Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About Username1
Username1
Path Finder
Member since:
07-22-2020
08-13-2020
Community Statistics
| Posts | 24 |
| Solutions | 2 |
| Karma Given | 9 |
| Karma Received | 0 |
| Member Since | 07-22-2020 |
Activity Feed
- Posted Only want most recent ticket - dedup? on Splunk Search. 08-13-2020 01:35 PM
- Tagged Only want most recent ticket - dedup? on Splunk Search. 08-13-2020 01:35 PM
- Tagged Only want most recent ticket - dedup? on Splunk Search. 08-13-2020 01:35 PM
- Posted Re: If column is certain value but the other is null. on Splunk Search. 08-10-2020 04:07 PM
- Posted Re: If column is certain value but the other is null. on Splunk Search. 08-10-2020 03:17 PM
- Posted If column is certain value but the other is null. on Splunk Search. 08-10-2020 02:58 PM
- Karma Re: Count and sum fourth column if second and third column are certain value and group by first column for thambisetty. 08-06-2020 12:51 PM
- Karma Re: Rewrite/Correspond MySQL Queries in Splunk for thambisetty. 08-06-2020 12:41 PM
- Karma Re: Rewrite/Correspond MySQL Queries in Splunk for thambisetty. 08-06-2020 12:41 PM
- Posted Re: Rewrite/Correspond MySQL Queries in Splunk on Splunk Search. 08-06-2020 12:40 PM
- Karma Re: Rewrite/Correspond MySQL Queries in Splunk for thambisetty. 08-06-2020 12:40 PM
- Karma Re: Rewrite/Correspond MySQL Queries in Splunk for thambisetty. 08-06-2020 12:40 PM
- Posted Re: Rewrite/Correspond MySQL Queries in Splunk on Splunk Search. 08-06-2020 12:37 PM
- Posted Re: Rewrite/Correspond MySQL Queries in Splunk on Splunk Search. 08-06-2020 12:27 PM
- Posted Re: Rewrite/Correspond MySQL Queries in Splunk on Splunk Search. 08-06-2020 12:01 PM
- Posted How to rewrite/correspond MySQL queries in Splunk? on Splunk Search. 08-06-2020 11:30 AM
- Tagged How to rewrite/correspond MySQL queries in Splunk? on Splunk Search. 08-06-2020 11:30 AM
- Posted Re: Count and sum fourth column if second and third column are certain value and group by first column on Splunk Search. 08-06-2020 09:48 AM
- Posted Re: Count and sum fourth column if second and third column are certain value and group by first column on Splunk Search. 08-06-2020 09:07 AM
- Posted Re: Count and sum fourth column if second and third column are certain value and group by first column on Splunk Search. 08-06-2020 08:58 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
08-13-2020
01:35 PM
Hey Everyone, Everyday Splunk is ingesting a csv of information, and we are doing charts to show when/how they changed. The table consist if "Month","Project_Name", "Status", "Resolution", "Points", and of course "_time". So we are trying to see that if the status and resolution changes then the project_name gets points, and visually its just a stacked bar chart where the "Total Points" column stays the same but the "Gained Points" column grows over the course of the month. Basically if we have duplicate Project_Name that vary in Status and Resolution, how do we only show the row with the most recent _time Example: Month Project_Name Status Resolution Points _time 1 Project_Dog Open Open 2 2020-08-11 1 Project_Dog Open Open 2 2020-08-12 1 Project_Dog Done Done 2 2020-08-13 1 Project_Bird Open Open 1 2020-08-12 1 Project_Cat Open Open 3 2020-08-12 1 Project_Cat Done Done 3 2020-08-13 1 Project_Bird Open Open 1 2020-08-13 According to this example, Project_Dog gained 2 points for Month 1, and Project_Cat gained 3 points for Month 1. How do I get this example to show that Total Points = 6 and Gained Points = 5?
... View more
08-10-2020
04:07 PM
@to4kawa So, I get that you created a random sample of numbers for my column Score and incorporated, but then I got lost at your example using mvindex. So let's say that is Status is 'Done' and Resolution is blank, I want it to return a 1, and then if not return a zero. How would you change this example to make it work properly. | eval done_null = if(Status="Done" AND Resoloution!="*","1","0")
| stats sum(done_null) as Done_Null by time
| table time, Done_Null
... View more
08-10-2020
03:17 PM
hi @to4kawa Score is another field in my data set. It comprises of numbers from 0-10
... View more
08-10-2020
02:58 PM
Hi Everyone, This might be straight forward and I'm missing it but my current query is below and I am not able to get the correct results, any thoughts? End goals is to get all with status of Done and a Resolution of blank. | eval done_null = if(Status="Done" AND Resoloution!="*",Score,"0")
| stats sum(done_null) as Done_Null by time
| table time, Done_Null
... View more
08-06-2020
12:40 PM
index=index
| table Month, Project, Status, Accepted, Points
| eval done = if(Status= "Done" AND Accepted = "Done",Points,'0')
| stats sum(Points) as all_points, sum(done) as done_points by Month The error was in the double and single quotes, that is my mistake...Thanks you @thambisetty for all of your help!
