Hi All,

How can fschange be configured to send the full event only on a user/group or hash change, and not on a modtime change of the file?
As an example:
[fschange:/etc/config.cfg]
fullEvent=true
sendEventMaxSize=-1
Now every time the file is touched, even without a change, the complete content of the file is indexed.
In other words, how do I configure the [fschange] stanza not to send ‘fullEvent’ when only the modtime changes?

Thank you.
BR,
Stefan

Replies to This Discussion

Stefan..

What is happening to the file? Is someone opening the file and saving it, so the modtime's getting updated? Or is someone just reading the file?

Also.. which OS is it on?
Hi Michael,

Thanks for the response. The file is just being touched, i.e. opened and saved without being changed.
The hash in Splunk doesn't change, however the complete file is indexed. When the file is really changed, the hash changes and the file is indexed again.
My objective is to have the files indexed only when there is a change in the content (hash).
The OS is AIX.

Regards,
Stefan
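
Stefan's situation as an added example, not code from this thread or from Splunk: a small gate that keeps a notification only when the file's content hash differs from the last one seen for that path, so a touch that changes only the modtime is not indexed in full. The event field names and the sample events are constructed assumptions, not the exact fschange schema.

```python
import hashlib

# Constructed sample: three notifications for /etc/config.cfg as an fschange
# monitor with fullEvent=true would raise them. Field names are assumptions.
# Event 2 is a "touch" (new modtime, same content); event 3 is a real edit.
SAMPLE_EVENTS = [
    {"path": "/etc/config.cfg", "modtime": 1337000000,
     "content": "timeout=30\nmode=strict\n"},
    {"path": "/etc/config.cfg", "modtime": 1337000600,
     "content": "timeout=30\nmode=strict\n"},
    {"path": "/etc/config.cfg", "modtime": 1337001200,
     "content": "timeout=60\nmode=strict\n"},
]


def content_hash(content):
    """Hash of the file content; this is what a real change must alter."""
    return hashlib.sha256(content.encode()).hexdigest()


def gate_on_content(events):
    """Split events into (kept, suppressed).

    An event is kept when its content hash differs from the last hash seen
    for the same path (first sight or real edit). An event whose hash equals
    the last one is a modtime-only touch and is suppressed with a reason.
    """
    last_hash = {}
    kept, suppressed = [], []
    for ev in events:
        h = content_hash(ev["content"])
        if last_hash.get(ev["path"]) == h:
            suppressed.append({"path": ev["path"], "modtime": ev["modtime"],
                               "reason": "modtime-only"})
        else:
            last_hash[ev["path"]] = h
            kept.append(dict(ev, hash=h))
    return kept, suppressed


if __name__ == "__main__":
    kept, suppressed = gate_on_content(SAMPLE_EVENTS)
    print(f"indexed: {len(kept)}, suppressed touches: {len(suppressed)}")
```

Running it on the sample keeps the first sighting and the real edit and suppresses the touch in between, which is the behaviour the question asks for.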

© 2012   Created by Michael Wilde.