Splunk

Timestamps

epoch to human

eval human_time=strftime(epoch_time, ,"%m/%d/%y %H:%M:%S") | table _time, human_time

human to epoch

rex  "timeStamp=(?<human_time>\d{4}-\d{2}-\d{2}.\d{2}:\d{2}:\d{2}\.\d{3})"
| eval epochTime=strptime(human_time, "%Y-%m-%d %H:%M:%S.%3Q")*1000
| table epochTime

multi value rex

| rex max_match=3 "amount:(?<amount>[\d\.]+),"
| eval IN = mvindex(amount, 0)
| eval OUT = mvindex(amount, 1)
| eval BALANCE = mvindex(amount, 2)

reading from a previous row

HealthMonitor 
| rex field=log "heap.memory.used\/total=(?<heapPerc>[\d.]+)%"
| rex field=log "thread.count=(?<threadCount>[\d]+),"
| rex field=log "minor.gc.count=(?<minorGcCount>[\d]+)," 
| rex field=log "minor.gc.time=(?<minorGcTime>[\d]+)ms,"
| rex field=log "major.gc.count=(?<majorGcCount>[\d]+),"
| rex field=log "major.gc.time=(?<majorGcTime>[\d]+)ms,"
| stats avg(majorGcTime) as time by _time
| streamstats current=f window=1 last(time) as prev
| eval diff= (time-prev)/1000
| table _time diff

append cols

This example allows an stack-area graph of request by website with a chart overlay of the response time 90% for all websites.

| <search term>
| timechart count(requests) as "Number of requests" by website
| appendcols [ search  <search term> 
  | stats avg(requests) as "90% time" by _time ]

show multiple status code by website

| timechart count(eval(statusCode="OK")) as "OK"  count(eval(statusCode!="OK"))  as "NOT OK" by website

How to list all the indexes ?

| eventcount summarize=false index=* | dedup index | fields index

PreviousSha values NextSpring boot

Last updated 5 years ago