In this section you will learn how to correlate events by using subsearches. A subsearch is a search that is used to narrow down the set of events that you search on. Subsearches are enclosed in square brackets within a main search and are evaluated first. The result of the subsearch is then used as an argument to the primary, or outer, search. So how do we do a subsearch? In your Splunk search, you just have to add. search errorcode table transactionid AND exception table timestamp, transactionid, exception. search transactionid'1' So in our example, the search that we need is.

To reanimate the results of a previously run search, use the loadjob command. The savedsearch command always runs a new search. The savedsearch command is a generating command and must start with a leading pipe character.

What I want from Splunk is a transaction only for failure logs. Below is an explanation of what I am trying to do and sample data. Running transaction on the whole set was taking a very long time, hence I wanted to reduce the set of jobs (by using a sub query) and then execute transaction on it. In this I was unable to switch the queries. To facilitate this I am using a subsearch that returns only the ids where failures have happened and then transaction is applied on those ids (here ids are already an extracted field).

index=ndxA sourcetype=srctypA | transaction id startswith="Session log started" endswith="Session log end" | table id _raw

Thanks a lot for taking time out for this.

When you have already learned how to make search requests in the Splunk GUI, it may be nice to figure out how to do the same from your own scripts using the Splunk REST API. First of all we need to get the ID of our search request (make. It's really easy search'search index'indexnessus' host'192.168.56.50''. The example URL below applies a simple filter that searches for. This article shows how to use the API Server to request JSON-formatted Splunk data in Node. Templates: Query-Matches-Number, App-Monitoring-Splunk-Query-Api, Check number of results for a query. Splunk API Base URL: the base URL you acquired from the Splunk site. Link URL (optional): the link URL that links to the Splunk web interface, when available.

Then, perform the configuration and navigate to Manager, then Data Inputs, then REST. After that, click on the 'NEW' button to create a new REST input and fill up the fields that are noticed. In the Name field, enter a name for the token. (Optional) In the Description field, enter a description for the input. (Optional) In the Source name override field, enter a source name for events that this input generates. After performing the entire process, search for the data which are in RESTful responses that are. Then go to $SPLUNK_HOME/etc/apps and restart Splunk.