Videos

  • Add Videos
  • View All

Top Content 

1 Count failures and success via transaction

Count failures and success via transaction

Latest Activity

Michael Wilde replied to Nikita's discussion Count failures and success via transaction
"How are these transactions linked together... by a field called "ID"?  If so.. just build them with the field ID, and then use one of the MV commands to extract a field with success or failure in it.   Paste some samples and…"
17 hours ago
Linus Myrefelt updated their profile
Tuesday
Marie updated their profile
Monday
Marie is now a member of splunkninja
Monday
Welcome Them!
Profile IconJitter and matthew arguin joined splunkninja
May 18
Profile IconMatthew Carter and Nikita joined splunkninja
May 17
Nikita posted a discussion

Count failures and success via transaction

Hi,I'm a new in Splunk so sorry for the stupid questions.I want to calculate failures in logs.For example we have request log and response log."request" OR ("fail" OR "response") |transaction startsWith=("request") endsWith=("fail" OR "response") maxpause=5s keepevicted=false maxspan=25s id |eval Failure=if(searchmatch("fail"),1,0)| eval Success=if(searchmatch("response"),1,0) | stats count(Failure) as FailureCount, count(Success) as SuccessCount | table FailureCount SuccessCountThat query…See More
May 17
1 Comment
Andrea Judy is now a member of splunkninja
May 16
Welcome Them!

Splunk equivalent of the *nix 'cut -d' ' -f1-5

Hello,

I just started playing with splunk. I looked thru the docs and unable to find any commands that allow me to do the *nix equivalent of 'cut -d' ' -f1,5'
Any comments appreciated
Thanks
Harish

Views: 47

Reply to This

Replies to This Discussion

Permalink Reply by Michael Wilde on November 12, 2009 at 8:59pm
Harish..

Are you attempting to do field extraction---a well written regex should be able to reproduce what you want... Got a sample? Post it and we'll see if we can figure it out.
Permalink Reply by harish on November 13, 2009 at 3:41am
Micheal

I search for "SiteWS" and get the below event

"Timestamp: 11/12/2009 2:09:41 PM Title: (SiteWS) Message: [@SiteIdService getWebServiceResult()] [SessionID: 5wrjjxk0osv33k] [TheNewCustomer: CustomerId=51234567888&OrderId=bf8130a6-d916-4fd4-b2d2-c48624&AccountFlag=True&UserName=test] [Ticks: 128201781] [Took: 0 milliseconds] Called Write() on the request stream to [SiteUrl: http://test.com/v2/services/calculate]"

Now, I need to get the "Took: 0 milliseconds" and the "http://test.com/v2/services/calculate"
Thanks
Harish
Permalink Reply by Michael Wilde on November 13, 2009 at 8:45am
You may want to give the "Extract Fields" option on the event menu (right next to each event's timestamp. It will build a regex for you and persist it--so its always extracted...

However, if you're event structure is basically the same for every event. This should work (at search time). Let me know and i will show you how to persist it

SiteUrl | rex "\[\S+(?[^\]]*)\] \[\S+(?[^\]]*)\] \[\S+(?[^\]]*)\] \[\S+(?[^\]]*)\] \[\S+(?[^\]]*)\s\w+\][^\[]*\[\S+(?[^\]]*)\]"

In a nutshell, rex is a search command that lets you temporarily extract fields at search time using regex -- but if you're not a regex ninja, use that Field Extract thing i mentioned.

And watch my video on "All My Regexs Live in Texas". It may be helpful.

RSS

© 2012   Created by Michael Wilde.

Badges  |  Report an Issue  |  Terms of Service