When I search "SearchText1" then lets say there are 20 records.
When I search "SearchText2" then there are 10 results
Then I need to display a single value "2" in the dashboard
How do I formulate the Splunk query?
I tried below query where the numerator count is evaluated correctly but something is wrong with the denominator count related part:
index=something "searchText1"
| stats count as NumeratorCount
| eval numerator=NumeratorCount
| append [ | search index=something "searchText2"
| stats count as DenominatorCount
| eval denominator=DenominatorCount ]
| eval result=round(if(denominator=0,0,numerator/denominator), 2)
| table result
When you remove the table command, you'll see the numerator and denominator are in separate results. The means the eval command computing 'result' is dividing numerator by NULL and NULL by denominator.
The fix is to combine the two rows using appendcols as in this example.
index=_internal "service_health_monitor"
| stats count as NumeratorCount
| eval numerator=NumeratorCount
| appendcols [ | search index=_internal "service_health_metrics_monitor"
| stats count as DenominatorCount
| eval denominator=DenominatorCount ]
| eval result=round(if(denominator=0,0,numerator/denominator), 2)
| table result
Related
I have a table generated by chart that lists the results of a compliance scan
These results are typically Pass, Fail, and Error - but sometimes there is "Unknown" as a response
I want to show the percentage of each (Pass, Fail, Error, Unknown), so I do the following:
| fillnull value=0 Pass Fail Error Unknown
| eval _total=Pass+Fail+Error+Unknown
<calculate percentages for each field>
<append "%" to each value (Pass, Fail, Error, Unknown)>
What I want to do is eliminate a "totally" empty column, and only display it if it actually exists somewhere in the source data (not merely because of the fillnull command)
Is this possible?
I was thinking something like this, but cannot figure out the second step:
| eventstats max(Unknown) as _unk
| <if _unk is 0, drop the field>
edit
This could just as easily be reworded to:
if every entry for a given field is identical, remove it
Logically, this would look something like:
if(mvcount(values(fieldname))<2), fields - fieldname
Except, of course, that's not valid SPL
could you try that logic after the chart :
``` fill with null values ```
| fillnull value=null()
``` do 90° two time, droping empty/null ```
| transpose 0 include_empty=false | transpose 0 header_field=column | fields - column
[edit:] it is working when I do the following but not sure it is easy to make it working on all conditions
| stats count | eval keep=split("1 2 3 4 5"," ") | mvexpand keep
| table keep nokeep
| fillnull value=null()
| transpose 0 include_empty=false | transpose 0 header_field=column | fields - column
[edit2:] and if you need to add more null() could be done like that
| stats count | eval keep=split("1 2 3 4 5"," "), nokeep=0 | mvexpand keep
| table keep nokeep
| foreach nokeep [ eval nokeep=if(nokeep==0,null(),nokeep) ]
| transpose 0 include_empty=false | transpose 0 header_field=column | fields - column
Let's say I have the following chart:
Input chart
I'm interested only in the 2nd and 4th fields in the 'version' column (e.g. 22.180.0.2)
I want to call all events which has:
Maximum value on both 2nd and 4th fields - as "BEST" (in the example: 22.180.1.3)
(NOT max value on 2nd field) AND (Maximum value on 4th field from each one of the values before the AND, for example 170, 160) - as "GOOD" (in the example: 22.170.0.2,22.160.0.3)
All the rest - as "OK".
I've managed to separate the fields using regex, but couldn't do the differentiation.
Thanks a lot!
I think you want
| rex field=version "(?<first>[0-9]+)\.(?<second>[0-9]+)\.(?<third>[0-9]+)\.(?<fourth>[0-9]+)"
| eventstats max(second) as max_second,
| eventstats max(fourth) as max_fourth by second
| eval status=if(second=max_second and fourth=max_fourth,"BEST",if(second!=max_second and fourth=max_fourth,"GOOD","OK"))
You need two eventstats commands because one of them groups by the second part and the other one doesn't group at all. I don't think there is any way to do it with one eventstats.
Here is a run-anywhere example:
| makeresults
| eval _raw="
index version
1 22.180.0.1
2 22.180.0.2
3 22.180.0.3
4 22.170.0.1
5 22.170.0.2
6 22.160.0.1
7 22.160.0.2
8 22.160.0.3
9 22.160.0.4
"
| multikv forceheader=1 fields index version
| table index version
| rex field=version "(?<first>[0-9]+)\.(?<second>[0-9]+)\.(?<third>[0-9]+)\.(?<fourth>[0-9]+)"
| eventstats max(second) as max_second,
| eventstats max(fourth) as max_fourth by second
| eval status=if(second=max_second and fourth=max_fourth,"BEST",if(second!=max_second and fourth=max_fourth,"GOOD","OK"))
| fields - first second third fourth max_first max_second max_third max_fourth
I have used this query, but I cannot get the time chart to show the trend of the CPU. appears to be only showing the current cpu. my objective is to show the trend from each computer(host)
Telemetry_system
| where hostname_s contains "computer-A"
| where TimeGenerated > ago(5m)
| summarize
by
hostname,
callBackUrl,
cpu_d
| summarize Aggregatedcpu= avg(cpu_d) by hostname, callBackUrl
| render timechart
If I understand your intention correctly, try this:
Telemetry_system
| where hostname_s contains "computer-A"
| where TimeGenerated > ago(5m)
| summarize Aggregatedcpu = avg(cpu_d) by strcat(hostname, "_", callBackUrl), bin(TimeGenerated, 1s)
| render timechart
I am new to Splunk dashboard. I need some help with this kind of data.
