Videos

  • Add Videos
  • View All

Top Content 

1 Count failures and success via transaction

Count failures and success via transaction

Latest Activity

Michael Wilde replied to Nikita's discussion Count failures and success via transaction
"How are these transactions linked together... by a field called "ID"?  If so.. just build them with the field ID, and then use one of the MV commands to extract a field with success or failure in it.   Paste some samples and…"
18 hours ago
Linus Myrefelt updated their profile
Tuesday
Marie updated their profile
Monday
Marie is now a member of splunkninja
Monday
Welcome Them!
Profile IconJitter and matthew arguin joined splunkninja
May 18
Profile IconMatthew Carter and Nikita joined splunkninja
May 17
Nikita posted a discussion

Count failures and success via transaction

Hi,I'm a new in Splunk so sorry for the stupid questions.I want to calculate failures in logs.For example we have request log and response log."request" OR ("fail" OR "response") |transaction startsWith=("request") endsWith=("fail" OR "response") maxpause=5s keepevicted=false maxspan=25s id |eval Failure=if(searchmatch("fail"),1,0)| eval Success=if(searchmatch("response"),1,0) | stats count(Failure) as FailureCount, count(Success) as SuccessCount | table FailureCount SuccessCountThat query…See More
May 17
1 Comment
Andrea Judy is now a member of splunkninja
May 16
Welcome Them!

How to Configure timestamps for events with multiple timestamps

I followed the directions for configuring custom timestamps for events with multiple timestamps but I am not getting the result I am looking for. Here is my props.conf in my $Splunk_home$/etc/system/local/ folder:

 

[host::foo.bar.com]
TIME_PREFIX = \w+ \d+ \d\d:\d\d:\d\d foo.bar.com\s+
TIME_FORMAT = %b %d %H:%M:%S %Y

 

Here are a couple of entries that I am dealing with:

 

Jun 14 08:18:20 foo.bar.com Mon Jun 14 08:16:25 2010: 123.123.123.12 -> 231.231.231.23: 43645 NOERR 'a.b.cdf.net.' AAAA IN (x#1)

 

Jun 14 08:18:20 foo.bar.com Mon Jun 14 08:16:25 2010: 124.124.124.12 -> 232.232.2.232: 14267 NOERR 'b.somestuff.net.' A IN (a#1) (n#4) (x#4) ANS abc.somestuff.net. A IN 213.12.213.123

 

I would like the timestamp to correspond to the time given after foo.bar.com but the timestamp is shown as the time at the beginning of each entry before foo.bar.com.

 

Any help would be appreciated.

Tags: configure, timestamps

Views: 48

Reply to This

Replies to This Discussion

Permalink Reply by Hagar on June 18, 2010 at 11:15am
Try without the TIME_FORMAT
leave only the TIME_PREFIX, my guess is that splunk will identified the format itself.
Permalink Reply by Michael Wilde on June 21, 2010 at 2:16pm
I'd go with Hagar's recommendataion. That time format is pretty easy to recognize, but your prefix should work fine.

RSS

© 2012   Created by Michael Wilde.

Badges  |  Report an Issue  |  Terms of Service