Is there a splunk query to sum all the column values based on same row field? - splunk

I have an existing Splunk table as:

JobAction  Status   TimeTaken(ms)  Records  Host
Delete     SUCCESS  100            50       Host1
Delete     SUCCESS  120            200      Host1
Insert     SUCCESS  500            30       Host1
Insert     SUCCESS  120            25       Host1
I want to get the total time and total records per JobAction, as follows:

JobAction  Status   Totaltime(ms)  TotalRecords  Host
Delete     SUCCESS  220            250           Host1
Insert     SUCCESS  620            55            Host1
I tried doing
|stats sum(Records) as TotalRecords by host,JobAction,Status
and was able to get the total records, but when I do the same for TimeTaken it comes back empty.
Any suggestions on how to get both total time and total records based on JobAction?

Are you saying you tried |stats sum("TimeTaken(ms)") as "Totaltime(ms)", sum(Records) as TotalRecords by host,JobAction,Status? Both calculations have to be done in the same stats command or you'll get empty results in the second stats call. That's because stats is a transforming command that removes any fields it doesn't use or create, so any subsequent stats call won't have the same fields to work with.
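The behaviour the answer describes (a transforming command keeps only its by-fields and its own outputs) is easy to see with a small model. The following is an added example, not code from the question or the answer: a toy Python `stats_sum` that mimics `| stats sum(...) by ...` over rows constructed from the question's table. `one_stats_call` does both sums in one call; `chained_stats_calls` does them in two calls, the way the question did, and shows why the second call never produces `Totaltime(ms)`. The same per-host aggregation pattern is what you rely on when a detection search totals events or bytes per host, so it is worth knowing where chained stats calls silently lose data.

```python
from collections import defaultdict

# Rows constructed from the question's table (not real Splunk output).
EVENTS = [
    {"JobAction": "Delete", "Status": "SUCCESS", "TimeTaken(ms)": 100, "Records": 50, "Host": "Host1"},
    {"JobAction": "Delete", "Status": "SUCCESS", "TimeTaken(ms)": 120, "Records": 200, "Host": "Host1"},
    {"JobAction": "Insert", "Status": "SUCCESS", "TimeTaken(ms)": 500, "Records": 30, "Host": "Host1"},
    {"JobAction": "Insert", "Status": "SUCCESS", "TimeTaken(ms)": 120, "Records": 25, "Host": "Host1"},
]

# Splunk field names are case-sensitive, so the by-clause uses the exact
# column names from the table above.
BY = ["Host", "JobAction", "Status"]


def stats_sum(events, sums, by):
    """Toy model of `| stats sum(a) as x, sum(b) as y by ...` (hypothetical helper).

    `sums` maps an input field name to an output field name.  Like the real
    transforming command, the result keeps only the `by` fields and the
    aggregate outputs; every other field from the input is discarded.  An
    input field that no event carries produces no output column at all,
    which is the "empty" result the question describes.
    """
    groups = defaultdict(lambda: {out: None for out in sums.values()})
    order = []  # first-seen order of group keys, so results are deterministic
    for ev in events:
        key = tuple(ev.get(f) for f in by)
        if key not in groups:
            order.append(key)
        acc = groups[key]
        for src, out in sums.items():
            if src in ev:
                acc[out] = (acc[out] or 0) + ev[src]
    rows = []
    for key in order:
        row = dict(zip(by, key))
        # Only aggregates that actually saw a value become output fields.
        row.update({out: v for out, v in groups[key].items() if v is not None})
        rows.append(row)
    return rows


def one_stats_call():
    """Both sums in the same stats call: both totals survive."""
    return stats_sum(EVENTS, {"TimeTaken(ms)": "Totaltime(ms)", "Records": "TotalRecords"}, BY)


def chained_stats_calls():
    """Second stats call runs on the output of the first, which no longer
    carries TimeTaken(ms) (or Records), so Totaltime(ms) never appears and
    TotalRecords is dropped too."""
    first = stats_sum(EVENTS, {"Records": "TotalRecords"}, BY)
    return stats_sum(first, {"TimeTaken(ms)": "Totaltime(ms)"}, BY)


if __name__ == "__main__":
    for row in one_stats_call():
        print("single stats:", row)
    for row in chained_stats_calls():
        print("chained stats:", row)
```

Running it prints two complete rows for the single call (220/250 for Delete, 620/55 for Insert) and two rows with nothing but the by-fields for the chained version, which is exactly the empty column the question saw.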

Related

Splunk Query Recommendation

I have below log from my application:
BookData, {
id: 12312
}, appID : 'APP1', Relation_ID : asdas-12312
host = aws#asd. sourcetype=service_name
The entire log above is in the form of a single String. I want to create a table with the no. of times an appID has hit the service. i.e. I want to count the no. of events and group them by appID.
Basically, something like:
appID Count
APP1 23
APP2 25
APP3 100
I tried the query below, but it is not working; it returns 0 records found.
index=my_index sourcetype=service_name * | table appID Count | addColTotals labelfield=appID label="appID" count
As per my understanding, the above query is not working because appID is not a label, but in that case, how do I go about forming the query to get my desired result?
The query doesn't work in part because there is no Count field for the table command to display and no count field for the addcoltotals command to add to the results. To get a count you must tell Splunk to count fields by using the stats, eventstats, streamstats, or timechart command.
Try this:
index=my_index sourcetype=service_name
| stats count as Count by appID

I get wrong data with WebI report filter

I created a WebI report result in a crosstab table.
When I try to get only the customers who made transactions of more than 50 in total, like customer 222, all the data less than 50 does not show up.
Example:
customer (222)
did two actions: 1- 3/25/2018 with amount 209 GB,
2- 3/29/2018 with amount 14 GB;
the sum of both is (223).
I need to get all customers who made more than 50 actions across all days. When I try that by adding a filter, the action on day 3/29/2018 is not shown and only the action on 3/25/2018 is what I get.

Splunk drilldown search

I am working on a Splunk dashboard. Below is the sample table and query:
index="myindex" message="ApiImpl" "succeed=true"
| rex field=message "execution_time=(?<response_time>.*)"
| table method response_time
| stats avg(response_time) AS "avg", min(response_time) AS "min", max(response_time) AS "max" by method

method  avg  max  min
create  34   99   22
update  31   189  21
delete  30   69   29

Now, on the result table, if I click on 189 in the update row, it should open the same search, in a new or the same window, along with method=update and response_time=189. Since this table is simple we can make it out, but my table is very big; when I click on a particular cell it should open with the selected filter.
The new search result should open like below, or it should open the log event directly for the update method which is taking the max response time of 189.

method  avg  max  min
update  31   189  21
Could you please help me to provide a way like a query or table options to get the new search?

Display related rows in same row in MSaccess

I have a set of related rows which I need to display in a single line. For example, the data I have is in different rows:

ID    RecordDate  ExpType   OrigBudget  ActualCost
1001  1-5-2017    Hardware  $ 5000
1001  2-6-2017    Hardware              $ 5200

The original budget is approved at an earlier time for the same record, but the actual cost often differs and is recorded at a later date. I want the output as:

ProjectID  YearofEntry  ExpenseType  OrgBudget  ActualCost
1001       2017         Hardware     $ 5000     $ 5200

I have tried a group query to aggregate it based on ExpenseType and ProjectId, but have not been successful in getting it into a single row so far.
If you always have just two rows for each ExpType (one with the original budget and one with the actual costs) you could simply use a GROUP BY:
SELECT ID AS ProjectID
      ,YEAR(RecordDate) AS YearofEntry
      ,ExpType AS ExpenseType
      ,MAX(OrigBudget) AS OrgBudget
      ,MAX(ActualCost) AS ActualCost
FROM yourtable
GROUP BY ID
        ,YEAR(RecordDate)
        ,ExpType
Try this:
SELECT ID,
       Year([RecordDate]) AS YEARofEntry,
       ExpType,
       Sum(OrigBudget) AS SumOfOrigBudget,
       Sum(ActualCost) AS SumOfActualCost
FROM yourtable
GROUP BY ID,
         Year([RecordDate]),
         ExpType;

T-SQL Merge when matched not working

I have a temp table containing email traffic data between domains as follows:
[EmailId|SendingDomainId|SendingDomainName|RecipientDomainId|RecipientDomainName]
[500|600|abc.com|700|pqr.com]
[501|601|def.com|701|stu.com]
[501|601|def.com|700|pqr.com]
[502|600|abc.com|700|pqr.com]
That is:
email id 500 was sent from abc.com to pqr.com (1 sender, 1 recipient)
email id 501 was sent from def.com to stu.com and pqr.com (1 sender, 2 recipients)
email id 502 was sent from abc.com to pqr.com (1 sender, 1 recipient)
I am trying to compile a report which contains totals of emails sent between domains, to produce the following:
[SendingDomainId|SendingDomainName|RecipientDomainId|RecipientDomainName|Total]
[600|abc.com|700|pqr.com|2]
[601|def.com|701|stu.com|1]
[601|def.com|700|pqr.com|1]
I am trying this MERGE statement, but the UPDATE part is not working: I end up with a final table containing the same rows as the source table.
MERGE #DomainsChord_TrafficData as T
USING #DomainsChord_DomainEmails AS S
ON (S.SendingDomainId = T.SendingDomainId AND
S.RecipientDomainId = T.RecipientDomainId)
WHEN MATCHED THEN UPDATE
SET T.TotalEmails = T.TotalEmails+1
WHEN NOT MATCHED BY TARGET THEN
INSERT (SendingDomainId, SendingDomainName, RecipientDomainId,
RecipientDomainName, TotalEmails)
VALUES (S.SendingDomainId, S.SendingDomainName,
S.RecipientDomainId, S.RecipientDomainName, 1);
Table #DomainsChord_TrafficData is an empty temp table before the merge. After the merge, it ends up with the same data as the source table (#DomainsChord_DomainEmails).
Is anyone able to spot what I am doing wrong?
Thanks in advance
If the table is empty beforehand, then there is no match for the update to execute; every row is NOT MATCHED and therefore the insert runs.
You don't need a MERGE in your case. You need a simple SELECT with a GROUP BY clause as follows:
SELECT SendingDomainId, SendingDomainName, RecipientDomainId, RecipientDomainName
, COUNT(*) AS Total
FROM #DomainsChord_DomainEmails
GROUP BY SendingDomainId, SendingDomainName, RecipientDomainId, RecipientDomainName;
OUTPUT
SendingDomainId SendingDomainName RecipientDomainId RecipientDomainName Total
--------------- ----------------- ----------------- ------------------- -----------
600 abc.com 700 pqr.com 2
601 def.com 700 pqr.com 1
601 def.com 701 stu.com 1
A MERGE statement merges data from a source into a target. If your target (#DomainsChord_TrafficData) is empty, all data from the source (#DomainsChord_DomainEmails) ends up in the target, as you described.
Reference: MSDN MERGE T-SQL
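To make the two points of the answer concrete, here is an added example that is not code from the question or the answer. It loads the four source rows from the question into an in-memory SQLite database (used here in place of SQL Server, so the `#` temp-table prefix is dropped and the table is named `DomainsChord_DomainEmails`) and runs the answer's GROUP BY query, with an ORDER BY added so the result is deterministic. A second function applies the increment-or-insert logic the MERGE was written to express, but one source row at a time as an UPDATE followed by an INSERT when nothing was updated; it reaches the same totals precisely because each row is compared against a target that already holds the rows before it, which is not how a single set-based statement against an empty target behaves.

```python
import sqlite3

# Source rows constructed from the question's #DomainsChord_DomainEmails table:
# (EmailId, SendingDomainId, SendingDomainName, RecipientDomainId, RecipientDomainName)
DOMAIN_EMAILS = [
    (500, 600, "abc.com", 700, "pqr.com"),
    (501, 601, "def.com", 701, "stu.com"),
    (501, 601, "def.com", 700, "pqr.com"),
    (502, 600, "abc.com", 700, "pqr.com"),
]


def open_db():
    """In-memory stand-in for the temp table (SQLite, not SQL Server)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE DomainsChord_DomainEmails ("
        "EmailId INTEGER, SendingDomainId INTEGER, SendingDomainName TEXT, "
        "RecipientDomainId INTEGER, RecipientDomainName TEXT)"
    )
    conn.executemany("INSERT INTO DomainsChord_DomainEmails VALUES (?, ?, ?, ?, ?)", DOMAIN_EMAILS)
    return conn


def totals_with_group_by():
    """The answer's set-based query: one GROUP BY over the source, no target table at all."""
    conn = open_db()
    try:
        return conn.execute(
            "SELECT SendingDomainId, SendingDomainName, RecipientDomainId, RecipientDomainName, "
            "       COUNT(*) AS Total "
            "FROM DomainsChord_DomainEmails "
            "GROUP BY SendingDomainId, SendingDomainName, RecipientDomainId, RecipientDomainName "
            "ORDER BY SendingDomainId, RecipientDomainId"
        ).fetchall()
    finally:
        conn.close()


def totals_with_row_by_row_increment():
    """The increment-or-insert logic the MERGE tried to express, applied per row.

    Each source row sees the target as left by the rows before it, so the
    fourth email (600 -> 700 again) finds an existing row and increments it.
    """
    conn = open_db()
    try:
        conn.execute(
            "CREATE TABLE DomainsChord_TrafficData ("
            "SendingDomainId INTEGER, SendingDomainName TEXT, "
            "RecipientDomainId INTEGER, RecipientDomainName TEXT, TotalEmails INTEGER)"
        )
        for _email_id, sid, sname, rid, rname in DOMAIN_EMAILS:
            cur = conn.execute(
                "UPDATE DomainsChord_TrafficData SET TotalEmails = TotalEmails + 1 "
                "WHERE SendingDomainId = ? AND RecipientDomainId = ?",
                (sid, rid),
            )
            if cur.rowcount == 0:  # nothing matched: the NOT MATCHED branch
                conn.execute(
                    "INSERT INTO DomainsChord_TrafficData VALUES (?, ?, ?, ?, 1)",
                    (sid, sname, rid, rname),
                )
        return conn.execute(
            "SELECT * FROM DomainsChord_TrafficData ORDER BY SendingDomainId, RecipientDomainId"
        ).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    for row in totals_with_group_by():
        print("GROUP BY:", row)
    for row in totals_with_row_by_row_increment():
        print("row-by-row:", row)
```

Both functions return the three rows from the question's desired output: abc.com to pqr.com with a total of 2, and def.com to each of pqr.com and stu.com with a total of 1. The GROUP BY version is the one to use; the loop is only there to show what the increment needs in order to work.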