Channel: Questions in topic: "splunk-enterprise"
Viewing all 47296 articles

How to create JointJS visualization when multivalue fields needs to be joined?

I'm working on creating an order flow chart and using JointJS for the same. When an order is progressing, it passes through 4-5 application layers multiple times. For example App A --> order passed through twice, App B --> order passed through five times, etc. While creating the flowchart, I want to show all the times the order passed through App A in a single box, and likewise for the rest of the apps. Using the stats command I created multivalues for the same and defined the FROM and TO required for JointJS. But when I use the multivalue it is unable to render the JointJS diagram; when I convert the multivalue to a single value, it is able to load. Is there a way I can create a JointJS diagram using multivalue? Below is my whole SPL, in case my question is not clear.

Working Single Value:

    index="ccb-eai" "1-324447214042" (("SalesOrderProvisioningAcknowledgement" AND "CCB EAI SalesOrderProvisioningAcknowledgement Req" ) OR ("ACSSalesOrderProvisioning" AND "Splunk.MonitorMessage.Request") OR ("SalesOrderItemResponse" AND "Splunk.MonitorMessage.Request"))
    | fields - _raw
    | table _time,source,bename
    | eval STATUS=case(bename=="ACSSalesOrderProvisioning","Order Received in EAI",bename=="SalesOrderProvisioningAcknowledgement","SOPA Received in EAI",bename=="SalesOrderItemResponse","SOIR Received in EAI")
    | table _time,STATUS
    | append [ search index="islful" "1-324447214042" "createOrder" "REQUEST_INBOUND" | eval STATUS="Order Received in ISLFUL" | table _time,STATUS]
    | append [ search index="ccb-eai" "1-324447214042" bename=ACSSalesOrderProvisioning | rex "(?i)\(?P[^<]+)" | rex "(?i)\(?P[^<]+)" | table _time,SubmitDate,CreateDate | rename CreateDate as "Order Created in RCRM",SubmitDate as "Order Submitted in RCRM" | transpose 0 | where column!="_time" | rename "row 1" as "row" , column as "STATUS" | eval _time=strptime(row,"%m/%d/%Y %H:%M:%S") | fields - row]
    | append [| inputlookup kv_tcoe_order_timeline_tracker | where like(OrderNumber,"%1-324447214042%") | eval STATUS="Order Received in OMFUL" | eval _time=strptime(Time,"%Y-%m-%d %H:%M:%S") | table _time,STATUS]
    | append [ search index=omful source=OMFUL_DB_TBL_CONTRACT* "*1-324447214042*" | eval _time=strptime(MODIFIED_DATE,"%Y-%m-%d %H:%M:%S") | eval STATUS="Order ".STATUS." in OMFUL" | table _time,STATUS]
    | sort _time
    | eval Timestamp=strftime(_time,"%Y-%m-%d %H:%M:%S.%3Q")
    | eval STATUS=Timestamp."-->".STATUS
    | eval FROM=case(like(STATUS,"%Order Created in RCRM%"),"RCRM", like(STATUS,"%Order Submitted in RCRM%"),"RCRM", like(STATUS,"%Order Received in EAI%"),"RCRM", like(STATUS,"%Order Received in ISLFUL%"),"EAI", like(STATUS,"%Order Received in OMFUL%"),"ISLFUL", like(STATUS,"%SOPA Received in EAI%"),"ISLFUL", like(STATUS,"%Order In Progress in OMFUL%"),"OMFUL", like(STATUS,"%SOIR Received in EAI%"),"ISLFUL")
    | eval TO=case(like(STATUS,"%Order Created in RCRM%"),"RCRM", like(STATUS,"%Order Submitted in RCRM%"),"RCRM", like(STATUS,"%Order Received in EAI%"),"EAI", like(STATUS,"%Order Received in ISLFUL%"),"ISLFUL", like(STATUS,"%Order Received in OMFUL%"),"OMFUL", like(STATUS,"%SOPA Received in EAI%"),"EAI", like(STATUS,"%Order In Progress in OMFUL%"),"ISLFUL", like(STATUS,"%SOIR Received in EAI%"),"EAI")
    | eval App=case(like(STATUS,"%Order Created in RCRM%"),"RCRM", like(STATUS,"%Order Submitted in RCRM%"),"RCRM", like(STATUS,"%Order Received in EAI%"),"EAI", like(STATUS,"%Order Received in ISLFUL%"),"ISLFUL", like(STATUS,"%Order Received in OMFUL%"),"OMFUL", like(STATUS,"%SOPA Received in EAI%"),"EAI", like(STATUS,"%Order In Progress in OMFUL%"),"OMFUL", like(STATUS,"%SOIR Received in EAI%"),"EAI")
    | stats list(STATUS) as STATUS,list(Timestamp) as Timestamp by App
    | sort - STATUS
    | streamstats current=false window=1 values(STATUS) as TO
    | sort STATUS
    | where isnotnull(TO)
    | rename STATUS as "FROM"
    | fields FROM,TO,App
    | eval FROM=mvjoin(FROM,",")
    | eval TO=mvjoin(TO,",")

Not Working Multivalue:

    index="ccb-eai" "1-324447214042" (("SalesOrderProvisioningAcknowledgement" AND "CCB EAI SalesOrderProvisioningAcknowledgement Req" ) OR ("ACSSalesOrderProvisioning" AND "Splunk.MonitorMessage.Request") OR ("SalesOrderItemResponse" AND "Splunk.MonitorMessage.Request"))
    | fields - _raw
    | table _time,source,bename
    | eval STATUS=case(bename=="ACSSalesOrderProvisioning","Order Received in EAI",bename=="SalesOrderProvisioningAcknowledgement","SOPA Received in EAI",bename=="SalesOrderItemResponse","SOIR Received in EAI")
    | table _time,STATUS
    | append [ search index="islful" "1-324447214042" "createOrder" "REQUEST_INBOUND" | eval STATUS="Order Received in ISLFUL" | table _time,STATUS]
    | append [ search index="ccb-eai" "1-324447214042" bename=ACSSalesOrderProvisioning | rex "(?i)\(?P[^<]+)" | rex "(?i)\(?P[^<]+)" | table _time,SubmitDate,CreateDate | rename CreateDate as "Order Created in RCRM",SubmitDate as "Order Submitted in RCRM" | transpose 0 | where column!="_time" | rename "row 1" as "row" , column as "STATUS" | eval _time=strptime(row,"%m/%d/%Y %H:%M:%S") | fields - row]
    | append [| inputlookup kv_tcoe_order_timeline_tracker | where like(OrderNumber,"%1-324447214042%") | eval STATUS="Order Received in OMFUL" | eval _time=strptime(Time,"%Y-%m-%d %H:%M:%S") | table _time,STATUS]
    | append [ search index=omful source=OMFUL_DB_TBL_CONTRACT* "*1-324447214042*" | eval _time=strptime(MODIFIED_DATE,"%Y-%m-%d %H:%M:%S") | eval STATUS="Order ".STATUS." in OMFUL" | table _time,STATUS]
    | sort _time
    | eval Timestamp=strftime(_time,"%Y-%m-%d %H:%M:%S.%3Q")
    | eval STATUS=Timestamp."-->".STATUS
    | eval FROM=case(like(STATUS,"%Order Created in RCRM%"),"RCRM", like(STATUS,"%Order Submitted in RCRM%"),"RCRM", like(STATUS,"%Order Received in EAI%"),"RCRM", like(STATUS,"%Order Received in ISLFUL%"),"EAI", like(STATUS,"%Order Received in OMFUL%"),"ISLFUL", like(STATUS,"%SOPA Received in EAI%"),"ISLFUL", like(STATUS,"%Order In Progress in OMFUL%"),"OMFUL", like(STATUS,"%SOIR Received in EAI%"),"ISLFUL")
    | eval TO=case(like(STATUS,"%Order Created in RCRM%"),"RCRM", like(STATUS,"%Order Submitted in RCRM%"),"RCRM", like(STATUS,"%Order Received in EAI%"),"EAI", like(STATUS,"%Order Received in ISLFUL%"),"ISLFUL", like(STATUS,"%Order Received in OMFUL%"),"OMFUL", like(STATUS,"%SOPA Received in EAI%"),"EAI", like(STATUS,"%Order In Progress in OMFUL%"),"ISLFUL", like(STATUS,"%SOIR Received in EAI%"),"EAI")
    | eval App=case(like(STATUS,"%Order Created in RCRM%"),"RCRM", like(STATUS,"%Order Submitted in RCRM%"),"RCRM", like(STATUS,"%Order Received in EAI%"),"EAI", like(STATUS,"%Order Received in ISLFUL%"),"ISLFUL", like(STATUS,"%Order Received in OMFUL%"),"OMFUL", like(STATUS,"%SOPA Received in EAI%"),"EAI", like(STATUS,"%Order In Progress in OMFUL%"),"OMFUL", like(STATUS,"%SOIR Received in EAI%"),"EAI")
    | stats list(STATUS) as STATUS,list(Timestamp) as Timestamp by App
    | sort - STATUS
    | streamstats current=false window=1 values(STATUS) as TO
    | sort STATUS
    | where isnotnull(TO)
    | rename STATUS as "FROM"
    | fields FROM,TO,App

Regards, Chris.

how to compare two search results and display only missing values in one searched result respect to other

I have two sets of results which give AVC_ID, and what I want is to compare these two sets of results and only display the missing AVC_ID with respect to each searched result. For example:

    search result 1: AVC1 AVC2 AVC3
    search result 2: AVC1 AVC3 AVC4

Expected output:

    1. missed value in search result 1 with respect to search result 2: AVC4
    2. missed value in search result 2 with respect to search result 1: AVC2

I tried the queries below and am getting an error.

search 1:

    eventtype="li_specific" |eval (AVC_ID=case(searchmatch("AVC*"),"AVC*") |dedup AVC_ID,_time |append [search eventtype="hfc" |eval (AVC_ID=case(searchmatch("AVC*"),"AVC*") |dedup AVC_ID,_time ] |table AVC_ID

search 2:

    eventtype="ne_config" |eval (AVC_ID=case(searchmatch("AVC*"),"AVC*") |dedup AVC_ID,_time |table AVC_ID

comparison query:

    eventtype="li_specific" |eval (AVC_ID=case(searchmatch("AVC*"),"AVC*") |dedup AVC_ID,_time |append [search eventtype="hfc" |eval (AVC_ID=case(searchmatch("AVC*"),"AVC*") |dedup AVC_ID,_time ] NOT ([search eventtype="ne_config" |eval (AVC_ID=case(searchmatch("AVC*"),"AVC*") |dedup AVC_ID,_time |table AVC_ID |rename AVC_ID as "avc missing in ne config"])

Error which I got while running the comparison search:

    Error in 'append' command: The last argument must be a subsearch

Could you please help me with how to achieve this? Thanks in advance. Mani

splunk visualization separate lines per day in a line graph

I have a query that counts events from 30 days ago to the current day, but I filter the results so that I am only getting the count of events for the days in those 30 days that equal the current weekday. So if today is Wednesday, I would only see the count of events for all the Wednesdays in the last 30 days. The query is below:

    index=abc sourcetype=abc_proxy(Action=InteractionQueued OR Action=InteractionDequeued) earliest=-30d@d latest=now()
    | timechart span=1d count
    | eval day_of_week = lower(strftime(_time, "%A")), now = lower(strftime(now(), "%A"))
    | where day_of_week = now
    | fields - day_of_week - now

The table is kind of big because I am doing hourly breakdowns, but a portion of the output looks like this:

    _time             count
    2018-07-11T00:00   7872
    2018-07-11T01:00   5741
    2018-07-11T02:00   6480
    2018-07-11T03:00  10198
    2018-07-11T04:00  11394
    2018-07-11T05:00  17033
    2018-07-11T06:00  17464
    2018-07-11T07:00  21961
    2018-07-11T08:00  28636
    2018-07-11T09:00  27801
    2018-07-11T10:00  28537
    2018-07-11T11:00  27996
    2018-07-11T12:00  24798
    2018-07-11T13:00  27681
    2018-07-11T14:00  25653
    2018-07-11T15:00  32204
    2018-07-11T16:00  32450
    2018-07-11T17:00  23217
    2018-07-11T18:00  23988
    2018-07-11T19:00  22152
    2018-07-11T20:00  19021
    2018-07-11T21:00  19446

My problem now is with the visualization. Right now I get one continuous line for all the weekdays that match the current weekday. I would like to have a line graph where each day is a separate line in the graph and where each line has an hourly granularity. I wish I could attach images but I don't have enough points. But basically, whatever the output of the query is, switch to the visualization tab and select line graph. Thanks in advance

fetch dynamic data to splunk

Hello, I have a database with some tables in it. The data in those tables is updated daily with new values. So how can I link this to Splunk so that the entire data comes into Splunk and the data updates are reflected in Splunk directly?

data validation Lookups

Hi Team, I am new to Splunk and need help in validating data in a lookup. I have a lookup and the data is like below:

    ci_list_lookup
    sys_id     name        class_name
    **xyz**    Anil        H
    **abc**    Anthony     B
    def        **abc**     ci
    lmn        nirav       H
    pqr        **xyz**     ci

Here the name column contains sys_id values, which I don't want. I want to create a lookup which looks like below:

    sys_id     name        class_name
    xyz        Anil        H
    abc        Anthony     B
    def        Anthony     ci
    lmn        nirav       H
    pqr        Anil        ci

I tried using joins and self joins, but it didn't work. Please help me in getting the above output.

Changing the reports permission is taking long time and failing due to time outs

Hi, We have installed Splunk on one of our virtual machines. The Splunk URL is accessible locally (from laptop/desktop) as well as within the virtual machine. The issue I am having here is that when I access the URL locally, creating a report and saving it is fast, whereas when I try to edit the permissions for the same report it fails with a time-out error. However, when the same thing is done from the virtual machine, there is no issue. Moreover, the version I installed is 7.1.2. For the other version that I have, i.e. 6.5.1, there is no similar issue. Can someone guide me on this? Is this a bug with the new version? Thanks & Regards, Sushma.

DBConnect Sybase: Connect error: no protocol

Hello Everyone, I am setting up database monitoring using DB Connect. It worked well for MSSQL, Oracle and DB2; however, Sybase is not giving up. I am getting the following error:

    Connect error: no protocol: :myip:myport/databasename

In the drivers section, it got recognised correctly as version 7.0. Any ideas on the issue? I am able to telnet to the host:port, so no network issues there.

How to change the instance and machine name without getting authentication errors on Monitoring Console?

Hi, I have a Splunk server that acts as a Monitoring Console for my indexer. I wanted to change the server name of the server with the Monitoring Console, both in inputs.conf and server.conf. After I did so and restarted the instance it will no longer connect to my indexer over REST, and thus information in the Monitoring Console is missing. The error I'm getting is that the authentication token is wrong. Is there a way of changing the server name on my Monitoring Console without getting authentication errors?

How to rewrite this query to get percentage at each range

    index=sample
    | eval Latency=case(walltime<500, "0-0.5s", walltime>=500 AND walltime<1000, "0.5s-1s", walltime>=1000 AND walltime<3000, "1s-3s", walltime>=3000 AND walltime<6000, "3s-6s", walltime>=4000 AND walltime<10000, "6s-10s", walltime>=10000 AND walltime<30000, "10s-30s", walltime>=30000, ">=30s")
    | eval Date =strftime(_time,"%d/%m/%Y")
    | chart count as RequestCount over Date by Latency

The above query gives me output in the format below:

    Date       | 0-0.5s | 0.5s-1s | 1s-3s | 3s-6s | 6s-10s | 10s-30s
    08/08/2018 | 100    | 20      | 50    | 56    | 70     | 20

I would like to represent this count in terms of percentage. How do I do the calculation? Please let me know.

Required information about App compatibility

Cisco Security Suite & Splunk for Cisco ISE add-on are not compatible with Splunk version 7.1.x. Please let us know what the estimated time for releasing compatible versions of these apps will be.

Build a custom visualization issue

Hi team, I used the "Build a custom visualization" tutorial at http://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/CustomVizTutorial#Build_the_app . I do not get my custom radial_meter visualization in my Search and Reporting app, although all instructions have been followed correctly. Where should I check?

Get list of VM's from splunk

Is there a way to get the list of VMs which are forwarding data to Splunk?

Splunk addon builder - How Create Input which shows list of index?

Hello, I have a requirement in a new app being built using Add-on Builder to create an input parameter called "choose index". This parameter should show the list of available indexes, from which a user selects one index. I don't see this option in the Splunk Add-on Builder helper functions. However, the Splunk doc does show such an option in a picture just above the section called **Pass values from data input parameters**: https://docs.splunk.com/Documentation/AddonBuilder/2.2.0/UserGuide/ConfigureDataCollectionAdvanced

Another picture, from an add-on which has this feature: ![alt text][1]

[1]: /storage/temp/255661-2018-08-09-182101.png

Can anyone help me on this please?

Compare two table searchers and combine to single table (where condition)

Hi, I have two different search results in corresponding table format, and want to achieve something like "select b.column1, b.column2 from table a, table b where a.column1 = b.column1" in a single search. Table 'a' contains a single column named TransactionID, where table 'b' contains two columns named TransactionID, Errors.

Search 1:

    index=app source=*.log "FATAL" | rex "some value (?.+) somemore" | table TID

Search 2:

    index=app source=*.log "ERROR_TEXT" | rex "some value (?.+) somemore" | rex field=_raw "some txt (?.+)" | table TID, ErrorText

Required output is like "select b.column1, b.column2 from table a, table b where a.column1 = b.column1" in a single search.

No inventory data from vCenter. Perf data working and both inv and perf working on all other vCenters

Hello! I have 8 vCenters and it seems that one of them is not receiving any inventory data. The other 7 have no problems at all. The offending vCenter provides perf data. ![alt text][1]

I have doubled or tripled the interval and expiration for collection, e.g. cluster inv: Interval: 1800, Expiration: 1800, but it has done nothing for this one vCenter. The only error I see in the logs is this, recurring over and over again:

    2018-08-09 08:04:29,712 ERROR [ta_vmware_collection_worker://delta:100130] Server raised fault: 'The object 'vmodl.query.PropertyCollector:session[52311025-1eca-6e39-10c3-fd37ee67f239]521e85a3-8f6f-8d24-72de-30900a54b405' has already been deleted or has not been completely created'
    Traceback (most recent call last):
      File "/opt/splunk/etc/apps/Splunk_TA_vmware/bin/inventory_handlers.py", line 507, in run
        last_version, hierarchyCollector, target_config_object, mor = inventory.CreateHierarchyCollector(managedObjectReference=last_mor, version=last_version, updateType="recycle", targetConfigObject="ResourcePool")
      File "/opt/splunk/etc/apps/Splunk_TA_vmware/bin/vim25/inventory.py", line 397, in CreateHierarchyCollector
        raise e
    WebFault: Server raised fault: 'The object 'vmodl.query.PropertyCollector:session[52311025-1eca-6e39-10c3-fd37ee67f239]521e85a3-8f6f-8d24-72de-30900a54b405' has already been deleted or has not been completely created'

[1]: /storage/temp/255663-capture.png

Can we forward a specific table of a DB to splunk

Is it possible to forward specific tables of a DB to Splunk? I understand that we can push the complete DB and create a dashboard to see the data we wish to. But I am more interested in understanding whether we can just feed a table to the forwarder. Many thanks in advance

Replication Factor with N+1 indexer

Hello, I would like to know what the workflow of the current situation is. We have set the replication factor to 3 and deployed a cluster of 5 indexers. Where is the data stored? Is it like the process of RAID 5 or something else? Could I lose 2 servers and still guarantee our data integrity? Thank you

Multiline field in modular input getting newline removed while indexed

I am creating a modular input. My input is a CSV and I convert it to JSON to be imported as a new event in Splunk. Several of the fields have newlines in the data. However, once indexed the newlines are removed. Here is the code that does it:

    import calendar
    import csv
    import json
    import time

    # data, time_pattern, index, helper and ew come from the Add-on Builder input context
    csvdata = [row for row in csv.reader(data.splitlines())]
    header = csvdata.pop(0)
    for row in csvdata:
        e = {}
        for col, val in zip(header, row):
            col = col.replace(" ", "_")
            e[col] = val
        event_time = calendar.timegm(time.strptime(e["timefield"], time_pattern))
        event = helper.new_event(data=json.dumps(e), time=event_time, index=index, unbroken=True)
        ew.write_event(event)

One thing I've tried is adding SHOULD_LINEMERGE=0 to props.conf, which didn't work. Is there a way to tell Splunk not to remove the newlines from fields? Thanks!
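An added check, not the poster's code, that isolates where the newline is lost: csv.reader discards the line break inside a quoted field when it is handed lines that were already split with splitlines(), while a file-like object with newline='' keeps it, and json.dumps/json.loads then round-trips it intact. The sample CSV and the helper names are constructed for this example.

```python
import csv
import io
import json

# Constructed sample: the second column is a quoted value spanning two lines,
# the shape of field the modular input above reads.
SAMPLE_CSV = 'timefield,Error Message\n2018-08-09 08:04:29,"line one\nline two"\n'


def rows_via_splitlines(data):
    """Same pattern as the posted input: pre-split the text, then hand the
    list of lines to csv.reader. The reader never sees a '\\n' character,
    so it cannot keep one inside a quoted field."""
    return [row for row in csv.reader(data.splitlines())]


def rows_via_stringio(data):
    """Hand csv.reader a file-like object (newline='' as the csv docs
    recommend) so the '\\n' inside the quoted field reaches the parser."""
    return [row for row in csv.reader(io.StringIO(data, newline=""))]


def rows_to_events(rows):
    """Header + rows -> the JSON strings the modular input would write."""
    header = [col.replace(" ", "_") for col in rows[0]]
    return [json.dumps(dict(zip(header, row))) for row in rows[1:]]


def newline_survives(data, parser):
    """True if the first event's Error_Message still holds a newline after
    parsing with `parser` and a JSON encode/decode round trip."""
    events = rows_to_events(parser(data))
    return "\n" in json.loads(events[0])["Error_Message"]


if __name__ == "__main__":
    print("splitlines:", newline_survives(SAMPLE_CSV, rows_via_splitlines))  # False
    print("StringIO:  ", newline_survives(SAMPLE_CSV, rows_via_stringio))    # True
```

Printing the JSON the input produces before it is written is the quickest way to tell whether the newline is already gone at this stage or is being dropped on the indexing side.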

Using HTML to execute a cURL command

Hello all, My ultimate goal is to have a button (or buttons) on a Splunk dashboard which will inform other users when they have left their desk. My current method is to add a clickable button using HTML on an HTML-converted dashboard which will execute a cURL command. The cURL command is used to send data via the HTTP Event Collector to an index which would have the latest status of each user. I am able to execute the cURL command just fine with what I have below in the CLI:

    `curl -k https://:8088/services/collector -H 'Authorization: Splunk ' -d '{"sourcetype": "cURL", "event":"name=JOHN location=WEST status=OUT"}'`

I've attempted to convert the cURL command to an HTML form for the dashboard, but what I'm using doesn't pass the HEC token properly:

When using the above HTML, I get the following error: `{"text":"Token is required","code":2}` Any guidance on how to pass the HEC token or a more efficient method would be greatly appreciated.
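An added example, my own code rather than anything from the post: a local stub of the /services/collector endpoint plus a client that sends the same status event the cURL command does, once without the Authorization header (the "Token is required" reply above) and once with it. The stub token is constructed and the reply bodies are modelled on the documented HEC responses; a plain HTML form cannot set an Authorization header, and a token placed in client-side dashboard code is readable by every viewer, so the client here takes the token from its caller as a server-side relay would.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed token for the local stub only. A real HEC token is a credential:
# keep it on a server-side component, not in dashboard HTML every viewer can read.
STUB_TOKEN = "00000000-0000-0000-0000-000000000000"


class StubHEC(BaseHTTPRequestHandler):
    """Stand-in for /services/collector that checks the Authorization header
    the way the curl command in the post supplies it (reply bodies follow
    the documented HEC responses)."""

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        auth = self.headers.get("Authorization", "")
        if not auth.startswith("Splunk "):
            status, reply = 401, {"text": "Token is required", "code": 2}
        elif auth[len("Splunk "):] != STUB_TOKEN:
            status, reply = 403, {"text": "Invalid token", "code": 4}
        else:
            json.loads(body)  # the event envelope must be valid JSON
            status, reply = 200, {"text": "Success", "code": 0}
        payload = json.dumps(reply).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # silence request logging
        pass


def start_stub():
    """Serve the stub on an ephemeral localhost port in a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), StubHEC)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d/services/collector" % server.server_port


def post_status(url, token, name, location, status):
    """Send one status event as the curl command does; return the parsed
    HEC reply. token=None omits the header and reproduces the post's error."""
    event = {"sourcetype": "cURL",
             "event": "name=%s location=%s status=%s" % (name, location, status)}
    headers = {"Content-Type": "application/json"}
    if token is not None:
        headers["Authorization"] = "Splunk " + token
    req = urllib.request.Request(url, data=json.dumps(event).encode(),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return json.loads(err.read())


if __name__ == "__main__":
    hec = start_stub()
    print(post_status(hec, None, "JOHN", "WEST", "OUT"))        # Token is required
    print(post_status(hec, STUB_TOKEN, "JOHN", "WEST", "OUT"))  # Success
```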