Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About msarkaus
msarkaus
Explorer
Member since:
09-17-2022
yesterday
Community Statistics
| Posts | 31 |
| Solutions | 0 |
| Karma Given | 2 |
| Karma Received | 1 |
| Member Since | 09-17-2022 |
Activity Feed
- Posted Re: Showing Specific Values in a dashboard on Splunk Search. 11 hours ago
- Posted Re: Showing Specific Values in a dashboard on Splunk Search. yesterday
- Posted Re: Showing Specific Values in a dashboard on Splunk Search. Monday
- Posted Re: Showing Specific Values in a dashboard on Splunk Search. Monday
- Posted Re: Showing Specific Values in a dashboard on Splunk Search. Thursday
- Posted Re: Showing Specific Values in a dashboard on Splunk Search. Thursday
- Posted Re: Showing Specific Values in a dashboard on Splunk Search. a week ago
- Posted Re: Showing Specific Values in a dashboard on Splunk Search. a week ago
- Posted Showing Specific Values in a dashboard on Splunk Search. a week ago
- Tagged Showing Specific Values in a dashboard on Splunk Search. a week ago
- Tagged Showing Specific Values in a dashboard on Splunk Search. a week ago
- Tagged Showing Specific Values in a dashboard on Splunk Search. a week ago
- Tagged Showing Specific Values in a dashboard on Splunk Search. a week ago
- Posted Re: extract field values on Dashboards & Visualizations. 03-04-2025 12:10 PM
- Got Karma for Re: extract field values. 02-27-2025 11:35 AM
- Posted Re: extract field values on Dashboards & Visualizations. 02-27-2025 11:34 AM
- Posted extract field values on Dashboards & Visualizations. 02-27-2025 11:04 AM
- Tagged extract field values on Dashboards & Visualizations. 02-27-2025 11:04 AM
- Tagged extract field values on Dashboards & Visualizations. 02-27-2025 11:04 AM
- Tagged extract field values on Dashboards & Visualizations. 02-27-2025 11:04 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
11 hours ago
I have used the rex field=msgTxt but I keep getting errors. I'm sorry but I've worked on this for hours, and nothing seems to work. I'm still pretty new to Splunk and this is not in my skill-set. Maybe I should start over.. However, the results I'm looking for have slightly changed. The field or log that contains my results are located in msgTxt and I would like to pull both Latitude/Longitude values and the WarningMessages. The field has Latitude and Longitude listed twice. Most of the time the first set will return 0's and the log will always be in this format. The log looks like this: StandardizedAddressService SUCCEEDED - FROM: {"Address1":"63 Somewhere NW ST","Address2":null,"City":"OKLAND CITY","County":null,"State":"OK","ZipCode":"99999-1111","Latitude":97.999,"Longitude":-97.999,"IsStandardized":false,"AddressStandardizationStatus":0,"AddressStandardizationType":0} RESULT: 1 | {"AddressDetails":[{"AssociatedName":"","HouseNumber":"63","Predirection":"NW","StreetName":"Somewhere","Suffix":"ST","Postdirection":"","SuiteName":"","SuiteRange":"","City":"OKLAND CITY","CityAbbreviation":"OKLAND CITY","State":"OK","ZipCode":"99999","Zip4":"1111","County":"Oklahoma","CountyFips":"40109","CoastalCounty":0,"Latitude":97.999,"Longitude":-97.999"Fulladdress1":"63 Somewhere NW ST","Fulladdress2":"","HighRiseDefault":false}],"WarningMessages":[],"ErrorMessages":[],"GeoErrorMessages":[],"Succeeded":true,"ErrorMessage":null} I'm hoping to see the following results: Latitude Longitude Latitude Longitude WarningMessages 99.2541 -25.214 99.254 -25.214 NULL 00.0000 -00.000 99.254 -21.218 NULL 00.0000 -00.000 00.000 -00.000 Error message with something The results for all of the phrases will be different and I will be searching through1000's of logs. If it's too much work to show both set of the Latitude/Longitude values, then the second set would work. Your help is greatly appreciated.. Thanks
... View more
yesterday
When I use | eval msgTxt= I get no results, but if I use | eval _raw it returns the requested data, but it repeats the same values. index="cif" appEnvrnNam="Production" msgTxt="StandardizedAddressService SUCCEEDED*" | eval msgTxt="StandardizedAddressService SUCCEEDED - FROM: {\"StandardizedAddressService\":\"SUCCEEDED\",\"FROM\":{\"Address1\":\"123 NAANNA SAND RD\",\"Address2\":\"\",\"City\":\"GREEN\",\"County\":null,\"State\":\"WY\",\"ZipCode\":\"44444-9360\",\"Latitude\":null,\"Longitude\":null,\"IsStandardized\":false,\"AddressStandardizationStatus\":1,\"AddressStandardizationType\":1},\"RESULT\":1,\"AddressDetails\":[{\"AssociatedName\":\"\",\"HouseNumber\":\"123\",\"Predirection\":\"\",\"StreetName\":\"NAANNA SAND RD\",\"Suffix\":\"RD\",\"Postdirection\":\"\",\"SuiteName\":\"\",\"SuiteRange\":\"\",\"City\":\"GREEN\",\"CityAbbreviation\":\"GREEN\",\"State\":\"WY\",\"ZipCode\":\"44444\",\"Zip4\":\"9360\",\"County\":\"Warren\",\"CountyFips\":\"27\",\"CoastalCounty\":0,\"Latitude\":77.0999,\"Longitude\":-99.999,\"Fulladdress1\":\"123 NAANNA SAND RD\",\"Fulladdress2\":\"\",\"HighRiseDefault\":false}],\"WarningMessages\":[],\"ErrorMessages\":[],\"GeoErrorMessages\":[],\"Succeeded\":true,\"ErrorMessage\":null}" | rex "\"Latitude\"\s*:\s*(?<Latitude>-?\d+\.\d+)" | rex "\"Longitude\"\s*:\s*(?<Longitude>-?\d+\.\d+)" | rex "\"WarningMessages\"\s*:\s*\[\s*\"(?<WarningMessages>[^\"]*)" | table _time Latitude Longitude WarningMessages
... View more
Monday
I'm having issues getting this to work. I posted my search in a earlier post. I was told not to use the eval _raw line, I've tried removing it and I have used | eval msgTxt=" and it is still not working. What am I doing wrong? Please help. thanks
... View more
Monday
So if I'm not to use | eval _raw="StandardizedAddres SUCCEEDED - FROM: {\"StandardizedAddres.................." Should I use | eval msgTxt="StandardizedAddres SUCCEEDED - FROM: {\"StandardizedAddres\":\"SUCCEEDED\",\"FROM\":{\"Address1\":\"123 NAANNA SAND RD\",\"Address2\":\"\",\"City And do I not include the /?
... View more
Thursday
Scratch that first line.. Use this index="ifi" appEnvrnNam="ANY" msgTxt="Standardizess SUCCEEDED - FROM:*"
... View more
Thursday
index="ifi" appEnvrnNam="ANY" msgTxt="StandardizedAddress SUCCEEDED*" | eval _raw="Standardizedss SUCCEEDED - FROM: {\"Standardizedss \":\"SUCCEEDED\",\"FROM\":{\"Address1\":\"123 NAANNA SAND RD\",\"Address2\":\"\",\"City\":\"GREEN\",\"County\":null,\"State\":\"WY\",\"ZipCode\":\"44444-9360\",\"Latitude\":null,\"Longitude\":null,\"IsStandardized\":true,\"AddressStandardization\":1,\"AddressStandardizationType\":0},\"RESULT\":1,\"AddressDetails\":[{\"AssociatedName\":\"\",\"HouseNumber\":\"123\",\"Predirection\":\"\",\"StreetName\":\"NAANNA SAND RD\",\"Suffix\":\"RD\",\"Postdirection\":\"\",\"SuiteName\":\"\",\"SuiteRange\":\"\",\"City\":\"GREEN\",\"CityAbbreviation\":\"GREEN\",\"State\":\"WY\",\"ZipCode\":\"44444\",\"Zip4\":\"9360\",\"County\":\"Warren\",\"CountyFips\":\"27\",\"CoastalCounty\":0,\"Latitude\":77.0999,\"Longitude\":-99.999,\"Fulladdress1\":\"123 NAANNA SAND RD\",\"Fulladdress2\":\"\",\"HighRiseDefault\":false}],\"WarningMessages\":[\"This mail requires a number or Apartment number.\"],\"ErrorMessages\":[],\"GeoErrorMessages\":[],\"Succeeded\":true,\"ErrorMessage\":null}" | rex "StandardizedAddres SUCCEEDED - FROM: (?<event>.*)" | spath input=event | rename AddressDetails{}.* as *, WarningMessages{} as WarningMessages | table Latitude Longitude WarningMessages
... View more
a week ago
Thank you it is working; however, it's repeating the same value. The search will be returning 1000's of logs each with a different value and some will not contain a warning message.
... View more
a week ago
I pleased to see your query is working; however, it's repeating the same values. Sorry, I did not explain that there will be 1000's of logs, each with a different value.
... View more
a week ago
Hello, I have this Splunk log that contains tons of quotes, commas, and other special characters. I’m trying to only pull the Latitude":77.0999, Longitude":-99.999 and from time to time there will be WarningMessages: This mail requires a number or Apartment number that I would like to capture in a dashboard. StandardizedAddres SUCCEEDED - FROM: {"Address1":"123 NAANNA SAND RD","Address2":"","City":”GREEN","County":null,"State":"WY","ZipCode":"44444-9360","Latitude":null,"Longitude":null,"IsStandardized":true,"AddressStatus":1,"AddressStandardizationType":0} RESULT: 1 | {"AddressDetails":[{"AssociatedName":"","HouseNumber":"123","Predirection":"","StreetName":" NAANNA SAND RD ","Suffix":"RD","Postdirection":"","SuiteName":"","SuiteRange":"","City":" GREEN","CityAbbreviation":"GREEN","State":"WY","ZipCode":"44444","Zip4":"9360","County":"Warren","CountyFips":"27","CoastalCounty":0,"Latitude":77.0999,"Longitude":-99.999,"Fulladdress1":"123 NAANNA SAND RD ","Fulladdress2":"","HighRiseDefault":false}]," WarningMessages":["This mail requires a number or Apartment number."]:[],"ErrorMessages":[],"GeoErrorMessages":[],"Succeeded":true,"ErrorMessage":null} I currently use the query below, but I’m not having any luck. This is past my skill set, please help…. index="cf" Environment="NA" msgTxt="API=/api-123BusOwnCommon/notis*" | eval msgTxt=" API=/api-123BusOwnCommon/notis /WGR97304666665/05-08-2024 CalStatus=Success Controller=InsideApi_ notis Action= notis Duration=3 data*" | rex "Duration=(?<Duration>\w+)" | timechart span=1h avg(Duration) AS avg_response by msgTxt I'd like to show the data like this in Splunk: Latitude Longitude WarningMessages 2.351 42.23 Error in blah 4.10 88.235 Hello world 454.2 50.02 Blah blah blah blah............... Thank you
... View more
03-04-2025
12:10 PM
Sorry to be a bother, but what if there is a special char like = involved. I can't add the equal sign into my search query. | eval msxxxt="*Action=GexxxxdledxxxxReport Duration=853*" | rex "Duration (<?Duration>\d+)" | timechart span=1h avg(Duration) AS avg_response by msxxxt Thanks again for your help
... View more
02-27-2025
11:04 AM
Hello, I’m trying to only pull a spefic value from the msgTxt log. In the log below, the example is 2024. This value does change and could be one digit or up to 6 digits. msgTxt = xxiskServicxxxapper - MxxeNext completed in 2024 ms. (request details: environment: Production | desired services: BusixxxsOwnexxxerritory | property type: Commercial | address: x RxxxDANx DR , xxxSHFIELD , xx 02xx0) Below is the search I'm trying to use but its not working. Any help would be apreseated. | eval msgTxt=" msgTxt: xxiskServicxxxapper - MxxeNext completed in 2024 ms. (request details: environment: Production | desired services: BusixxxsOwnexxxerritory*" | rex "in=(?<in>\w+)." | stats count by in
... View more
Labels
- Labels:
-
single value
11-07-2024
11:40 AM
Yes, I attempted to use this:
index="stuff"
(msgTxt="Request recd." OR StatusCd="400" OR msgDtlTxt="Validation err*")
| eval msgTxt=substr(msgTxt, 1, 100)
| stats
values(_time) as DateTime
values(msgTxt) as Message
values(StatusCd) as code
BY userSesnId
| eval DateTime=strftime(DateTime , "%m-%d-%Y %I:%M:%S %p")
but its returning additional logs that I do not need or its only returning one specific log such as
Request recd
I need it to gather all the logs within a single userSesnId and return only if it contains these logs (see highlighted below) and count as 1.
msgTxt="Request recd." OR StatusCd="400" OR msgDtlTxt="Validation err*")
... View more
11-07-2024
10:53 AM
Hello, We identify a fails request by gathering data from 3 different logs. I need to group by userSesnId, and if these specific logs appear in my list, it defines a certain failure. I would like to count each failure by using these logs. I would greatly appreciate your help with write this search query. I hope this makes sense.. Thank you, I would like to use the information from these logs, grouped by userSesnId Log #1: msgDtlTxt: [Qxxx] - the quote is declined. msgTxt: quote creation failed. polNbr: Qxxx Log #2 httpStatusCd: 400 Log #3 msgTxt: Request. They all share the same userSesnId userSesnId: 10e30ad92e844d So my results should look something like this: polNbr msgDtlTxt msgTxt httpStatusCd count Qxxx Validation: UWing quote creation failed 400 1
... View more
Labels
- Labels:
-
lookup
10-15-2024
08:59 AM
Sorry.... I'm going to need to combine the policyid for both logs into one. Both do not work.. Thanks again for your help.. Call out </ index=xxx appSubLvlNam="QAA" (msgTxt="Starting Controller=Full Action=GetFullReportAssessment data*" OR msgTxt="API=/api/full/reportAssessment/ CallStatus=Success*") | eval msgTxt "Starting Controller=Full Action=GetFullReportAssessment data={"policyId":"Q123456789","inceptionDate":"20241011","postDate":"1900-01-01T12:00:00"}" | rex "\"policyId\":\"(?<policyId>\w+)\"" | table policyId > Response </ index=xxx appSubLvlNam="QAA" (msgTxt="Starting Controller=Full Action=GetFullReportAssessment data*" OR msgTxt="API=/api/full/reportAssessment/ CallStatus=Success*") | eval msgTxt "API=/api/full/reportAssessment/ CallStatus=Success Controller=full Action=GetFullReportAssessment Duration=17 data={"policyId":"Q123456789","inceptionDate":"20241015","postDate":"1900-01-01T12:00:00"} " | rex "\"policyId\":\"(?<policyId>\w+)\"" | table policyId >
... View more
10-15-2024
06:23 AM
</API=/api/full/reportAssessment/ CallStatus=Success Controller=Full Action=GetfullReportAssessment Duration=5 data={"policyId":"Q123456789","inceptionDate":"20241015","postDate":"1900-01-01T12:00:00"}> </Starting Controller=Full Action=GetClueReportAssessment data={"policyId":"Q123456789","inceptionDate":"20241015","postDate":"1900-01-01T12:00:00"}/
... View more
10-15-2024
05:59 AM
Unfortunately, it didn't pick up the policy ID. It returns a blank table
... View more
10-14-2024
10:00 PM
Greetings,
Please help!!
I need to extract the ID value from the two events below, and I’m kinda banging my head here… . I just need to list Q123456789 and each ID in my dashboard. But it I can’t get past all of the special characters.
I’ve tried using different combinations like this:
| eval msg=”the event”
| rex "msg =(?< policyId >\w+)”
| table policyId
But what I would really like to have something like this in my dashboard:
Starting Controller Q123456789
CallStatus=Success Q123456789
Starting Controller Q123456788
CallStatus=Success Q123456788
Starting Controller Q123456787
CallStatus=Success Q123456787
And so on.
Is this possible?
Your help is always appreciated.
Thanks
Starting Controller=Fall Action=GetFallReportAssessment data={"policyId":"Q123456789","inceptionDate":"20250501","postDate":"1900-01-01T12:00:00"}
API=/api/Fall/reportAssessment/ CallStatus=Success Controller=Fall Action=GetFallReportAssessment Duration=27 data={"policyId":"Q123456789","inceptionDate":"20250501","postDate":"1900-01-01T12:00:00"}
... View more
Labels
- Labels:
-
rex
10-02-2024
10:07 AM
Hello,
I'm attempting to display a group of logs by the tranId. We log multiple user actions under a single tranId. I'm attempting to group all of the logs for a single tranId in my dashboard.
I think I figured out how I want to display the logs, but I can't get the datetime format to correctly display.
index blah blah
| eval msgTxt=substr(msgTxt, 1, 141)
| stats list(_time) as DateTime list(msgTxt) as Message list(polNbr) as QuoteId by tranId
| eval time=strftime(_time," %m-%d-%Y %I:%M:%S %p")
| streamstats count as log by tranId
| eval tranId=if(log=1,tranId,"")
| fields - log
Please help with displaying date and time format.
Thanks
... View more
Labels
- Labels:
-
transaction
07-11-2024
12:20 PM
Any suggestions would be appreciated.
In the first row I would like to show only the first 34 characters and in the second row the first list 39 characters.
I figured out how to only show a certain number of characters for all rows, but not individual rows.
| eval msgTxt=substr(msgTxt, 1, 49)
| stats count by msgTxt
... View more
- Tags:
- substr
07-11-2024
11:22 AM
Hello, I'm trying to only capture and show only the time it took for the service to complete. Shown below, is is a record that says the service completed in 1901 ms. If you could please help write a search query to identify and return records into my dashboard panel that exceed 1909 ms? So, for example, if there are 10 records that exceed 1900 ms, it will look something like this: GetRisk completed in 1909 ms GetRisk completed in 1919 ms GetRisk completed in 2001 ms GetRisk completed in 2100 ms As so on..... msgTxt returns: VeriskService - GetRisk completed in 1909 ms. (request details: environment: Production | desired services: BusinessOwnersTerritory | property type: Commercial xxxxx) Thank you
... View more
Labels
- Labels:
-
panel
11-20-2022
07:48 AM
Hello,
I would like to extract specific values from a log and display it in my Dashboard.
For example, the value is:
?QuoteId=CA10118&AgentId=12345&state=MN&Category=RetailSales
Is it possible to extract the word "AgentId=12345" and "state=MN"?
"AgentId" and "state" will always be the same. The value that follows will always change.
I would like to also display each value in a separate column
i.e.
Agent ID State
12345 MN
Any help would be appreciated.
... View more
- Tags:
- data-extraction
Labels
- Labels:
-
field extraction
10-25-2022
06:14 AM
I'm trying to combine two simular values from the same field. and rename the values.
I would like to combine /v1/product and /v1/product/ and rename it Product API
Search String:
| stats count by urlPthTxt
I did try a few different commands but didn't work. Please help.
Thanks
... View more
- Tags:
- combine values
Labels
- Labels:
-
regex
10-06-2022
02:37 PM
This worked.. Thank you!!
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
yesterday
|
