About shenoyveer

shenoyveer

Hi @ITWhisperer , I am getting same events which has "slot" messages events: {"priority":6,"sequence":4704,"sec":695048,"usec":639227,"msg":"hv_netvsc 54243fd-13dc-6043-bddd-13dc6045bddd eth0: VF slot 1 added {"priority":6,"sequence":4698,"sec":695037,"usec":497286,"msg":"hv_netvsc 54243fd-13dc-6043-bddd-13dc6045bddd eth0: VF slot 1 removed query used : index="index1" | search "slot" | rex field=msg "(?<action>added|removed)"| eval added_time=if(action="added",strftime(_time, "%H:%M:%S"),null())| eval removed_time=if(action="removed",strftime(_time, "%H:%M:%S"),null())| sort 0 _time| streamstats max(added_time) as added_time latest(removed_time) as removed_time by host, slot| eval added_epoch=strptime(added_time, "%H:%M:%S")| eval removed_epoch=strptime(removed_time, "%H:%M:%S")| eval downtime=if(isnotnull(added_epoch) AND isnotnull(removed_epoch), removed_epoch - added_epoch, 0) here I tried converting time to hour:min:sec and later into epoch to get the difference in seconds but its not working and downtime is always showing 0

shenoyveer

I have tried this in following way index="index1" | search "slot" | rex field=msg "(?<action>added|removed)" | eval added_time=if(action="added",strftime(_time, "%H:%M:%S"),null()) | eval removed_time=if(action="removed",strftime(_time, "%H:%M:%S"),null()) | sort 0 _time | streamstats max(added_time) as added_time latest(removed_time) as removed_time by host slot | eval downtime=if(isnotnull(added_time) AND isnotnull(removed_time), strptime(removed_time, "%H:%M:%S") - strptime(added_time, "%H:%M:%S"), 0) but the issue is, downtime is not getting calculated and its printing 0 always. need help in fixing this.

shenoyveer

Thanks @ITWhisperer for the reply. the downtime field is not getting populated only. I tried converting it to epoch time and still same. can you please look into it once?

shenoyveer

when running index="index1" | search "slot" its giving below events. which has time, hostname as well. events: {"priority":6,"sequence":4704,"sec":695048,"usec":639227,"msg":"hv_netvsc 54243fd-13dc-6043-bddd-13dc6045bddd eth0: VF slot 1 added\n SUBSYSTEM=vmbus\n DEVICE=+vmbus:54243fd-13dc-6045-bddd-13dc6045bdda"} {"priority":6,"sequence":4698,"sec":695037,"usec":497286,"msg":"hv_netvsc 54243fd-13dc-6043-bddd-13dc6045bddd eth0: VF slot 1 removed\n SUBSYSTEM=vmbus\n DEVICE=+vmbus:54243fd-13dc-6045-bddd-13dc6045bdda"} my requirement is I need a difference of time between message removed and added for the particular day. i.e It should not add previous events.

shenoyveer

I am not getting it. you want me to share dashboard output?

shenoyveer

with the current query it is calculating the downtime between the slot removed and added but the real problem is, its calculating previous downtime and adding the time and making it as single event. my point is, I need the seperate events for every downtime in servers so looking for dashboard which should show hostname, date, slot and the downtime

shenoyveer

shenoyveer

Hi @ITWhisperer , Thanks for the reply . Let me explain you my exact requirement. Here I am trying to create a dashboard of visualizing and calculating downtime in VMs I manage. I am trying to calculate based on log messages that are sending to splunk from servers. Logs will have messages like <timestamp> <nic-card-id> slot 1 removed <timestamp> <nic-card-id> slot 3 added I am calculating difference between 2 timestamps as a downtime and visualizing it. Output dashboard I am expecting Hostname, date , slot and the difference in time(downtime) Current query is calculating the difference, but its adding previous downtime as well. my query is, I want it to show the downtime in host on 2 different dates instead of adding it. Can you please help me with tihs?

shenoyveer

Hi @ITWhisperer , I found your answer really helpful other day. now I am facing one small issue in it. The query is adding the time(number of seconds) of previous occurrences in dashboard. my requirement is, query should show the host name with date and number of seconds of downtime on that particular date. current query is: index="index1" |search "slot" | rex field=msg "VF\s+slot\s+(?<slot_number>\d+)" | dedup msg | sort _time,host | stats range(_time) as downtime by host,slot_number here basically I am calculating network card slot downtime which occured in servers with number of seconds can you please help me with modifying the query?

