"How are these transactions linked together... by a field called "ID"? If so.. just build them with the field ID, and then use one of the MV commands to extract a field with success or failure in it. Paste some samples and…"
The dojo of Splunk. Learn, share, teach, mentor.
Videos
Latest Activity
Nikita posted a discussionCount failures and success via transaction
Hi,I'm a new in Splunk so sorry for the stupid questions.I want to calculate failures in logs.For example we have request log and response log."request" OR ("fail" OR "response") |transaction startsWith=("request") endsWith=("fail" OR "response") maxpause=5s keepevicted=false maxspan=25s id |eval Failure=if(searchmatch("fail"),1,0)| eval Success=if(searchmatch("response"),1,0) | stats count(Failure) as FailureCount, count(Success) as SuccessCount | table FailureCount SuccessCountThat query…See More
How do I recognize a time in epoch seconds?
Total newbie here.
I have a data file (a few lines here):
1280718483,204.28.227.23:53;5;5.49;13;2183;2183;0;0;0-2103;2-0;3-48;5-32;15-0;*-0;2183;0;0;0;0
1280718543,204.28.227.23:53;5;5.75;6;16;16;0;0;0-16;2-0;3-0;5-0;15-0;*-0;16;0;0;0;0
1280804716,204.28.227.23:53;4;6.74;77;2412;2412;0;0;0-2332;2-0;3-48;5-32;15-0;*-0;2410;2;0;0;0
1280804776,204.28.227.23:53;5;5.57;14;2391;2391;0;0;0-2343;2-0;3-0;5-48;15-0;*-0;2391;0;0;0;0
The actual file has 500+ lines (events?) going back several months.
The first number in each line (e.g.128071848) is the date in seconds since the epoch.
How can I get splunk (using 4.1.5) to recognize this as the date?
The file is called "tns-stats-0.log.0" located in /home/lis/log/lis and I have the following in etc/system/local/props.conf.
[source::.../lis/tns-stats-0.log.0]
TIME_FORMAT=%s
which is supposed to, from what I can gather, treat the format as seconds since epoch.
Yet, splunk insists on assigning all of the events the time associated with the file itself.
Someone please tell me what I'm missing here so I can get this to work.
Views: 41
Replies to This Discussion
-
Permalink Reply by Bill Selig on -
With help from discussion on "splunk answers" and LOST of trial/error it appears that you to have to use sourcetype and not just [source::] in etc/system/local/props.conf:
[tns-stats]
TIME_FORMAT=%s
AND, then you have to define the sourcetype in /etc/apps/search/inputs.conf:
[monitor:///home/lis/log/lis/tns-stats-0.log.0]
sourcetype = tns-stats
which seems a bit odd to me since I thought the global spec would be seen before the app level spec, but then what do I know. However, I think it would be very informative to KNOW why this was necessary and why just modifying the system/local/props.conf didn't work. Perhaps someone with deeper knowledge could shed some light on that.
Anyway, this now works.
© 2012 Created by Michael Wilde.
