How to print line numbers for an event in Splunk - splunk-query

I wanted to print the number of lines for an event in Splunk after querying it.
Ex: index=* host=* source=*application* This query is giving all the events, but I want to print/get the number of lines for each and every event. I tried with len() in the Splunk query but it didn't work for me.

Actually, every event contains one line only.
Even though the size of the event is large, it is one JSON response only, so Splunk is treating the complete response as a one-line response.
We can query based on characters instead:
index=index-source host=hs* source=*appname* "TXNEnd" "SUCCESS" NOT "truncated" |where len(_raw) > 3000 |stats count by methodPath

Related

How to make pie chart of these values in Splunk

I have the following query: index=app (splunk_server_group=bex OR splunk_server_group=default) sourcetype=rpm-web* host=rpm-web* "CACHE_NAME=RATE_SHOPPER" method = GET | stats count(eval(searchmatch("found=true"))) as Hit, count(eval(searchmatch("found=false"))) as Miss
I need to make a pie chart of the two values "Hit and Miss rates".
The field where it is possible to distinguish the values is Message=[CACHE_NAME=RATE_SHOPPER some_other_strings method=GET found=false], or found can be true.
Without knowing the structure of your data it's harder to say exactly what you need to do, but:
A pie chart is a single data series, so you need to use a transforming command to generate a single series. PieChart Doc
If you have a field that denotes a hit or miss (you could use an eval statement to create one if you don't already have this), you can use it to create the single series like this.
Let's say this field is called result.
|stats count by result
Here is a link to the documentation for the Eval Command
Good luck, hope you can get the results you're looking for.
Since you seem to be concerned only about whether "found" equals either "hit" or "miss", try this:
index=app (splunk_server_group=bex OR splunk_server_group=default) sourcetype=rpm-web* host=rpm-web* "CACHE_NAME=RATE_SHOPPER" method=GET found IN("hit","miss")
| stats count by found
Pie charts require a single field so it's not possible to graph the Hit and Miss fields in a pie. However, if the two fields are combined into one field with two possible values, then it will work.
index=app (splunk_server_group=bex OR splunk_server_group=default) sourcetype=rpm-web* host=rpm-web* "CACHE_NAME=RATE_SHOPPER" method = GET
| eval result=if(searchmatch("found=true"), "Hit", "Miss")
| stats count by result

splunk date time difference

I am new to Splunk. My goal is to optimize an API call, since that particular API method is taking more than 5 minutes to execute.
In Splunk I searched using the context ID and got all the functions and sub-functions called by the main API function for that particular execution. Now I want to figure out which sub-function took the maximum time. In Splunk, on the left side in the list of fields, I see the field names CallStartUtcTime (e.g. "2021-02-12T20:17:42.3308285Z") and CallEndUtcTime (e.g. "2021-02-12T20:18:02.3702937Z"). In search, how can I write a function which will give me the difference between these two times? I googled and found we can use the eval() function, but for me it's returning a null value.
Additional Info:
search:
Clicked on "create table view" and checked the start, end and diff fields in the left-side fields list, but all three are coming up as null.
Not sure what I am doing wrong. I want to find out the time taken by each function.
Splunk cannot compare timestamps in string form. They must be converted to epoch (integer) form, first. Use the strptime() function for that.
...
| eval start = strptime(CallStartUtcTime, "%Y-%m-%dT%H:%M:%S.%7N%Z")
| eval end = strptime(CallEndUtcTime, "%Y-%m-%dT%H:%M:%S.%7N%Z")
| eval diff = end - start
...
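The conversion above, reproduced outside Splunk as an added example (not code from the question or the answer): the CallStartUtcTime/CallEndUtcTime values carry seven fractional digits (100 ns ticks, as .NET emits them), so Python's strptime with %f, which accepts at most six digits, rejects them outright; the example parses the timestamps into integer ticks instead, takes the exact difference, and ranks sub-function calls slowest first. The ContextId and Function field names and the sample events are constructed assumptions.

```python
import re
from datetime import datetime, timezone
from decimal import Decimal

# Matches the round-trip ("o") timestamp format .NET writes: up to 9 fractional digits, trailing Z.
_UTC_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d{1,9}))?Z$")

TICKS_PER_SECOND = 10_000_000  # one tick = 100 ns, the resolution of the 7-digit fraction


def strptime_microseconds_fails(ts: str) -> bool:
    """True when strptime rejects the timestamp: %f accepts at most 6 fractional digits."""
    try:
        datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")
        return False
    except ValueError:
        return True


def parse_utc_ticks(ts: str) -> int:
    """Convert a UTC timestamp string to integer 100 ns ticks since the Unix epoch.

    Integer ticks keep every digit the log carries; a float epoch would round the
    100 ns part and very short durations would come out wrong.
    """
    m = _UTC_TS.match(ts)
    if not m:
        raise ValueError(f"unrecognised timestamp: {ts!r}")
    whole = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    fraction = (m.group(2) or "").ljust(7, "0")[:7]  # normalise to exactly 7 digits
    return int(whole.timestamp()) * TICKS_PER_SECOND + int(fraction)


def call_duration_seconds(start: str, end: str) -> Decimal:
    """Exact end - start in seconds, the equivalent of `eval diff = end - start` on epoch values."""
    return Decimal(parse_utc_ticks(end) - parse_utc_ticks(start)) / TICKS_PER_SECOND


# Constructed sample events (assumption): one context id, three sub-function calls,
# with the two timestamp field names from the question.
SAMPLE_EVENTS = [
    {"ContextId": "ctx-42", "Function": "GetRates",
     "CallStartUtcTime": "2021-02-12T20:17:42.3308285Z", "CallEndUtcTime": "2021-02-12T20:18:02.3702937Z"},
    {"ContextId": "ctx-42", "Function": "LoadProfile",
     "CallStartUtcTime": "2021-02-12T20:17:42.5000000Z", "CallEndUtcTime": "2021-02-12T20:17:43.1250000Z"},
    {"ContextId": "ctx-42", "Function": "WriteAudit",
     "CallStartUtcTime": "2021-02-12T20:18:02.4Z", "CallEndUtcTime": "2021-02-12T20:18:02.4000009Z"},
]


def slowest_calls(events):
    """Return (function, duration) pairs sorted slowest first, like `| sort - diff` after the evals."""
    timed = [(ev["Function"], call_duration_seconds(ev["CallStartUtcTime"], ev["CallEndUtcTime"]))
             for ev in events]
    return sorted(timed, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for name, secs in slowest_calls(SAMPLE_EVENTS):
        print(f"{name:<12} {secs} s")
```

The same precision point applies inside Splunk: if the subsecond width in the strptime format does not match the data, the conversion returns null for every event, which is exactly the symptom in the question.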

Trigger splunk alert when received values do not change

I receive an exchange rate from an external web service and I log the response received like below (note both lines contain data from a single response):
com.test.Currency#366c1a1e[Id=<Null>,Code=<Null>,Feedcode=Gbparslite,Rate=<Null>,Percentaqechangetrigger=<Null>,Bid=93.4269,Offer=93.43987,Mustinvertprice=False],
com.test.Currency#54acb93a[Id=<Null>,Code=<Null>,Feedcode=Gbphkdlite,Rate=<Null>,Percentaqechangetrigger=<Null>,Bid=10.04629,Offer=10.04763,Mustinvertprice=False],
I want to set up an alert which triggers when the last x (x=5) values received have not changed.
Assuming you're looking to alert when a particular field doesn't change after 5 events, you can try the following.
index=data | head 5 | stats dc(Bid) as dv
Then alert if dv equals 1. dc(Bid) calculates the number of unique values of Bid, in this case over the last 5 events. If there is no difference, it will be 1. If there are multiple values, dc(Bid) will be greater than 1.
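The same check as an added example, run outside Splunk over lines in the format posted in the question (this is not the answer's code). It goes one step beyond the `head 5 | stats dc(Bid)` search: the distinct count is computed per Feedcode, because a single global dc() over the last five events would never hit 1 while a second, still-moving feed is interleaved with the stale one. The sample lines, the Usdjpylite feed code and the bid values are constructed.

```python
import re
from collections import defaultdict, deque

# key=value pairs inside the [...] of a com.test.Currency log line; values never contain ',' or ']'.
_FIELD = re.compile(r"(\w+)=([^,\]]*)")


def parse_currency_event(line: str):
    """Return the fields of one Currency log line as a dict, or None for unrelated lines."""
    if "com.test.Currency#" not in line:
        return None
    start, end = line.find("["), line.rfind("]")
    if start < 0 or end < start:
        return None
    return dict(_FIELD.findall(line[start + 1:end]))


def stale_feeds(lines, window=5):
    """Feed codes whose last `window` Bid values are all identical.

    Equivalent of `head 5 | stats dc(Bid) as dv` with dv == 1, but grouped per Feedcode
    so one feed going stale is not masked by another feed that is still moving.
    Lines are expected oldest first; the deque keeps only the newest `window` bids.
    """
    recent = defaultdict(lambda: deque(maxlen=window))
    for line in lines:
        ev = parse_currency_event(line)
        if ev is None or ev.get("Bid") in (None, "", "<Null>"):  # dc() ignores null fields
            continue
        recent[ev["Feedcode"]].append(ev["Bid"])
    return sorted(code for code, bids in recent.items()
                  if len(bids) == window and len(set(bids)) == 1)


def _event(feedcode, bid, offer):
    # Constructed line in the exact shape posted in the question; the object hash is arbitrary.
    return (f"com.test.Currency#366c1a1e[Id=<Null>,Code=<Null>,Feedcode={feedcode},Rate=<Null>,"
            f"Percentaqechangetrigger=<Null>,Bid={bid},Offer={offer},Mustinvertprice=False],")


# Constructed sample log, oldest first. Gbparslite stops moving after its first quote,
# Gbphkdlite keeps updating, Usdjpylite has fewer than five quotes so it cannot be judged yet.
SAMPLE_LINES = [
    _event("Gbparslite", "93.4270", "93.4400"),
    _event("Gbphkdlite", "10.04629", "10.04763"),
    "2021-02-12 10:00:01 INFO heartbeat",  # unrelated line, ignored by the parser
] + [_event("Gbparslite", "93.4269", "93.43987") for _ in range(5)] + [
    _event("Gbphkdlite", f"10.046{n}", f"10.047{n}") for n in range(30, 34)
] + [_event("Usdjpylite", "145.10", "145.12") for _ in range(3)]


if __name__ == "__main__":
    print("stale feeds:", stale_feeds(SAMPLE_LINES))
```

When porting this back to Splunk, the per-feed variant is `... | streamstats count as n by Feedcode | where n<=5 | stats dc(Bid) as dv by Feedcode | where dv=1`, i.e. the grouping has to happen before the distinct count, not after.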

How do I write a query using the VersionOne API to return all the hours (actuals) recorded under an Epic?

I need to write a query using the VersionOne API to return all the time (effort) recorded against tasks under a specific Epic. My goal is to have the query be a one-line statement I can enter into the address bar of my browser.
I've tried the following using the rest-1.v1 query:
http://<>/VersionOne/rest-1.v1/Data/Epic?sel=Epic.ID.Number,SubsAndDown:PrimaryWorkitem[AssetState=%27Closed%27].Actuals.Value.#Sum&where=Epic.ID.Number=%27E-06593%27
http://<>/VersionOne/rest-1.v1/Data/Story?sel=Story.ID.Number,Story.Name,SuperAndUp.Number,SuperAndUp.Actuals.#Sum&where=Story.SuperAndUp.ID.Number=%27E-06593%27
Below is the output from the first query above. (similar results from the second query)
<Assets total="1" pageSize="2147483647" pageStart="0">
  <Asset href="/VersionOne/rest-1.v1/Data/Epic/1481442" id="Epic:1481442">
    <Attribute name="SubsAndDown:PrimaryWorkitem[AssetState='Closed'].Actuals.Value.#Sum"/>
  </Asset>
</Assets>
Actual results were no hours returned. I expected to have ~4,320 hours returned (the total under the Epic E-06593) for the ...#Sum attribute.
On your first query
http://<>/VersionOne/rest-1.v1/Data/Epic?sel=Epic.ID.Number,SubsAndDown:PrimaryWorkitem[AssetState=%27Closed%27].Actuals.Value.#Sum&where=Epic.ID.Number=%27E-06593%27,
If you change it to AssetState!=Closed then you will get results. Beware that there could be another AssetState that might mess with your total hours.
You might want to filter down to AssetState="64" or "Active".
See here: https://community.versionone.com/VersionOne_Connect/Developer_Library/Getting_Started/Platform_Concepts/Asset_State

Splunk search issue

I have a search query like below.
index = abc_dev sourcetype = data RequestorSystem = * Description="Request Receieved from Consumer Service"
OR Description="Total Time taken in sending response"
| dedup TId
| eval InBoundCount=if(Description="Request Receieved from Consumer Service",1,0)
| eval OutBoundCount=if(Description="Total Time taken in sending response",1,0)
| stats sum(InBoundCount) as "Inbound Count",sum(OutBoundCount) as "Outbound Count"
I am not sure why the inbound count is always showing as 0, while the outbound count works perfectly.
There is a typo in your eval InBoundCount=...: "Received" is spelled wrong, and if your events have it spelled correctly it won't match!
If that's not the case:
Try running the query for both counts separately and make sure you are getting events. Also, posting some example input events would make our answer more precise.
Splunk queries are joined by an implicit AND, which means that your OR needs to either be included in parentheses or (if you are using Splunk 6.6 or newer) use the IN keyword like so:
index = abc_dev sourcetype = data RequestorSystem = *
Description IN ("Request Receieved from Consumer Service", "Total Time taken in sending response")
Using IN is more portable in case you want to add other strings later on. With some tweaks, you could even use a variation of stats count by Description with this.
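The posted pipeline re-run over constructed events as an added example (not code from the question or either answer), to make the two ways an inbound count can end up at 0 visible side by side. Besides the misspelling the first answer points out, note what `dedup TId` does: it keeps the first event seen per TId and drops the rest, and Splunk returns events newest first. If the inbound and outbound lines of one transaction share a TId (an assumption here, not stated in the question), the surviving event per TId is the later "Total Time taken" line and the inbound sum is 0 by construction. The event list and `_time` values are constructed.

```python
INBOUND = "Request Received from Consumer Service"
OUTBOUND = "Total Time taken in sending response"

# Constructed events, newest first as Splunk returns them (assumption): each transaction
# writes one inbound line and one outbound line that share the same TId.
SAMPLE_EVENTS = [
    {"TId": "T2", "Description": OUTBOUND, "_time": 4},
    {"TId": "T2", "Description": INBOUND,  "_time": 3},
    {"TId": "T1", "Description": OUTBOUND, "_time": 2},
    {"TId": "T1", "Description": INBOUND,  "_time": 1},
]


def dedup(events, field):
    """Splunk `dedup <field>`: keep the first event seen for each value, drop the rest."""
    seen, kept = set(), []
    for ev in events:
        if ev[field] not in seen:
            seen.add(ev[field])
            kept.append(ev)
    return kept


def count_in_out(events, inbound_text=INBOUND, outbound_text=OUTBOUND, dedup_field="TId"):
    """Reproduce the posted pipeline and return (inbound, outbound) as the stats row would.

    The search filter is `Description IN (inbound_text, outbound_text)`, so a misspelled
    inbound_text removes those events at search time as well as in the eval.
    """
    filtered = [ev for ev in events if ev["Description"] in (inbound_text, outbound_text)]
    if dedup_field:
        filtered = dedup(filtered, dedup_field)
    inbound = sum(1 for ev in filtered if ev["Description"] == inbound_text)
    outbound = sum(1 for ev in filtered if ev["Description"] == outbound_text)
    return inbound, outbound


if __name__ == "__main__":
    print("as posted (dedup TId):      ", count_in_out(SAMPLE_EVENTS))
    print("without dedup:              ", count_in_out(SAMPLE_EVENTS, dedup_field=None))
    print("misspelled, without dedup:  ",
          count_in_out(SAMPLE_EVENTS, inbound_text="Request Receieved from Consumer Service",
                       dedup_field=None))
```

If the intent is one count per transaction rather than per log line, dedup on a field that is unique per line (or dedup by TId together with Description) so that both halves of a transaction survive.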