1/23/2024

In splunk query

In short, Splunk is a search engine for machine data. You ingress all machine data to Splunk indexer, and then you can search the data, and do more things like.

Common Search Commands: SPL Syntax. Begin by specifying the data using the parameter index, the equal sign, and the data index of your choice: `index=index_of_choice`. Complex queries involve the pipe character, which feeds the output of the previous query into the next.

SPL2 supports both block comments and line comments. You can add comments to your SPL2 search string to explain a portion of a search, or to use as a troubleshooting technique.

Field-value pair matching: this example shows field-value pair matching for specific values of source IP (src) and destination IP (dst). Using boolean and comparison operators: this example shows field-value pair matching with boolean and comparison operators.

That calls for the dedup command, which removes duplicates from the search results. First, however, we need to extract the user name into a field. Always specify an index:

```spl
index=foo host=node-1 AND "userCache:" | rex "userCache:\s(\w+)" | dedup user
```

So using the below query:

```spl
index=x host=prod* sourcetype=y | timechart span=1m count(Req) as Requests, sum(Resp_Time_MS) as "Total Response Time", max(Resp_Time_MS) as "Maximum Response Time", p95(Resp_Time_MS) as "95%ile of Response Time"
```

I am trying to fetch top 10 max Requests count of events with their corresponding response time. So the result is:

| _time | Requests | Total Response Time | Maximum Response Time | 95%ile of Response Time |
| --- | --- | --- | --- | --- |
| 07:10:00 | 71653 | 19141836 | 786602 | 560 |

The above query is giving me the top 10 highest Requests in common among all hosts. But I want top 10 highest values of Requests for each host (such as ProdA, ProdB, ProdC and ProdD). I have tried to group the results with the help of the 'by' clause as "by host" but it is not giving the correct results.

I want to perform a search where I need to use a static search string + input from a csv file with usernames. Search query:

```spl
index=someindex host=hostp "STATICSEARCHSTRING" <value from users.csv>
```

where the list is like this (please note that User/UserList is NOT a field in my Splunk):

UserList
User1
User2
User3