shenoyveer

Thanks Kiran 🙂

shenoyveer

is there any alternative to timechart? I want to have particular date in x axis

shenoyveer

Tried with another query too index="testing" | eval date=strftime(_time, "%Y-%m-%d") | stats count by date, host but still its not showing hostname in dashboard

shenoyveer

Hi Kiran, Thanks for the prompt reply. Its not working for me and after removing eval no data popping up. my goad is to get the hostname while hovering the host_count variable from query

shenoyveer

Hi Everyone, I am trying to create one dashboard out of search query but I am getting stuck where I am unable to the host details in the dashboard. query is - index="vm-details" | eval date=strftime(_time, "%Y-%m-%d") | stats dc(host) as host_count, values(host) as hosts by date | sort date I am getting host_count and date in dashboard but my requirement is I need hostname should come while hovering host_count I tried using values(host) directly but that didnt work. can someone help? CC: @ITWhisperer Thanks, Veeresh Shenoy S

shenoyveer · ‎12-11-2024

Hi @ITWhisperer , I need small tweak in same query. I am trying to filter the same data but it should give only data which shouldn't have "hv_vmbus" pattern in same day

shenoyveer · ‎11-04-2024

Thank you @ITWhisperer for quick solution. Its working for me and doing some more tweaks in it.

shenoyveer · ‎11-03-2024

Hi All, I have a requirement where I need to filter the virtual machine outage occurrence from the kernel logs. I have sent kernel logs to splunk based on some pattern. Now I have a issue for filtering those values in splunk. Here the requirement is, I need to filter the data only if one "string" has appeared in logs on same day. example: I have following logs in splunk date1: hv_vmbus: registering driver hv_netvsc date1:hv_netvsc 000d3 eth0: VF dot 1 added date1:hv_netvsc 000d3 eth0: VF dot 2 added date1:hv_netvsc 000d3 eth0: VF dot 2 removed date1:hv_netvsc 000d3 eth0: VF dot 1 removed date2:hv_netvsc 000d3 eth0: VF dot 1 added date2:hv_netvsc 000d3 eth0: VF dot 2 added date2:hv_netvsc 000d3 eth0: VF dot 2 removed date2:hv_netvsc 000d3 eth0: VF dot 1 removed I need to fetch the data for "dot" only if "hv_vmbus" pattern occured on same date. here I need only data in date1 I tried following query but it isn't working for me. "index="index0" | search "dot" | rex field=msg "VF\s+dot\s+(?<dot_number>\d+)" | dedup msg | sort _time,host | stats range(_time) as n1 by host,dum_number" Requesting help for achieving this requirement. Thanks, Veeresh Shenoy

shenoyveer · ‎09-16-2024

I got the query that we need to use dedup thanks anyway.

shenoyveer · ‎09-16-2024

This query worked but I have found one issue that its taking duplicate values in dashboard if we run it again is there any way that we can avoid old value if we run multiple times in lesser time?

shenoyveer · ‎09-13-2024

Thank you soo much @ITWhisperer this worked for me 🙂

shenoyveer · ‎09-12-2024

Hi Team, I am sending json data to Splunk server and I want to create a dashboard out of it. My data is in the below format and I need help in creating the dashboard out of it. example: {"value": ["new-repo-1: 2: yes: 17", "new-repo-2: 30:no:10", "new-one-3:15:yes:0", "old-repo: 10:yes:23", "my-repo: 10:no:15"]} and many more similar entries. my dashboard should look like, repos count active count new-repo 2 yes 17 new-repo-2 30 no 10 new-one-3 15 yes 0 old-repo 10 yes 23 my-repo 10 no 15 I am able to write the rex for single field using extract pairdelim="\"{,}" kvdelim=":" but not able to do it for complete dashboard. can someone help? Thanks, Veeresh Shenoy

Posts	21
Solutions	1
Karma Given	5
Karma Received	0
Member Since	‎09-12-2024

Online Status	Offline
Date Last Visited	a week ago

Unable to visualize the dashboard as per the requi...

Filtering logs for a string only based on date

Creating dashboard with 4 columns

Re: Filtering logs for a string only based on date

Re: Filtering logs for a string only based on date

Re: Filtering logs for a string only based on date

Re: Filtering logs for a string only based on date

Re: Filtering logs for a string only based on date

Re: Filtering logs for a string only based on date

Re: Filtering logs for a string only based on date

Re: Filtering logs for a string only based on date

Re: Filtering logs for a string only based on date

Re: Unable to visualize the dashboard as per the r...

Re: Unable to visualize the dashboard as per the r...

Re: Unable to visualize the dashboard as per the r...

Re: Unable to visualize the dashboard as per the r...

Unable to visualize the dashboard as per the requi...

Re: Filtering logs for a string only based on date

Re: Filtering logs for a string only based on date

Filtering logs for a string only based on date

Re: Creating dashboard with 4 columns

Re: Creating dashboard with 4 columns

Re: Creating dashboard with 4 columns

Creating dashboard with 4 columns