In Splunk, I am looking for logs that say "started with profile: " and retrieve the profile name from found events. Then I want to use the profile name to look for other events (from a different source) and if one error or more are found, I would like to let it count as one found error, per platform.

To make things more clear I have the following search query (query one):

index="myIndex" "started with profile" BD_L*
| eval Platform=case(searchmatch("LINUX"),"LINUX", searchmatch("AIX"),"AIX", searchmatch("DB2"),"DB2", searchmatch("SQL"),"SQL", searchmatch("WEBSPHERE"),"WEBSPHERE", searchmatch("SYBASE"),"SYBASE", searchmatch("WINDOWS"),"WINDOWS", true(),"ZLINUX")

The events found from the above query contain the following (raw):

Discovery run, 2021101306351355 started with profile BD_L2_Windows

The above query will return a list of events containing the raw data above and will result in the following table. This is a table with the amount of Discovery runs per platform:

Platform | Amount

Using the following piece of code I can extract RUNID from the events:

| rex "Discovery run, (?<RUNID>.+) started with profile"

RUNID is what I need to use in a second search when looking for errors. Using RUNID I can look for errors (query two):

index="myIndex" source="/*/RUNID/*" CASE("ERROR") CTJT*

Now, I am looking for a way to combine the above two queries into one and count the amount of platforms that have at least one error. So let's say we have the following simulation: Windows run has 0 errors (none found in query 2). This should result in the following results:

Platform | Amount

I need to find some way to return true or maybe one from query 2 and use that in query 1 to group the results, but I am unable to due to lack of experience. I have not yet found anything similar to my question and hope anyone here can help me out.

So far I can think of the following, but this still shows me the same results as in the table shown above (counts of discovery runs per platform instead of counts of platforms that have at least one error):

index="myIndex" "started with profile" BD_L*

I have tried the latest answer and got the following result:

Query 1: 22:01:10,065 ProcessFlowManager INFO processflowmgr.ProcessFlowManagerImpl - Discovery run, 2021102522011000 started with profile BD_L2_Windows
[ search index="myIndex" source="/*/RUNID/*" CASE("ERROR") CTJT*

Whereas I am expecting a list of Platforms and the amount of errors that are related to the platform.