed field=url "s/account\/(\d+)\//account\/me\//"
| rex mode=sed field=url "s/\d+account.\w+|\d+fm|\d+fs\d+/*/g"
| rex mode=sed field=url "s/..:..:..:..:..:../*/"
| rex mode=sed field=url "s/accounts\?ip=.*/accounts?ip=__/"
| rex mode=sed field=url "s/[^\/]{30,}/*/g"
| rex mode=sed field=url "s/(\d|\.){8,}/*/g"
| rex field="500" "\d+\s\((?<perc>.*)%\)"
| sort - perc
| where perc>10
| head 5
I have URLs where the userID comes in between, and to replace those userIDs with * I have used rex commands, and it works, replacing the userID with *.
But the issue is it counts them separately since the userID differs for each hit made on the URL. Because of this my top 5 API hits output differs.
E.g. URL: /account/user/JHWERTYQMNVSJAIP/email where JHWERTYQMNVSJAIP is the userID and it's replaced by *
I am getting the below output for the query:
url 200 201 204 400 401 500
/account/user/*/email - - - - - 5 (100.00%)
/account/user/*/email - - - - - 4 (100.00%)
/account/user/*/email - - - - - 4 (100.00%)
Whereas all these URLs are actually one and the expected output should be like adding 5+4+4 and displaying it once, like this:
url 200 201 204 400 401 500
/account/user/*/email - - - - - 13 (100.00%)
Since the userID differs for each one, it takes the count separately. Any help on this would be appreciated. Thanks in advance.
You have the right idea, but to get the numbers right, normalization of the URL must be done before the numbers are calculated by the chart command.
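A run-anywhere illustration of that ordering, added here and not taken from the question or the answer: the same sed-style rex normalization runs before chart, so hits carrying different userIDs collapse into a single url row and the 500 percentage is computed on the merged counts. The events are constructed with makeresults (three userIDs, statuses 200 and 500, a numeric account path), the 16-character segment threshold and the perc_500 field name are assumptions chosen for this sample data, and the comment macro is the same convention used in another answer on this page (drop that line if your instance does not define it).

```spl
| makeresults count=3
| eval url="/account/user/JHWERTYQMNVSJAIP/email", status=500
| append [| makeresults count=2 | eval url="/account/user/ABCDEFGHIJKLMNOP/email", status=500]
| append [| makeresults count=4 | eval url="/account/user/QRSTUVWXYZ123456/email", status=200]
| append [| makeresults count=1 | eval url="/account/12345/settings", status=500]
`comment("Everything above is constructed sample data; replace it with the real index search")`
| eval url=lower(url)
| rex mode=sed field=url "s/account\/(\d+)\//account\/me\//"
| rex mode=sed field=url "s/[^\/]{16,}/*/g"
| chart count over url by status
| addtotals
| eval perc_500=round(coalesce('500',0)/Total*100,2)
| where perc_500>10
| sort - perc_500
| head 5
```

With this sample the three /account/user/.../email variants become one row with 500=5, 200=4, Total=9 and perc_500=55.56, while /account/me/settings shows 100.00; applying the rex commands after chart, as in the original query, would leave three separate rows that the percentage logic then ranks independently.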

Presto API to get active workers

I would like to use the Presto API to get the number of active workers, similar to the info available in the Presto UI.
I want to use an API similar to these (which don't contain this info):
https://presto/v1/status
https://presto/v1/jmx
AFAIK in the latest Trino (formerly Presto SQL) versions the workers cannot be introspected from outside of the cluster, but you can get the listing with SQL:
presto> SELECT * FROM system.runtime.nodes;
node_id | http_uri | node_version | coordinator | state
---------------+------------------------+------------------+-------------+--------
presto-worker | http://172.20.0.3:8081 | 347-137-g4945abe | false | active
presto-master | http://172.20.0.4:8080 | 347-137-g4945abe | true | active
(2 rows)

statistics chart in splunk using value from log

I am new to Splunk dashboards. I need some help with this kind of data.
2020-09-22 11:14:33.328+0100 org{abc} INFO 3492 --- [hTaskExecutor-1] c.j.a.i.p.v.b.l.ReadFileStepListener : [] read-feed-file-step ended with status exitCode=COMPLETED;exitDescription= with compositeReadCount 1 and other count status as: BatchStatus(readCount=198, multiEntityAccountCount=0, readMultiAccountEntityAdjustment=0, accountFilterSkipCount=7, broadRidgeFilterSkipCount=189, writeCount=2, taskCreationCount=4)
I wanted to have statistics in a dashboard showing all the integer values in the above log.
Edit 1:
I tried this but it is not working.
index=abc xyz| rex field=string .*readCount=(?P<readCount>\d+) | table readCount
See if this run-anywhere example helps.
| makeresults
| eval _raw="2020-09-22 11:14:33.328+0100 org{abc} INFO 3492 --- [hTaskExecutor-1] c.j.a.i.p.v.b.l.ReadFileStepListener : [] read-feed-file-step ended with status exitCode=COMPLETED;exitDescription= with compositeReadCount 1 and other count status as: BatchStatus(readCount=198, multiEntityAccountCount=0, readMultiAccountEntityAdjustment=0, accountFilterSkipCount=7, broadRidgeFilterSkipCount=189, writeCount=2, taskCreationCount=4)"
`comment("Everything above just sets up test data")`
| extract pairdelim="," kvdelim="="
| timechart span=1h max(*Count) as *Count
I solved this using:
index=xyz
| rex "fileName=\s*(?<fileName>[\S\s]+)"
| rex "compositeReadCount=(?<compositeReadCount>\d+)"
| rex "readCount=(?<readCount>\d+)"
| rex "multiEntityAccountCount=(?<multiEntityAccountCount>\d+)"
| rex "readMultiAccountEntityAdjustment=(?<readMultiAccountEntityAdjustment>\d+)"
| rex "accountFilterSkipCount=(?<accountFilterSkipCount>\d+)"
| rex "broadRidgeFilterSkipCount=(?<broadRidgeFilterSkipCount>\d+)"
| rex "writeCount=(?<writeCount>\d+)"
| rex "taskCreationCount=(?<taskCreationCount>\d+)"
| rex "status=\s*(?<status>[\S\s]+)"
| table _time fileName compositeReadCount readCount multiEntityAccountCount readMultiAccountEntityAdjustment accountFilterSkipCount broadRidgeFilterSkipCount writeCount taskCreationCount status

Need help in Splunk Pie chart search expression

I am new to Splunk dashboard development; so far I am creating KPIs using just 'single value'.
I have three KPIs that result in 600, 250, 150.
KPI 1 search expression - result is 600 (example)
index=indexname kubernetes.container_name=tpt
MESSAGE = "Code request"
| spath output=message path=MESSAGE
| table _time message
| stats count as count1
KPI 2 search expression - result is 250 (example)
index=indexname kubernetes.container_name=rsv
MESSAGE = "pin in email"
| spath output=message path=MESSAGE
| table _time message
| stats count as count2
KPI 3 search expression - result is 150 (example)
index=indexname kubernetes.container_name=rsv
MESSAGE = "pin in sms"
| spath output=message path=MESSAGE
| table _time message
| stats count as count3
I have shown the above KPIs as numbers in the dashboard. However, I would like to show a pie chart with 60%, 25% and 15% shares for the above numbers. What would be the search expression to create this chart?
You could achieve it by making it a single query, extracting the fields and appending them using Splunk's append; below are the queries:
index=indexname kubernetes.container_name=tpt MESSAGE = "*Code request*"
| spath output=msg path=MESSAGE
| eval counts=case(msg="Code request","count1", msg="pin in email","count2", msg="pin in sms","count3")
| stats count by counts
| append [search index=indexname kubernetes.container_name=rsv MESSAGE = "*pin in email*"
| spath output=msg path=MESSAGE
| eval counts=case(msg="Code request","count1", msg="pin in email","count2", msg="pin in sms","count3")
| stats count by counts
| append [search index=indexname kubernetes.container_name=rsv MESSAGE = "*pin in sms*"
| spath output=msg path=MESSAGE
| eval counts=case(msg="Code request","count1", msg="pin in email","count2", msg="pin in sms","count3")
| stats count by counts ]]
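An added single-search alternative, not part of the answer above, that also works out the percentage shares the question asks for: all three message patterns are matched in one pass, bucketed with case(), counted, and the share of each bucket is derived with eventstats, so the same result set feeds either a pie chart (count by kpi) or a table. The events are constructed JSON records built with makeresults (12, 5 and 3 events, giving the 60/25/15 split); the container_name filter from the real searches is not applied to this sample data, and the kpi and share field names are assumptions.

```spl
| makeresults count=12
| eval _raw="{\"MESSAGE\":\"Code request\",\"kubernetes\":{\"container_name\":\"tpt\"}}"
| append [| makeresults count=5 | eval _raw="{\"MESSAGE\":\"pin in email\",\"kubernetes\":{\"container_name\":\"rsv\"}}"]
| append [| makeresults count=3 | eval _raw="{\"MESSAGE\":\"pin in sms\",\"kubernetes\":{\"container_name\":\"rsv\"}}"]
`comment("Constructed sample events; replace everything above with the real index search")`
| spath output=msg path=MESSAGE
| eval kpi=case(match(msg,"Code request"),"count1", match(msg,"pin in email"),"count2", match(msg,"pin in sms"),"count3")
| where isnotnull(kpi)
| stats count by kpi
| eventstats sum(count) as total
| eval share=round(count/total*100,0)
| fields kpi count share
```

On the real index the first four lines would be replaced by index=indexname (kubernetes.container_name=tpt OR kubernetes.container_name=rsv) (MESSAGE="*Code request*" OR MESSAGE="*pin in email*" OR MESSAGE="*pin in sms*"); match() mirrors the wildcard searches so messages with surrounding text still land in the right bucket, and the where clause discards anything that matched none of them.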