"How are these transactions linked together... by a field called "ID"? If so.. just build them with the field ID, and then use one of the MV commands to extract a field with success or failure in it. Paste some samples and…"
The dojo of Splunk. Learn, share, teach, mentor.
Videos
Latest Activity
Nikita posted a discussionCount failures and success via transaction
Hi,I'm a new in Splunk so sorry for the stupid questions.I want to calculate failures in logs.For example we have request log and response log."request" OR ("fail" OR "response") |transaction startsWith=("request") endsWith=("fail" OR "response") maxpause=5s keepevicted=false maxspan=25s id |eval Failure=if(searchmatch("fail"),1,0)| eval Success=if(searchmatch("response"),1,0) | stats count(Failure) as FailureCount, count(Success) as SuccessCount | table FailureCount SuccessCountThat query…See More
Need help with scripted input for remote network device
I want to index result of command on remote network device. I understand that App "splunk for unix" can index result of statistics command such as "top", "ps" ,"vmstat". This App is useful when I index result of the command on the localhost, not remote server. My current target network device can not be installed as splunk forwarder either, so I am looking for the method to achieve my purpose.
I developed a script which log in the remote network device and execute a certain command. When I use this as scripted input on splunk indexer, splunk index all the operation including login process although I just want to index the result of specified command.
I would appreciate if anybody share with me solution for this.
I developed a script which log in the remote network device and execute a certain command. When I use this as scripted input on splunk indexer, splunk index all the operation including login process although I just want to index the result of specified command.
I would appreciate if anybody share with me solution for this.
Views: 66
Replies to This Discussion
-
Permalink Reply by Michael Wilde on -
Takamasa...
Can you give me a sample of the whole output that splunk is indexing... if you have control over the output, there are some "header commands" you can insert into the script to control how indexing happens...
More details, more answers!
-
Permalink Reply by Takamasa Sasaki on -
Thank you for prompt reply. Please let me explain what I am doing. There are three steps to index result of a command on the remote network device.
1. Splunk execute following shell script every 300 seconds as scripted input.
#!/bin/bash
#
/usr/bin/expect $SPLUNK_HOME/etc/apps/search/bin/sample-expect 172.16.xx.xx yyyy zzzz
2. Then, the expect script "sample-expect" is executed.
Please note that I am using "expect" in order to log in remote network device and execute specified command on the device. In the expect shell, I am using "puts $expect_out(buffer)" in order to output the result of specified command and index them by splunk.
3. Following is the whole output that splunk indexed.
I do not need first two lines and last line that is command prompt. What I want to do is to avoid indexing these lines.
##################################################################
show arp table
Ethernet-switching table: 514 entries, 500 learned
VLAN MAC address Type Age Interfaces
ADMIN * Flood - All-members
ADMIN 00:17:cb:8b:20:xx Learn 1:55 ae0.0
ADMIN b0:c6:9a:6c:2d:xx Learn 2:37 ae0.0
ADMIN b0:c6:9a:6c:76:xx Static - Router
ADMIN b0:c6:9a:6c:78:xx Learn 3:05 ae0.0
ADMIN b0:c6:9a:6c:83:xx Learn 0 ae0.0
ADMIN b0:c6:9a:6c:83:xx Learn 0 ae0.0
BRIDGE * Flood - All-members
BRIDGE 00:17:c5:14:b9:xx Learn 0 ae0.0
user1@xxxxyy-1>
##################################################################
I would appreciate if you give me advice to achieve my purpose.
-
Permalink Reply by Takamasa Sasaki on
-
Please let me know if I need to explain more details. Thank you for your assistance.
© 2012 Created by Michael Wilde.
