Splunk get inner Query results with in the time frame provided by outer Query - splunk

Successfully scheduled PushNotification in UserMessageChanelMap LINK_MORE_ACCOUNTS
| eval fields=split(raw,"|")
| eval messageKey=mvindex(fields,2)
| eval num=mvindex(fields,5)
| table messageKey_, num
| eval scheduledDate=replace(num, "scheduledDate:", "")
| eval messageKey=replace(messageKey_,"messageKey:","")
| eval newTS=strftime(strptime(scheduledDate, "%a %b %d %H:%M:%S %Z %Y"), "%Y-%m-%d %H:%M:%S")
| stats count by newTS,messageKey
| stats min(newTS) as fromScheduledDate, max(newTS) as toScheduledDate
| appendcols [search ("Could not send PushNotification") messageKey:LINK_MORE_ACCOUNTS NOT ("*|reason:Failed to Deliver|")
    | extract pairdelim="|" kvdelim=":"
    | table userId,userMessageId,messageKey
    | stats count by userId,userMessageId,messageKey
    | table userId,userMessageId, messageKey
    | stats count as pushFallOffPoints by messageKey ]
Here I want to run my SubQuery within the time range fromScheduledDate - toScheduledDate. I was trying to pass these dates to earliest and latest, but that did not work. Help is appreciated.

Subsearches run first so there is no such thing as passing fields into a subsearch. A subsearch, however, can return fields to the main search using the format or return command. Run the subsearch by itself to see what exactly it returns and to verify the returned string makes sense when combined with the main search.

I was able to figure out the solution:
( [ search Successfully scheduled PushNotification in LINK_MORE_ACCOUNTS
    | eval fields=split(raw,"|")
    | eval messageKey=mvindex(fields,2)
    | eval num=mvindex(fields,5)
    | table messageKey_, num
    | eval scheduledDate=replace(num, "scheduledDate:", "")
    | eval messageKey=replace(messageKey_,"messageKey:","")
    | eval newTS=strptime(scheduledDate, "%a %b %d %H:%M:%S %Z %Y")
    | stats count by newTS,messageKey
    | stats min(newTS) as earliest
    | return earliest ]
, [ search Successfully scheduled PushNotification in UserMessageChanelMap LINK_MORE_ACCOUNTS
    | eval fields=split(raw,"|")
    | eval messageKey=mvindex(fields,2)
    | eval num=mvindex(fields,5)
    | table messageKey_, num
    | eval scheduledDate=replace(num, "scheduledDate:", "")
    | eval messageKey=replace(messageKey_,"messageKey:","")
    | eval newTS=strptime(scheduledDate, "%a %b %d %H:%M:%S %Z %Y")
    | stats count by newTS,messageKey
    | stats max(newTS) as latest
    | return latest ] )
( container_name="ace-service") ("Could not send PushNotification") messageKey:LINK_MORE_ACCOUNTS NOT ("*|reason:Failed to Deliver|")
| extract pairdelim="|" kvdelim=":"
| table userId,userMessageId,messageKey
| stats count by userId,userMessageId,messageKey
| table userId,userMessageId, messageKey
| stats count as pushFallOffPoints by messageKey
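The same two-stage logic, as an added Python example that is not code from the original post: stage 1 plays the role of the subsearch and derives the scheduled window (min and max scheduledDate for one messageKey) using the same strptime format as the query; stage 2 plays the role of the main search, keeps only "Could not send" events whose time falls inside that window, excludes the "Failed to Deliver" reason, and counts distinct (userId, userMessageId) pairs per messageKey. The log lines and field positions are constructed to match what the question's split()/mvindex() calls assume (messageKey at index 2, scheduledDate at index 5); the leading ISO timestamp standing in for _time is also an assumption.

```python
from datetime import datetime

SPLUNK_FMT = "%a %b %d %H:%M:%S %Z %Y"   # strptime format used in the question's query

# Constructed sample events (not from the original post). Each line starts with the
# event time; the pipe-delimited fields follow the positions the question's
# split()/mvindex() calls assume: messageKey at index 2, scheduledDate at index 5.
SCHEDULED = [
    "2022-03-01T09:00:01 Successfully scheduled PushNotification in UserMessageChanelMap|userId:u1|messageKey:LINK_MORE_ACCOUNTS|userMessageId:m1|channel:push|scheduledDate:Tue Mar 01 10:15:00 UTC 2022",
    "2022-03-01T09:00:02 Successfully scheduled PushNotification in UserMessageChanelMap|userId:u2|messageKey:LINK_MORE_ACCOUNTS|userMessageId:m2|channel:push|scheduledDate:Tue Mar 01 11:45:00 UTC 2022",
    "2022-03-01T09:00:03 Successfully scheduled PushNotification in UserMessageChanelMap|userId:u3|messageKey:OTHER_KEY|userMessageId:m3|channel:push|scheduledDate:Tue Mar 01 18:00:00 UTC 2022",
]
FAILED = [
    "2022-03-01T10:20:00 Could not send PushNotification|userId:u1|userMessageId:m1|messageKey:LINK_MORE_ACCOUNTS|reason:Device unreachable|",
    "2022-03-01T10:21:00 Could not send PushNotification|userId:u1|userMessageId:m1|messageKey:LINK_MORE_ACCOUNTS|reason:Device unreachable|",  # retry of the same message: counted once
    "2022-03-01T11:10:00 Could not send PushNotification|userId:u2|userMessageId:m2|messageKey:LINK_MORE_ACCOUNTS|reason:Failed to Deliver|",   # excluded by the NOT clause
    "2022-03-01T12:30:00 Could not send PushNotification|userId:u4|userMessageId:m4|messageKey:LINK_MORE_ACCOUNTS|reason:Token expired|",       # after the window: dropped
    "2022-03-01T11:00:00 Could not send PushNotification|userId:u5|userMessageId:m5|messageKey:LINK_MORE_ACCOUNTS|reason:Token expired|",
]


def event_time(line):
    """_time of an event: the leading ISO timestamp of the constructed log line."""
    return datetime.strptime(line[:19], "%Y-%m-%dT%H:%M:%S")


def extract_kv(line, pairdelim="|", kvdelim=":"):
    """Rough equivalent of `extract pairdelim="|" kvdelim=":"` for one event."""
    fields = {}
    for pair in line.split(pairdelim):
        if kvdelim in pair:
            key, value = pair.split(kvdelim, 1)
            fields[key.strip()] = value.strip()
    return fields


def scheduled_window(lines, message_key):
    """Stage 1, the subsearch: earliest and latest scheduledDate for one messageKey.
    Mirrors split(_raw,"|"), mvindex(fields,2), mvindex(fields,5) and strptime()."""
    times = []
    for line in lines:
        fields = line.split("|")
        if len(fields) < 6 or fields[2] != f"messageKey:{message_key}":
            continue
        when = fields[5].replace("scheduledDate:", "", 1)
        times.append(datetime.strptime(when, SPLUNK_FMT))
    if not times:
        return None                      # an empty subsearch returns no window at all
    return min(times), max(times)


def push_fall_off_points(lines, message_key, window):
    """Stage 2, the main search restricted to the window the subsearch returned:
    distinct (userId, userMessageId) failures per messageKey, minus 'Failed to Deliver'."""
    if window is None:
        return {}
    earliest, latest = window
    seen = set()
    for line in lines:
        if not earliest <= event_time(line) <= latest:
            continue
        kv = extract_kv(line)
        if kv.get("messageKey") != message_key or kv.get("reason") == "Failed to Deliver":
            continue
        seen.add((kv.get("userId"), kv.get("userMessageId")))
    return {message_key: len(seen)}


if __name__ == "__main__":
    window = scheduled_window(SCHEDULED, "LINK_MORE_ACCOUNTS")
    print("window:", window)
    print(push_fall_off_points(FAILED, "LINK_MORE_ACCOUNTS", window))
```

Running the subsearch stage on its own first, as the answer above recommends, is what the separate scheduled_window() function is for: if it returns None there is no window, and the main stage then returns an empty result rather than silently scanning all time.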

Related

Group data by date in Splunk

I have data that is displayed in a Splunk query as below (the data for 3 columns is displayed in 3 separate rows):
| Date     | Tier 1 | Tier 2 | Tier 3 |
| 1/1/2022 | 33     | BLANK  | BLANK  |
| 1/1/2022 | BLANK  | 56     | BLANK  |
| 1/1/2022 | BLANK  | BLANK  | 121    |
| 1/2/2022 | 21     | BLANK  | BLANK  |
| 1/2/2022 | BLANK  | 78     | BLANK  |
| 1/2/2022 | BLANK  | BLANK  | 543    |
I need to display the data as follows in the table:
| Date     | Tier 1 | Tier 2 | Tier 3 |
| 1/1/2022 | 33     | 56     | 121    |
| 1/2/2022 | 21     | 78     | 543    |
Here's a small snippet of my query
| eval Tier1=(StatusCode>400)
| eval Tier2=(StatusCode>499)
| eval Tier3=(StatusCode>500)
| fields Date Tier1 Tier2 Tier3
| sort Date
To regroup the results, use the stats command.
| eval Tier1=(StatusCode>400)
| eval Tier2=(StatusCode>499)
| eval Tier3=(StatusCode>500)
| fields Date Tier1 Tier2 Tier3
| stats values(*) as * by Date

Splunk : extract multiple values from each event

I am new to Splunk queries and I am not able to figure out how to extract multiple values from the same event. I am working with events that look like this:
...
starting count: 12345678
ending count: 12347890
total time: ...
....
I want to extract the values associated with "starting count" and "ending count" and create a chart comparing these two values.
So far I am able to extract one set of values using this query:
rex field=_raw "starting count: (?<StartCount>\d+)"
But how can I extract two different values and compare? Thanks in advance.
If you are going to make a chart, does that mean you have multiple events and each event contains a starting count and an ending count?
If so, extract the starting count and the ending count with a rex (just like you suggested) and then eval the difference. Something like:
| rex field=_raw "starting count: (?<StartCount>\d+)"
| rex field=_raw "ending count: (?<EndCount>\d+)"
| eval difference=EndCount-StartCount
| table _time StartCount EndCount difference
Here is a "run anywhere" version that makes its own test data:
| makeresults count=2
| streamstats count
| eval _raw=if(count=1,"starting count: 12345678 ending count: 12346789 total time: ...","starting count: 12347890 ending count: 12349999 total time: ...")
| eval _time=if(count=1,_time-1,_time)
| rex field=_raw "starting count: (?<StartCount>\d+)"
| rex field=_raw "ending count: (?<EndCount>\d+)"
| eval difference=EndCount-StartCount
| table _time StartCount EndCount difference

Display result count of multiple search query in Splunk table

I want to display a table in my dashboard with 3 columns called Search_Text, Count, Count_Percentage
How do I formulate the Splunk query so that I can display 2 search queries with their result counts and percentages in table format?
Example,
Heading Count Count_Percentage
SearchText1 4 40
SearchText2 6 60
The below query will create a column named SearchText1 which is not what I want:
index=something "SearchText1" | stats count AS SearchText1
Put each query after the first in an append and set the Heading field as desired. Then use the stats command to count the results and group them by Heading. Finally, get the total and compute percentages.
index=foo "SearchText1" | eval Heading="SearchText1"
| append [ | search index=bar "SearchText2" | eval Heading="SearchText2" ]
| stats count as Count by Heading
| eventstats sum(Count) as Total
| eval Count_Percentage=(Count*100/Total)
| table Heading Count Count_Percentage
Showing the absence of search results is a little tricky and changes the above query a bit. Each search will need its own stats command and an appendpipe command to detect the lack of results and create some. Try this:
index=main "SearchText1"
| eval Heading="SearchText1"
| stats count as Count by Heading
| appendpipe
[ stats count
| eval Heading="SearchText1", Count=0
| where count=0
| fields - count]
| append
[| search index=main "SearchText2"
| eval Heading="SearchText2"
| stats count as Count by Heading
| appendpipe
[ stats count
| eval Heading="SearchText2", Count=0
| where count=0
| fields - count] ]
| eventstats sum(Count) as Total
| eval Count_Percentage=(Count*100/Total)
| table Heading Count Count_Percentage
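The counting, totalling and percentage steps of the two answers above, as an added Python example that is not code from the original post. It keeps one row per heading even when a search matched nothing (the case the appendpipe blocks handle) and also guards the percentage against a zero total, which the SPL above would leave as a division by zero. Each heading is modelled as an (index, text) pair the way the append query pairs an index with a search string; the events and index names are constructed.

```python
# Constructed inputs (not from the original post): (index, raw event) pairs, and one
# (index, search text) pair per Heading, matching the shape of the append query above.
EVENTS = (
    [("foo", f"2022-03-01T10:0{i}:00 order placed SearchText1 id={i}") for i in range(4)]
    + [("bar", f"2022-03-01T10:1{i}:00 payment retry SearchText2 id={i}") for i in range(6)]
)
SEARCHES = {
    "SearchText1": ("foo", "SearchText1"),
    "SearchText2": ("bar", "SearchText2"),
    "SearchText3": ("foo", "SearchText3"),   # matches nothing: must still appear with Count=0
}


def count_by_heading(events, searches):
    """Return one row per Heading with Count and Count_Percentage.

    Every heading starts at Count=0, so a search with no hits still produces a row
    (the job the appendpipe blocks do in the answer above). The percentage is computed
    from the overall total, as eventstats sum(Count) as Total does, and is 0.0 when
    nothing matched at all instead of dividing by zero."""
    counts = {heading: 0 for heading in searches}
    for index, raw in events:
        for heading, (want_index, text) in searches.items():
            if index == want_index and text in raw:
                counts[heading] += 1
    total = sum(counts.values())
    return [
        {"Heading": heading,
         "Count": count,
         "Count_Percentage": (count * 100 / total) if total else 0.0}
        for heading, count in counts.items()
    ]


if __name__ == "__main__":
    for row in count_by_heading(EVENTS, SEARCHES):
        print(row["Heading"], row["Count"], row["Count_Percentage"])
```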

Splunk dbxquery merge with splunk search

I am trying to merge a Splunk search query with a database query result set. Basically I have a Splunk dbxquery 1 which returns userid and email from the database as follows for a particular user id:
| dbxquery connection="CMDB009" query="SELECT dra.value, z.email FROM DRES_PRINTABLE z, DRES.CREDENTIAL bc, DRES.CRATTR dra WHERE z.userid = bc.drid AND z.drid = dra.dredid AND dra.value in ('xy67383') "
Above query outputs
VALUE EMAIL
xv67383 xyz@test.com
Another query is a Splunk query 2 that provides the user ids as follows:
index=index1 (host=xyz OR host=ABC) earliest=-20m@m
| rex field=_raw "samlToken\=(?<user>.+?):"
| join type=outer usetime=true earlier=true username,host,user
[search index=index1 source="/logs/occurences.log" SERVER_SERVER_CONNECT NOT AMP earliest=@w0
| rex field=_raw "Origusername\((?<username>.+?)\)"
| rex field=username"^(?<user>,+?)\:"
| rename _time as epoch1]
| stats count by user | sort -count | table user
The above query 2 returns a column called user but not email.
What I want to do is add a column called email from splunk dbxquery 1 for all matching rows by userid in output of query 1. Basically want to add email as additional field for each user returned in query 2.
What I tried so far is this but it does not give me any results. Any help would be appreciated.
index=index1 (host=xyz OR host=ABC) earliest=-20m@m
| rex field=_raw "samlToken\=(?<user>.+?):"
| join type=outer usetime=true earlier=true username,host,user
[search index=index1 source="/logs/occurences.log" SERVER_SERVER_CONNECT NOT AMP earliest=@w0
| rex field=_raw "Origusername\((?<username>.+?)\)"
| rex field=username"^(?<user>,+?)\:"
| rename _time as epoch1]
| stats count by user | sort -count
| table user
| map search="| dbxquery connection=\"CMDB009\" query=\"SELECT dra.value, z.email FROM DRES_PRINTABLE z, DRES.CREDENTIAL bc, DRES.CRATTR dra WHERE z.userid = bc.drid AND z.drid = dra.dredid AND dra.value in ('$user'):\""
Replace $user with $user$ in the map command. Splunk uses a $ on each end of a token.
The username field is not available at the end of the query because the stats command stripped it out. The only fields available after stats are the ones mentioned in the command (user and count in this case). To make the username field available, add it to the stats command. That may, however, change your results.
| rex field=_raw "samlToken\=(?<user>.+?):"
| join type=outer usetime=true earlier=true username,host,user
[search index=index1 source="/logs/occurences.log" SERVER_SERVER_CONNECT NOT AMP earliest=@w0
| rex field=_raw "Origusername\((?<username>.+?)\)"
| rex field=username"^(?<user>,+?)\:"
| rename _time as epoch1]
| stats count by user, username | sort -count
| table user, username
| map search="| dbxquery connection=\"CMDB009\" query=\"SELECT dra.value, z.email FROM DRES_PRINTABLE z, DRES.CREDENTIAL bc, DRES.CRATTR dra WHERE z.userid = bc.drid AND z.drid = dra.dredid AND dra.value in ('$user'):\""
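The enrichment the question and answer above describe, as an added Python example that is not code from the original post or from Splunk DB Connect: the question's rex pattern (in Python's (?P<name>...) syntax) pulls the user out of each event, the users are counted and sorted as the stats/sort pipeline does, and the email lookup runs as one query against a constructed in-memory SQLite table that stands in for the database. The table name, its two-column schema and the events are assumptions, not the DRES schema. The point a practitioner should take from it: in the map form the $user$ token is substituted into the text of the dbxquery SQL, so a value that came out of a log line becomes part of the query; here all user values are passed as bound parameters in a single query, so they stay data, and a user with no directory row simply gets an empty email, like the outer join.

```python
import re
import sqlite3
from collections import Counter

# The question's rex, in Python's named-group syntax ((?P<name>...) instead of (?<name>...)).
SAML_USER = re.compile(r"samlToken=(?P<user>.+?):")

# Constructed sample events (not from the original post).
EVENTS = [
    "2022-03-01T10:00:00 host=xyz GET /home samlToken=xv67383:abc123 status=200",
    "2022-03-01T10:00:05 host=ABC GET /accounts samlToken=xv67383:def456 status=200",
    "2022-03-01T10:00:09 host=xyz GET /home samlToken=ab12345:ghi789 status=200",
    "2022-03-01T10:00:12 host=xyz GET /home samlToken=zz99999:jkl000 status=200",  # no directory row
    "2022-03-01T10:00:15 host=xyz GET /health status=200",                          # no token: ignored
]


def users_by_count(events):
    """`rex ... | stats count by user | sort -count` over the events."""
    counts = Counter()
    for line in events:
        match = SAML_USER.search(line)
        if match:
            counts[match.group("user")] += 1
    return counts.most_common()          # [(user, count), ...], highest count first


def directory_db():
    """Constructed in-memory stand-in for the database behind dbxquery (assumption:
    one table mapping the user value to an email address, not the DRES schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (value TEXT PRIMARY KEY, email TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("xv67383", "xyz@test.com"), ("ab12345", "abc@test.com")])
    return con


def enrich_with_email(con, user_counts):
    """Outer-join style enrichment: one query with bound parameters covers every user.
    Only '?' markers are placed in the SQL text; the log-derived values travel as
    parameters, unlike '$user$' inside the map command's query string."""
    ids = [user for user, _ in user_counts]
    if not ids:
        return []
    placeholders = ",".join("?" for _ in ids)
    rows = con.execute(
        f"SELECT value, email FROM users WHERE value IN ({placeholders})", ids
    ).fetchall()
    email_for = dict(rows)
    return [{"user": user, "count": count, "email": email_for.get(user)}   # None = no match
            for user, count in user_counts]


if __name__ == "__main__":
    for row in enrich_with_email(directory_db(), users_by_count(EVENTS)):
        print(row)
```

One round trip for all users replaces the per-row searches that map would launch, which matters both for load on the database and for keeping the SQL text fixed regardless of what the logs contain.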

Add a Dummy Row for Each Row in the Table

I have the query below, which returns the %CPU of each Computer for every 1-hour interval.
Query
Perf
| where TimeGenerated > ago(1h)
| where CounterName == "% Processor Time"
| where Computer endswith "XYZ"
| summarize avg(CounterValue) by bin(TimeGenerated, 1h), Computer
Result
I want to append a Dummy row for each row in the table with fixed values, except that TimeGenerated should be the same as the previous row in the table. The expected result should look something like this.
Expected Result
You could try something like this (note that you'll need to explicitly order your records as you wish):
let T =
Perf
| where TimeGenerated > ago(1h)
| where CounterName == "% Processor Time"
| where Computer endswith "XYZ"
| summarize avg(CounterValue) by bin(TimeGenerated, 1h), Computer
;
T
| union (T | extend Computer = "Dummy", avg_CounterValue = 10)
| order by TimeGenerated