I am a new Splunk user and I want to create a stats table showing different findings of an event using fields. However, I am running into an error when I use the earliest command twice. Here's what I have so far:

```
index= xxx source=xxx sourcetype=xxx
| stats latest(name) as name, latest(call_time) as call_time
[ search index=xxx source=xxx sourcetype=xxx conversation="*hello*"
| stats earliest(_time) as first_hello by name
[ search index=xxx source=xxx sourcetype=xxx messages="*how*"
| stats earliest(_time) as first_how by name
| table name, call_time, first_hello, first_how
```

1. Both first_hello and first_how are displaying the same time.
2. As I added the 'join' I could tell that the number of statistics decreased. I want to find a way that it displays all the events and that if a certain time (or word) cannot be found then it will just stay blank. I can see how that contradicts the purpose of 'join' but I couldn't find another way to do it.

1. When it comes to messages and conversations, I want to find the first time that each field had a value containing the specific word (hello and how correspondingly). These two fields contain values that look like paragraphs. In other words, I want to find the first time that xxname said hello in conversation and how in messages.

Display a table that shows: name, TIME of the last call (corresponding to that name), TIME of the first time the word hello was said in the values of the conversation field, TIME of the first time the word how was said in the values of the messages field.

Let me know if I need to clarify anything else.

I'm not sure if I understand the question exactly, but let me try to take a swing at it.

First, let's get a query that works. Here's something that should return results for you.

```
| stats latest(host) as name, latest(_time) as call_time
| eval call_time=strftime(call_time,"%c")
[ search index=_internal sourcetype=splunkd_ui_access
| eval first_hello=strftime(first_hello,"%c")
[ search index=_internal sourcetype=splunk_web_access
| eval first_how=strftime(first_how,"%c") ]
```

When you run this you get a hostname and 3 timestamps based on the timestamp records for the 3 sourcetypes named. If you replace one of the sourcetypes with something that doesn't exist:

```
[ search index=_internal sourcetype=splunk_web_access_NOT_THERE
```

This is because the (default: inner) join fails. There are no names that have records in all 3 joined segments. If you want all of the calls to show, but if they don't include a "hello" or a "how", it should leave those fields blank, then you want to use a left join. This should return your values from your first and second joins, but leave the 3rd timestamp blank. I hope that helps.

Hi Everyone, I am trying to check a certain ticket-series in SourcetypeA or SourcetypeB. If found, I need to check if it is available in SourceTypeC as well and extract the values 'Linespecs, Linedescription, Other' from SourceTypeC.

If PID is equal to ID (I hope it is, or else you either didn't give us enough information to solve the problem, or the problem is unsolvable because they're not actually related records).

```
(sourcetype=a AND index=foo) OR (sourcetype=b AND index=bar) OR (sourcetype=c)
| eval master_id = case(sourcetype=a, ID, sourcetype=b, PID, sourcetype=c, id)
```

The idea is just pile them all together, create a new ID that is the same field name for all, then let stats "group" them by that new id field. You can use, like I did, an eval/case statement to collapse all possible field names that are your ID into one field you can stats on. And the `stats values(*) as * by ...` is really just a shortcut to "doing all the fields". You could replace it with values(field1) as newnameforField1, values(field2) as ...

Description: You can use the join command to combine the results of a main search (left-side dataset) with the results of either another dataset or a subsearch (right-side dataset). You can also combine a search result set to itself using the selfjoin command. One way Splunk can combine multiple searches at one time is with the append. fields source, sourcetype, host, error. See also: fields command.