Splunk search issue - splunk

I have a search query like below.
index = abc_dev sourcetype = data RequestorSystem = * Description="Request Receieved from Consumer Service"
OR Description="Total Time taken in sending response"
| dedup TId
| eval InBoundCount=if(Description="Request Receieved from Consumer Service",1,0)
| eval OutBoundCount=if(Description="Total Time taken in sending response",1,0)
| stats sum(InBoundCount) as "Inbound Count",sum(OutBoundCount) as "Outbound Count"
I am not sure why the inbound count is always showing as 0; the outbound count works perfectly.

There is a typo in your eval InBoundCount=...: "Received" is spelled wrong, and if your events have it spelled correctly it won't match!
If that's not the case:
Try running the query for both counts separately and make sure you are getting events. Also, posting some example input events will make our answer more precise.
Splunk queries are joined by an implicit AND which means that your OR needs to either be included in parenthesis or (if you are using Splunk 6.6 or newer) use the IN keyword like so:
index = abc_dev sourcetype = data RequestorSystem = *
Description IN ("Request Receieved from Consumer Service", "Total Time taken in sending response")
Using IN is more portable in case you want to add other strings later on. With some tweaks, you could even use a variation of stats count by Description with this.

Related

splunk date time difference

I am new to Splunk. My goal is to optimize the API call, since that particular API method is taking more than 5 minutes to execute.
In Splunk I searched using the context ID and got all the functions and sub-functions called by the main API function for that particular execution. Now I want to figure out which sub-function took the maximum time. In Splunk, on the left side in the list of fields, I see the field names CallStartUtcTime (e.g. "2021-02-12T20:17:42.3308285Z") and CallEndUtcTime (e.g. "2021-02-12T20:18:02.3702937Z"). In search, how can I write a function which will give me the difference between these two times? I googled and found we can use the eval() function, but for me it's returning a null value.
Additional Info:
search:
Clicked on "create table view" and checked the start, end and diff fields in the left-side fields list, but all three are coming as null.
Not sure what I am doing wrong. I want to find out the time taken by each function.
Splunk cannot compare timestamps in string form. They must be converted to epoch (integer) form first. Use the strptime() function for that.
...
| eval start = strptime(CallStartUtcTime, "%Y-%m-%dT%H:%M:%S.%7N%Z")
| eval end = strptime(CallEndUtcTime, "%Y-%m-%dT%H:%M:%S.%7N%Z")
| eval diff = end - start
...
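As an added example that is not part of the original answer, the following Python does the same conversion outside Splunk: it parses the question's CallStartUtcTime / CallEndUtcTime strings, which carry seven fractional digits (datetime.fromisoformat() rejects that width before Python 3.11, so the fraction is parsed by hand), returns None for a malformed value the way Splunk's strptime() returns null, and then computes a per-function duration and picks the slowest call. The function names and sample events are constructed for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample events (not from the original post). Each row is one
# function call with the two UTC timestamp fields the question describes;
# the values carry 7 fractional digits and a trailing "Z" exactly as shown.
# The last row has a malformed start time to show the null case.
EVENTS = [
    {"function": "GetOrders",   "CallStartUtcTime": "2021-02-12T20:17:42.3308285Z",
                                "CallEndUtcTime":   "2021-02-12T20:18:02.3702937Z"},
    {"function": "LoadProfile", "CallStartUtcTime": "2021-02-12T20:17:42.5000000Z",
                                "CallEndUtcTime":   "2021-02-12T20:17:43.5000000Z"},
    {"function": "RunReport",   "CallStartUtcTime": "2021-02-12T20:17:43.6000000Z",
                                "CallEndUtcTime":   "2021-02-12T20:18:01.1000000Z"},
    {"function": "Broken",      "CallStartUtcTime": "2021-02-12 20:17:43",
                                "CallEndUtcTime":   "2021-02-12T20:18:01.1000000Z"},
]

# ISO-8601 UTC timestamp with an optional 1-9 digit fraction and a literal Z.
_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d{1,9}))?Z$")


def to_epoch_ns(ts):
    """Convert '2021-02-12T20:17:42.3308285Z' to integer nanoseconds since the
    epoch. Returns None for a value that does not match, which mirrors the
    null Splunk's strptime() yields (and which makes the later subtraction
    null as well). Integer nanoseconds avoid float rounding on the 7-digit
    fraction."""
    m = _TS.match(ts) if isinstance(ts, str) else None
    if m is None:
        return None
    whole = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    frac_ns = int((m.group(2) or "").ljust(9, "0"))   # right-pad to nanoseconds
    return int(whole.timestamp()) * 1_000_000_000 + frac_ns


def seconds_between(start_ts, end_ts):
    """end - start in seconds, or None if either side failed to parse."""
    start, end = to_epoch_ns(start_ts), to_epoch_ns(end_ts)
    if start is None or end is None:
        return None
    return (end - start) / 1e9


def call_durations(events):
    """{function: duration_seconds}; rows with an unparseable timestamp are
    reported as None so they stay visible instead of being silently dropped."""
    return {e["function"]: seconds_between(e["CallStartUtcTime"], e["CallEndUtcTime"])
            for e in events}


def slowest_call(events):
    """Name of the function with the largest duration (None entries ignored)."""
    timed = {f: d for f, d in call_durations(events).items() if d is not None}
    return max(timed, key=timed.get) if timed else None


if __name__ == "__main__":
    for name, secs in call_durations(EVENTS).items():
        print(f"{name:12s} {secs}")
    print("slowest:", slowest_call(EVENTS))
```

The "Broken" row is the situation from the question: a value that does not match the format produces a null start, and the difference is null too, so when all three fields come back null the first thing to check is whether the format string matches the raw field value character for character.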

Splunk: Find the difference between 2 events

I have a server with 2 APIs: /migrate/start and /migrate/end
For each request, I log the userID (field usrid="") of the user using my service to be migrated and the api called (field api="").
Users call /migrate/start, then call /migrate/end. I would like to write a Splunk query to list the userIDs that are being migrated, i.e. those that called /migrate/start but have yet to call /migrate/end. How would I write that query?
Thank you
Assuming you have only 2 api calls (start/end) in the logs, you can use a stats command to do this.
| your_search
| stats values(api) as api by usrid
| where api!="/migrate/end"
This groups all API calls per user and removes the ones which have called /migrate/end.
The general method is to get all the start and end events and match them up by user ID. Take the most recent event for each user and throw out the ones that are "migrate/end". What's left are all the in-progress migrations. Something like this:
index = foo (api="/migrate/start" OR api="/migrate/end")
| stats latest(api) as api by usrid
| where api="/migrate/start"

Splunk search no subsearch

I have events something like:
{
taskId:5a6d
category:created
when:1517131461
...
}
{
taskId:5a6d
category:started
when:1517131609
...
}
{
taskId:5a6d
category:ended
when:1517134657
...
}
For each task (task id is same), we have events when it is created / started / ended.
I'd like to search if there is any task never be processed (task is created but not started). Here is my search statement:
index=XXX sourcetype=XXX category=created | search NOT [search index=XXX sourcetype=XXX category=started | fields taskId]
This statement works correctly if the time range is less than 48 hours.
If the time range is set to, for example, latest 7 days, the above search statement works incorrectly. It returns a lot of tasks (category=created) which means these tasks are never processed. Actually, they are processed, I can search the events (category=started) by taskId.
I have no idea what's wrong with it. It seems the subsearch doesn't return correct results in the range of the main search.
This will be hard to debug without seeing your exact data.
To make it simpler, you can try something like this to do everything with one search:
index=XXX sourcetype=XXX (category=created OR category=started)
| eventstats values(category) as categories by taskId
| search categories = created NOT categories = started
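The migration question above and this task question are the same problem: pair lifecycle events by a correlation key and report the keys whose end event never arrived. The Python below, added here as an example and not code from either post, implements both answers' approaches over constructed events so their difference is visible. open_by_latest mirrors `stats latest(...) by key | where ...` and open_by_values mirrors `eventstats values(...) by key | search ... NOT ...`. Doing it in one pass over all events is also the fix for the widening-time-range symptom: a subsearch is capped by default at 10,000 results and 60 seconds, and once a 7-day window exceeds that cap the truncated taskId list makes `NOT [subsearch]` return tasks that were in fact started. Field names come from the two questions; the event values are constructed.

```python
from collections import defaultdict

# Constructed sample events (not from either post). "_time" stands in for the
# event timestamp Splunk carries. u3 ends a migration and starts another one;
# u4 has an end event but no start inside the window.
MIGRATIONS = [
    {"_time": 100, "usrid": "u1", "api": "/migrate/start"},
    {"_time": 110, "usrid": "u1", "api": "/migrate/end"},
    {"_time": 120, "usrid": "u2", "api": "/migrate/start"},
    {"_time": 130, "usrid": "u3", "api": "/migrate/start"},
    {"_time": 140, "usrid": "u3", "api": "/migrate/end"},
    {"_time": 150, "usrid": "u3", "api": "/migrate/start"},
    {"_time":  90, "usrid": "u4", "api": "/migrate/end"},
]
# Same shape for the task question: created / started / ended per taskId.
TASKS = [
    {"_time": 1517131461, "taskId": "5a6d", "category": "created"},
    {"_time": 1517131609, "taskId": "5a6d", "category": "started"},
    {"_time": 1517134657, "taskId": "5a6d", "category": "ended"},
    {"_time": 1517140000, "taskId": "7b1e", "category": "created"},
]


def open_by_latest(events, key, state, start):
    """`stats latest(state) as state by key | where state=start`: a key is
    open when its most recent lifecycle event is the start event. Later
    events win, so a key that ended and then started again counts as open."""
    latest = {}
    for e in events:
        cur = latest.get(e[key])
        if cur is None or e["_time"] >= cur["_time"]:
            latest[e[key]] = e
    return sorted(k for k, e in latest.items() if e[state] == start)


def open_by_values(events, key, state, start, end):
    """`eventstats values(state) as states by key | search states=start NOT
    states=end`: a key is open when it has a start event and no end event
    anywhere in the window, whatever their order. This is the single-search
    replacement for `NOT [subsearch]` and has no subsearch result cap."""
    seen = defaultdict(set)
    for e in events:
        seen[e[key]].add(e[state])
    return sorted(k for k, s in seen.items() if start in s and end not in s)


if __name__ == "__main__":
    print("migrating (latest):", open_by_latest(MIGRATIONS, "usrid", "api", "/migrate/start"))
    print("migrating (values):", open_by_values(MIGRATIONS, "usrid", "api",
                                                "/migrate/start", "/migrate/end"))
    print("never started:", open_by_values(TASKS, "taskId", "category", "created", "started"))
```

The two rules disagree on u3: the latest-event rule reports the second migration as in progress, while the values rule sees both a start and an end for u3 and drops it. Which one is right depends on whether a key can go through the lifecycle more than once inside the search window; for one-shot lifecycles (the task example) the values rule is simpler, for repeatable ones use latest().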

Google Analytics API. Problems with two conditions using the metric transactionRevenue in one segment

I am using the Google Analytics API to automatically fetch stats from ecommerce sites. I need to query a dynamic segment with the sessions that spent more than 0 and less than 50 USD in ecommerce.
I tried this:
segment=users::condition::perSession::ga:transactionRevenue>0;users::condition::perSession::ga:transactionRevenue<50
But it looks like the API is ignoring the ga:transactionRevenue < 50 condition, returning all the sessions with ga:transactionRevenue>0. I tried some other metrics in the > 0 condition ( like uniquePurchases , ga:transactionTax...) with the same results.
The fun part is that if I use transactionShipping it works OK (returning the sessions with purchases including shipping costs and with less than 50 USD revenue):
segment=users::condition::perSession::ga:transactionShipping >0;users::condition::perSession::ga:transactionRevenue<50
But this is not OK, because I need to include the free-shipping transactions in the segment.
Does anybody know a workaround for this?
Check how you are processing the segment for sending to the API.
The rule is that you should escape a semicolon in a value expression (\;). I suspect you are escaping the semicolon between the conditions by accident because you encode/escape everything after 'segment=', like segment=<encoded/escaped segment definition>.
What you need to send is segment=<encoded/escaped condition1>;<encoded/escaped condition2>
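To make the encoding difference concrete, here is an added Python example (not code from the question or the answer) that builds the segment parameter both ways: each condition percent-encoded on its own and joined with a bare ';', versus the whole definition encoded after joining, where the separator turns into %3B and the API sees a single condition. The escape_literal_semicolons helper applies the `\;` rule for a semicolon that belongs to a value. The conditions are the two from the question; the helper and function names are this example's own.

```python
from urllib.parse import quote, unquote

# The two per-session conditions from the question, kept in a list so the
# two encoding strategies below can be compared on the same input.
CONDITIONS = [
    "users::condition::perSession::ga:transactionRevenue>0",
    "users::condition::perSession::ga:transactionRevenue<50",
]


def escape_literal_semicolons(condition):
    """A ';' that is part of a value (not a separator) must be written '\\;'
    before the condition is percent-encoded."""
    return condition.replace(";", "\\;")


def build_segment(conditions):
    """Right way: encode each condition separately, then join with a bare ';'
    so the API still sees the condition separator."""
    return ";".join(quote(escape_literal_semicolons(c), safe="") for c in conditions)


def build_segment_wrong(conditions):
    """Wrong way: join first and encode the whole string. The separator is
    emitted as '%3B', which decodes into a literal ';' inside one condition."""
    return quote(";".join(conditions), safe="")


def condition_count(segment):
    """Number of top-level conditions the API will see: only a raw ';' in the
    encoded parameter separates conditions ('%3B' and '%5C%3B' do not)."""
    return len(segment.split(";"))


def segment_param(conditions):
    """The finished 'segment=' query-string fragment."""
    return "segment=" + build_segment(conditions)


if __name__ == "__main__":
    print(segment_param(CONDITIONS))
    print("conditions seen, right way:", condition_count(build_segment(CONDITIONS)))
    print("conditions seen, wrong way:", condition_count(build_segment_wrong(CONDITIONS)))
```

Because the segment value is already percent-encoded, it must be appended to the query string as-is; passing it through a second encoder (urlencode on the whole parameter dict, for instance) would re-encode the percent signs and reproduce the original problem.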

Need to query splunk using rest api call and pull mean and stdev

I am trying to query using Rest API on splunk with the following:
curl -u "<user>":"<pass>" -k https://splunkserver.com:8089/services/search/jobs/export -d'search=search index%3d"<index_name>" sourcetype%3d"access_combined_wcookie" starttime%3d06/02/2013:0:0:0 endtime%3d06/10/2013:0:0:0 uri_path%3d"<uri1>" OR uri_path%3d"<uri2>" user!%3d"-" referer!%3d"-" | eval Time %3d request_time_length%2f1000000 | stats stdev%28Time%29 as stdev, mean%28Time%29 as mean, count%28uri_path%29 as count by uri_path'
However, I do not get the computed mean and stdev; I only see count. How can I add the mean and stdev?
The query looks about right. I tried a similar query on my end and it seemed to give me all 3 aggregates. The only thing I can think of is to make sure you have events that match the search criteria. It could be your time boundaries. Try expanding those or maybe removing one/both of them to see if you get any data for mean and stdev.
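Hand-encoding an SPL string for the REST call (the %3d, %28 and %2f in the curl command) is easy to get subtly wrong, and the time bounds are easier to experiment with when they are separate parameters. The Python below is an added example, not code from the question or the answer: it builds the form body for POST /services/search/jobs/export with urlencode(), passes the time range through the endpoint's earliest_time / latest_time parameters, and round-trips the body through parse_qs() to show the server will see the same SPL that was typed. The SPL is the question's, with the two uri_path terms parenthesised because Splunk's implicit AND binds tighter than OR (the point made in the first thread on this page); the host name is a placeholder.

```python
from urllib.parse import urlencode, parse_qs
from urllib.request import Request

# The question's search as it would be typed in the search bar. <index_name>,
# <uri1> and <uri2> are the question's own placeholders. Without the
# parentheses, "A OR B C D" is read as "A OR (B AND C AND D)".
SPL = (
    'search index="<index_name>" sourcetype="access_combined_wcookie" '
    '(uri_path="<uri1>" OR uri_path="<uri2>") user!="-" referer!="-" '
    '| eval Time = request_time_length/1000000 '
    '| stats stdev(Time) as stdev, mean(Time) as mean, count(uri_path) as count by uri_path'
)


def export_body(spl, earliest=None, latest=None, output_mode="json"):
    """Form body for POST /services/search/jobs/export. urlencode() performs
    the percent-encoding, so the SPL is passed as plain text. earliest_time
    and latest_time are the endpoint's time-bound parameters and take the
    usual Splunk time modifiers ("-7d@d", "now", an epoch value); leaving
    them out is the answer's suggestion for checking whether any events
    match at all."""
    params = {"search": spl, "output_mode": output_mode}
    if earliest is not None:
        params["earliest_time"] = earliest
    if latest is not None:
        params["latest_time"] = latest
    return urlencode(params)


def export_request(base_url, spl, **time_bounds):
    """urllib Request for the export endpoint. Nothing is sent here; the
    caller adds credentials (basic auth as in the curl example, or an
    "Authorization: Splunk <token>" header) before opening it."""
    url = base_url.rstrip("/") + "/services/search/jobs/export"
    return Request(url, data=export_body(spl, **time_bounds).encode("utf-8"), method="POST")


def decode_body(body):
    """Round-trip check: the SPL the server will see after form decoding."""
    return parse_qs(body)["search"][0]


if __name__ == "__main__":
    req = export_request("https://splunkserver.example:8089", SPL,
                         earliest="-7d@d", latest="now")
    print(req.full_url)
    print(req.data.decode("utf-8"))
    print(decode_body(req.data.decode("utf-8")) == SPL)
```

Opening the request with urllib.request.urlopen() verifies the server certificate by default, which is the behaviour the curl command switches off with -k; for a Splunk management port with a self-signed certificate the usual fix is to pass an SSL context that trusts that specific CA rather than disabling verification.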