11/19/2023 0 Comments Splunk transaction same event![]() ![]() Where as I am expecting a list of Platforms and the amount of errors that are related to the platform. I have tried the latest answer and got the following result: Query 1: 22:01:10,065 ProcessFlowManager INFO processflowmgr.ProcessFlowManagerImpl - Discovery run, 2021102522011000 started with profile BD_L2_Windows [ search index="myIndex" source="/*/RUNID/*" CASE("ERROR") CTJT* So far I can think of the following but this still shows me the same results as in the table shown above (counts of discovery runs per platform instead of counts of platforms that have at least one error): index="myIndex" "started with profile" BD_L* I have not yet found anything similair to my question and hope anyone here can help me out. I need to find some way to return true or maybe one from query 2 and use that in query 1 to group the results, but I am unable to due to lack of experience. This should result in the following results: Platform | Amount Windows run has 0 errors (none found in query 2).So lets say we have the following simulation: And our common value is the id of the transaction. Now, I am looking for a way to combine the above two queries into one and count the amount of platforms that have at least one error. With this example, we want to check the duration between the log L1 and the log L4. Custom alert actions are a user-friendly implementation of the alert-triggered scripts available in previous versions. ![]() Custom alert actions are available in Splunk platform version 6.3.0 and later. For example, I want to see if a line in an indexed log file contains the word Error between the hours of 9am and 4pm from the 25 days worth of logs I have indexed. Use the Splunk Add-on for ServiceNow to create custom alert actions that automatically create incidents and events or update existing incidents. Using RUNID I can look for errors ( query two): index="myIndex" source="/*/RUNID/*" CASE("ERROR") CTJT* I am trying to search for an event that happens in a specific time range in Splunk but I want that search to encompass all of the data I have indexed which covers a wide date range. RUNID is what I need to use in a second search when looking for errors: | rex "Discovery run, (?.+) started with profile" Using the following piece of code I can extract RUNID from the events. This is a table with the amount of Discovery runs per platform: The above query will return a list of events containing the raw data above and will result in the following table. The events found from above query contains the following (raw) : Discovery run, 2021101306351355 started with profile BD_L2_Windows | eval Platform=case(searchmatch("LINUX"),"LINUX",searchmatch("AIX"),"AIX",searchmatch("DB2"),"DB2", searchmatch("SQL"),"SQL", searchmatch("WEBSPHERE"),"WEBSPHERE", searchmatch("SYBASE"),"SYBASE", searchmatch("WINDOWS"),"WINDOWS", true(),"ZLINUX") ![]() To make things more clear I have the following search query ( query one): index="myIndex" "started with profile" BD_L* Then I want to use the profile name to look for other events (from a different source) and if one error or more are found, I would like to let it count as one found error, per platform. In Splunk, I am looking for logs that say "started with profile: " and retrieve the profile name from found events. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |