Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About Punnu
Punnu
Path Finder
Member since:
03-13-2025
yesterday
Community Statistics
| Posts | 27 |
| Solutions | 1 |
| Karma Given | 4 |
| Karma Received | 0 |
| Member Since | 03-13-2025 |
Activity Feed
- Posted Re: Same query is giving diff count in dashboard panel and search on Dashboards & Visualizations. 3 hours ago
- Posted Same query is giving diff count in dashboard panel and search on Dashboards & Visualizations. yesterday
- Tagged Same query is giving diff count in dashboard panel and search on Dashboards & Visualizations. yesterday
- Posted How to pivot data on Splunk Search. Thursday
- Tagged How to pivot data on Splunk Search. Thursday
- Posted Re: How to use 2 different query in dashboard and hide few columns on Dashboards & Visualizations. Wednesday
- Posted Re: How to use 2 different query in dashboard and hide few columns on Dashboards & Visualizations. a month ago
- Posted Re: How to use 2 different query in dashboard and hide few columns on Dashboards & Visualizations. a month ago
- Posted Re: How to use 2 different query in dashboard and hide few columns on Dashboards & Visualizations. a month ago
- Posted Re: How to use 2 different query in dashboard and hide few columns on Dashboards & Visualizations. a month ago
- Posted Re: How to use 2 different query in dashboard and hide few columns on Dashboards & Visualizations. a month ago
- Posted Re: How to use 2 different query in dashboard and hide few columns on Dashboards & Visualizations. 04-06-2025 09:24 AM
- Posted Re: How to use 2 different query in dashboard and hide few columns on Dashboards & Visualizations. 04-06-2025 09:14 AM
- Posted Re: How to use 2 different query in dashboard and hide few columns on Dashboards & Visualizations. 04-06-2025 08:54 AM
- Posted Re: How to use 2 different query in dashboard and hide few columns on Dashboards & Visualizations. 04-06-2025 07:00 AM
- Posted Re: How to use 2 different query in dashboard and hide few columns on Dashboards & Visualizations. 04-06-2025 05:39 AM
- Posted Re: How to use 2 different query in dashboard and hide few columns on Dashboards & Visualizations. 04-06-2025 05:13 AM
- Posted Re: How to use 2 different query in dashboard and hide few columns on Dashboards & Visualizations. 04-05-2025 07:17 PM
- Posted Re: How to use 2 different query in dashboard and hide few columns on Dashboards & Visualizations. 04-05-2025 06:17 PM
- Posted Re: How to use 2 different query in dashboard and hide few columns on Dashboards & Visualizations. 04-05-2025 08:42 AM
3 hours ago
Hello @bowesmana Yes outer query is for 1 hr and inner is for 5 hrs . Are u saying these two in separate panel and use result of these in third one and append it ?
... View more
yesterday
Hello All , I am running one query and exactly sme query I am trying to run from search but I am getting diff counts . ```query for apigateway call```
index=aws_np earliest=1746540480 latest=1746544140 Method response body : sourcetype="aws:apigateway"
| rex field=_raw "Method response body : (?<json>[^$]+)"
| spath input=json path="header.messageID " output=messageID
| spath input=json path="payload.statusType.code" output=status
| spath input=json path="payload.statusType.text" output=text
| spath input=json path="header.action" output=action
| where status=200
| rename _time as request_time
```dedupe is added to remove duplicates ```
| dedup messageID
| append
[ search index="aws_np" earliest=1746540480 latest=1746558480
| rex field=_raw "messageID \": String\(\"(?<messageID >[^\"]+)"
| rex field=_raw "source\": String\(\"(?<source>[^\"]+)"
| rex field=_raw "type\": String\(\"(?<type>[^\"]+)"
| rex field=_raw "detail-type\": String\(\"(?<detail_type>[^\"]+)"
| where source="XXX" and type="XXXXX" and detail_type="XXXX"
| stats distinct_count( messageID ) as cnt_guid by messageID ,_time ``` by time is added because we are duplicate records of same time and guid ```
| stats count(cnt_guid) as published_count by messageID
| dedup messageID
| fields messageID , published_count
]
| stats values(action) as request_type sum(published_count) as published_count2 by messageID
| where isnotnull(request_type)
| eventstats sum(published_count2) by request_type| dedup request_type
| search request_type="Create" OR request_type="Update"
| head 2
| fields sum(published_count2) request_type So I ran query from dashboard panel and then used RUN Search option to run it direclty but I am getting diff count . Search is giving correct result . Dashboard is giving less
... View more
- Tags:
- search
Labels
- Labels:
-
Classic dashboard
Thursday
I have data like this id time Conatcts x1 4/22/2011 10:00 676689 x1 4/23/2011 11:00 I want it like as shown below : Lw_mesage time is time when conatctid column is null and other when conatcid column has value id lw_message_time standardised message x1 4/23/2011 10:00 4/23/2011 11:00
... View more
- Tags:
- search
Wednesday
I got solution of this by following what is mentioned in https://community.splunk.com/t5/Splunk-Search/Query-running-time/m-p/367124#M108287
... View more
a month ago
Hello @PickleRick ,even simple search is failing . I tried keeping it in [] also ,still erroring out
... View more
a month ago
Hi @ITWhisperer , I will try to find out this with our Splunk enterprise team . But if that is true, this should also happen in this case also where space between date and hrs is replaces by : then it is running fine but I am not sure if it running correct timings which I mean is 12-March-2025 to 13-march-2025
... View more
a month ago
Hi @ITWhisperer , I am observing one thing when I am changing to following format , instead of space giving : (highlighted in red ) , then it is running but not getting values of earliest, latest. Not sure is this correct way to display values . index=aws_np [| makeresults | eval earliest=strptime("12/03/2025:13:00","%d/%m/%Y %H:%M") | eval latest=relative_time(earliest,"+1d") | table earliest, latest] | table earliest, latest
... View more
a month ago
04-06-2025
09:24 AM
Could there a possibility this playing any role is error
... View more
04-06-2025
09:14 AM
index="aws_np" [| makeresults
| eval earliest=strptime("12/03/2025 13:00","%d/%m/%Y %H:%M")
| eval latest=relative_time(earliest,"+1d")
| table earliest latest] Even bare minimum when I am running I am getting this issue . Am I really making some trivial mistake . Could there a possibility that last 24 hours which got selected playing any role for error
... View more
04-06-2025
07:00 AM
index="aws_np" [| makeresults
| eval earliest=strptime("12/03/2025 13:00","%d/%m/%Y %H:%M")
| eval latest=relative_time(earliest,"+1d")
| table earliest latest]
| rex field=_raw "messageGUID\": String\(\"(?<messageGUID>[^\"]+)"
| rex field=_raw "source\": String\(\"(?<source>[^\"]+)"
| rex field=_raw "type\": String\(\"(?<type>[^\"]+)"
| rex field=_raw "addBy\": String\(\"(?<addBy>[^\"]+)"
| where type="Contact"
| stats count by source I tried exactly same way , Error in 'search' command: Unable to parse the search: 'AND' operator is missing a clause on the left hand side.
... View more
04-06-2025
05:39 AM
But when I am running this I am getting Error in 'search' command: Unable to parse the search: 'AND' operator is missing a clause on the left hand side.
... View more
04-06-2025
05:13 AM
Hello @ITWhisperer , First of all thanks for spending time on it .I am trying running simple query ( not subsearch ) as follows still it is not running . Basically I am trying to understand how do we calculate any parameter value while query runs . index="aws_np" earliest="12/03/2025:13:00" latest=[| makeresults
| eval earliest=strptime("12/03/2025 13:00","%d/%m/%Y %H:%M")
| eval latest=relative_time(earliest,"+1d")
| table latest]
| rex field=_raw "messageGUID\": String\(\"(?<messageGUID>[^\"]+)"
| rex field=_raw "source\": String\(\"(?<source>[^\"]+)"
| where type="Contact"
| stats count by source Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the right hand side: (latest = "1741885200.000000"). how can I solve this
... View more
04-05-2025
07:17 PM
Also I tried it like [ search index="aws_np" [| makeresults
| eval earliest=strptime("12/03/2025","%d/%m/%Y")
| eval latest=relative_time(earliest,"+1d")
| table earliest latest] host="test" app_environment=qa
| rex field=_raw "messageGUID\": String\(\"(?<messageGUID>[^\"]+)" but getting below error : Error in 'search' command: Unable to parse the search: 'AND' operator is missing a clause on the left hand side.
... View more
04-05-2025
06:17 PM
Hello @ITWhisperer | eval latest_time=strptime("03/12/2025:12:30:00", "%m/%d/%Y:%H:%M:%S")
| eval new_latest_time=(latest_time + 18000) ``` 18000 seconds = 5 hrs ```
| eval new_latest_time_str=strftime(new_latest_time, "%m/%d/%Y:%H:%M:%S")
| append
```query for event brigdel```
[ search index="aws_np" earliest="03/12/2025:12:30:00" latest=$new_latest_time_str$ host="EventConsumer-mdm I tried writing it as above ( query is not complete ). Just wanted to share I tried evaluating values and then trying using within sub search but it is giving following error : Invalid value "$new_latest_time_str$" for time term 'latest'
... View more
04-05-2025
08:42 AM
hi @ITWhisperer , based on date provided in main search lets say 12/mar/2025 1pm - 12/mar/2025 1:30 PM , I wan to use 12/mar/2025 only date in second one
... View more
04-05-2025
07:15 AM
Hello @PickleRick , Thanks for pointing out issues , I will check my query and see how can I optimize it . Logging is not perfect that why I have to take this route . I will check and see how can I make it better . Also I am looking for one guid . That part is commented. I am looking for whole set
... View more
04-05-2025
03:57 AM
Hello @ITWhisperer how can override time of appended search
... View more
04-04-2025
07:31 PM
Hi All, I have created one query and it is working fine in search. I am sharing part of code from dashboard. In first part of call if you see I have hardcoded by earliest and latest time . But i want to pass those as input values by selecting input time provided on dashboard and then remaining part of query I want to run for whole day or lets say another time range . becuse it is possible that request i have received during mentioned time might get process later at dayy.How can I achieve this . Also I want to hide few columns at end like message guid , request time and output time . <panel>
<table>
<title>Contact -Timings</title>
<search>
<query>```query for apigateway call```
index=aws* earliest="03/28/2025:13:30:00" latest="03/28/2025:14:35:00"
Method response body after transformations: sourcetype="aws:apigateway"
| rex field=_raw "Method response body after transformations: (?<json>[^$]+)"
| spath input=json path="header.messageGUID" output=messageGUID
| spath input=json path="payload.statusType.code" output=status
| spath input=json path="payload.statusType.text" output=text
| spath input=json path="header.action" output=action
| where status=200 and action="Create"
| rename _time as request_time
```dedupe is added to remove duplicates ```
| dedup messageGUID
| append
```query for event brigdel```
[ search index="aws_np"
| rex field=_raw "messageGUID\": String\(\"(?<messageGUID>[^\"]+)"
| rex field=_raw "source\": String\(\"(?<source>[^\"]+)"
| rex field=_raw "type\": String\(\"(?<type>[^\"]+)"
| where source="MDM" and type="Contact" ```and messageGUID="0461870f-ee8a-96cd-3db6-1ca1f6dbeb30"```
| rename _time as output_time | dedup messageGUID
]
| stats values(request_time) as request_time values(output_time) as output_time by messageGUID
| where isnotnull(output_time) and isnotnull(request_time)
| eval timeTaken=(output_time-request_time)/60| convert ctime(output_time)| convert ctime(request_time)
| eventstats avg(timeTaken) min(timeTaken) max(timeTaken) count(messageGUID)
| head 1</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
... View more
Labels
- Labels:
-
Classic dashboard
-
panel
04-03-2025
03:35 AM
hi @livehybrid Thank you for reply . I would like to ask one more question . Post filtering out records how we can find count of messageID
... View more
04-02-2025
07:30 PM
I have two searches and I only want to find rows which has common MessageID . Currently it is returning extra row because of second search . Query before Or is returning 100 records and after OR one was returning 110 rows and for those extra 10 rows messageID in first is NULL , So I want to drop those messages . Please help how can i change this query to make it work . I am trying to find count of matched IDs and list of all such ids ```query for apigateway call```