2020-09-22 11:14:33.328+0100 org{abc} INFO 3492 --- [hTaskExecutor-1] c.j.a.i.p.v.b.l.ReadFileStepListener : [] read-feed-file-step ended with status exitCode=COMPLETED;exitDescription= with compositeReadCount 1 and other count status as: BatchStatus(readCount=198, multiEntityAccountCount=0, readMultiAccountEntityAdjustment=0, accountFilterSkipCount=7, broadRidgeFilterSkipCount=189, writeCount=2, taskCreationCount=4)
I wanted to have statistics in a dashboard showing all the integer values in the above log.
Edit 1:
I tried this but not working.
index=abc xyz| rex field=string .*readCount=(?P<readCount>\d+) | table readCount
See if this run-anywhere example helps.
| makeresults
| eval _raw="2020-09-22 11:14:33.328+0100 org{abc} INFO 3492 --- [hTaskExecutor-1] c.j.a.i.p.v.b.l.ReadFileStepListener : [] read-feed-file-step ended with status exitCode=COMPLETED;exitDescription= with compositeReadCount 1 and other count status as: BatchStatus(readCount=198, multiEntityAccountCount=0, readMultiAccountEntityAdjustment=0, accountFilterSkipCount=7, broadRidgeFilterSkipCount=189, writeCount=2, taskCreationCount=4)"
`comment("Everything above just sets up test data")`
| extract kvdelim=",", pairdelim="="
| timechart span=1h max(*Count) as *Count
I solved this using
index=xyz |regex ".*fileName=(\s*([\S\s]+))" | rex field=string .*compositeReadCount=(?P<compositeReadCount>\d+) |regex ".*readCount=(?P<readCount>\d+)" | regex ".*multiEntityAccountCount=(?P<multiEntityAccountCount>\d+)" | regex ".*readMultiAccountEntityAdjustment=(?P<readMultiAccountEntityAdjustment>\d+)" | regex ".*accountFilterSkipCount=(?P<accountFilterSkipCount>\d+)" | regex ".*broadRidgeFilterSkipCount=(?P<broadRidgeFilterSkipCount>\d+)" | regex ".*writeCount=(?P<writeCount>\d+)" | regex ".*taskCreationCount=(?P<taskCreationCount>\d+)" | regex ".*status=(\s*([\S\s]+))" | table _time fileName compositeReadCount readCount multiEntityAccountCount readMultiAccountEntityAdjustment accountFilterSkipCount broadRidgeFilterSkipCount writeCount taskCreationCount status
I want to use the same labels from a SQLAlchemy table, to re-aggregate some data (e.g. I want to iterate through mytable.c to get the column names exactly).
I have some spending data that looks like the following:
| name | region | date | spending |
| John | A | .... | 123 |
| Jack | A | .... | 20 |
| Jill | B | .... | 240 |
I'm then passing it to an existing function we have, that aggregates spending over 2 periods (using a case statement) and groups by region:
grouped table:
| Region | Total (this period) | Total (last period) |
| A | 3048 | 1034 |
| B | 2058 | 900 |
The function returns a SQLAlchemy query object that I can then use subquery() on to re-query e.g.:
subquery = get_aggregated_data(original_table)
region_A_results = session.query(subquery).filter(subquery.c.region = 'A')
I want to then re-aggregate this subquery (summing every column that can be summed, replacing the region column with a string 'other'.
The problem is, if I iterate through subquery.c, I get labels that look like:
anon_1.region
anon_1.sum_this_period
anon_1.sum_last_period
Is there a way to get the textual label from a set of column objects, without the anon_1. prefix? Especially since I feel that the prefix may change depending on how SQLAlchemy decides to generate the query.
Split the name string and take the second part, and if you want to prepare for the chance that the name is not prefixed by the table name, put the code in a try - except block:
for col in subquery.c:
try:
print(col.name.split('.')[1])
except IndexError:
print(col.name)
Also, the result proxy (region_A_results) has a method keys which returns an a list of column names. Again, if you don't need the table names, you can easily get rid of them.