(index=aws_np earliest="03/28/2025:13:30:00" latest="03/28/2025:14:35:00" Method response body after transformations: sourcetype="aws:apigateway" business_unit=XX aws_account_alias
="XXXX" network_environment=xxXXX source="API-Gateway-Execution-Logs*" (application="xXXXXX" OR application="xXXXX-xXX")
| rex field=_raw "Method response body after transformations: (?<json>[^$]+)"
| spath input=json path="header.messageID" output=messageID
| spath input=json path="payload.statusType.code" output=status
| spath input=json path="payload.statusType.text" output=text
| spath input=json path="header.action" output=action
| where status=200 and action="Create" `
| rename _time as request_time
| table messageID, request_time)
| append
```query for 2nd query call```
[ search kubernetes_cluster="eks-XXX*" index="aws_XXX" sourcetype = "kubernetes_logs" source = *XXXX* "sendData"
| rex field=_raw "sendData: (?<json>[^$]+)"
| spath input=json path="header.messageID" output=messageID
| rename _time as pubsub_time
| table messageID, pubsub_time
] | stats values(request_time) as request_time values(pubsub_time) as pubsub_time by messageID
... View more
- Tags:
- append
03-31-2025
06:37 AM
@bowesmana , Thanks for sharing one way of doing it . I did some changes and trying to get result it is returning it in epoch form ( that value is coming from outer _time) because when I am again converting it to readable format it is getting converted to request_time . index=aws_XXX Method response body after transformations: sourcetype="aws:apigateway" business_unit=XX aws_account_alias="XXXXX" network_environment=qa source="API-Gateway-Execution-Logs*" (application="XXX" OR application="XXXX") | rex field=_raw "Method response body after transformations: (?<json>[^$]+)" | spath input=json path="header.messageGUID" output=messageGUID | spath input=json path="payload.statusType.code" output=status | spath input=json path="payload.statusType.text" output=text
| where status=200 and messageGUID="af2ee9ec-9b02-f163-718a-260e83a877f0"
| rename _time as request_time | fieldformat request_time=strftime(request_time, "%F %T")
| table messageGUID,request_time
| join type=inner messageGUID [ search kubernetes_cluster="XXXX*" index="aws_xXXX" sourcetype = "kubernetes_logs" source = *XXXX* | rex field=_raw "sendData: (?<json>[^$]+)"
| spath input=json path="header.messageGUID" output=messageGUID
| where messageGUID="af2ee9ec-9b02-f163-718a-260e83a877f0"
| rename _time as pubsub_time | fieldformat pubsub_time=strftime(pubsub_time, "%F %T")
| table messageGUID, pubsub_time ]
|table messageGUID, request_time, pubsub_time kubernetes_cluster="eks-XXXX" index="aws_XXXX" sourcetype = "kubernetes_logs" source = *da_XXXXX* " "sendData" | rex field=_raw "sendData: (?<json>[^$]+)"
| spath input=json path="header.messageGUID" output=messageGUID
| where messageGUID="af2ee9ec-9b02-f163-718a-260e83a877f0"
| rename _time as pubsub_time | fieldformat pubsub_time=strftime(pubsub_time, "%F %T")
| table messageGUID, pubsub_time When I am running inner search value I am getting Also I would like to understand option you have provided ,can I run it for multiple dataset ?
... View more
03-30-2025
04:31 PM
index=aws* Method response body after transformations: sourcetype="aws:apigateway" business_unit=XX aws_account_alias="xXXX" network_environment=test source="API-Gateway-Execution-Logs*" | rex field=_raw "Method response body after transformations: (?<json>[^$]+)" | spath input=json path="header.messageGUID" output=messageGUID | spath input=json path="payload.statusType.code" output=status | spath input=json path="payload.statusType.text" output=text
| where status=200
| rename _time as request_time | fieldformat request_time=strftime(request_time, "%F %T")
| join type=inner messageGUID [ search kubernetes_cluster="eks-XXXXX*" index="awsXXXX" sourcetype = "kubernetes_logs" source = *XXXX* "sendData" | rex field=_raw "sendData: (?<json>[^$]+)"
| spath input=json path="header.messageGUID" output=messageGUID
| table messageGUID, _time ]
|table messageGUID, request_time, _time _time is coming as Null as output Also how can I rename this field also ?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
yesterday
|