... View more
08-06-2020
12:37 PM
Here is my current query index=index
| table Month, Project, Status, Accepted, Points
| eval done = if(Status= 'Done' AND Accepted = 'Done',Points,'0')
| stats sum(Points) as all_points, sum(done) as done_points by Month I removed the last |stats and it shows theres no results for "done".
... View more
08-06-2020
12:27 PM
@thambisetty The exact field names are Status and Accepted. I have made sure that the field names are correct and the single quotes are correct as well.
... View more
08-06-2020
12:01 PM
@thambisetty Thanks for the response I ran your query and it is showing a blank for done_points It returns the below, but done_points is all null Month | all_points| done_points Jan | 10 | Feb | 20 | Any thoughts on why that may be happening?
... View more
08-06-2020
11:30 AM
Hey community I have my data in both MySQL and in Splunk. I'm trying to mimic the MySQL queries in Splunk so I can make a visual. My Data has five columns,:"Month", "Project", "Status", "Completion", "Points". The first query sums the column "Points" only if that row includes a Status and Completion value of "Done" and then grouping it by Month. The second query is summing the column points just by the Month. The problem I'm running into is having them together in one Splunk Query as I'm trying to have both tables in one graph. Any suggestions?
select Month,sum(Points) from TABLE
where Status = "Done"
and Completion = "Done"
group by Month
;
&
select Month,sum(Points)from TABLE
group by Month
;
... View more
08-06-2020
09:48 AM
@thambisetty I tried running that and it returned "Error in 'eval' command: The expression is malformed. An unexpected character is reached at '”1”,”0”)'." If I do that how would the `done` eval be able to sum all of the Values, as Values range from .25 - 10
... View more
08-06-2020
09:07 AM
@thambisetty So my data structure has four columns: "Month", "Status", "Accepted", "Value". The two things I'm trying to graph are: 1) the total values per month no matter what Status/Accepted, 2) the total values per month where "Status=Done and Accepted = Done".
... View more
08-06-2020
08:58 AM
@thambisetty Is there no way I can have one query? The end goal is to have a visual
... View more
08-06-2020
08:52 AM
Hi @thambisetty Thanks for responding! If i do that how will I count where Status = 'Not Done" by Month?
... View more
08-06-2020
08:23 AM
So my data structure has four columns: "Month", "Status", "Accepted", "Value". As the title suggest I'm trying to determine two things: 1) the total values per month, 2) the total values per month where "Status=Done and Accepted = Done". I have the query working for the first one but I'm having difficulty with the second. Does anyone have any ideas how to do this? Thanks!
index=index
|table Month, Status, Accepted, Value
| eval _time=strptime(scan_date,"%Y-%m-%d")
| stats sum(Value) as total_value_per_month by Month
... View more
07-29-2020
08:54 AM
As the title suggest I am using the same color codes for red/grey/green for both of the graphs but the Bar Chart is how the color looks, and the Area chart makes it...more transparent looking and a lighter tint. How do I get the Area Chart color to be identical to the Bar Chart? Thanks in advance
... View more
- Tags:
- color
Labels
- Labels:
-
Analytics Workspace
-
metrics
07-28-2020
12:33 PM
To whomever may need this out there the correct function to use was dc. I didn't need it for closed because I was only counting those once to begin with. index=stuff
| bin _time span=1month
| stats dc(eval(status="OPEN")) as OPEN, count(eval(status="CLOSED")) as CLOSED by reportId, reportName, _time
| stats sum(CLOSED) as CLOSED, sum(OPEN) as OPEN by _time
| eval Rate=round(CLOSED/OPEN,3)*100
... View more
07-28-2020
08:41 AM
So suppose that everyday Splunk takes in a report that houses 9 different fields, one of which is called 'status'. Status has the option of being 'New', 'Closed', or 'Open'. Because the report is sent to Splunk everyday, a report with ID =1 will indicate "Open" everyday that it is "Open", so (for example) from 1/1/20, 1/2/2020,...,1/5/20 it is 'Open' and on 1/6/20 it is "Closed". So what I'm trying to do is sum up all unique reportId's for a given month, so from my example it should only return a value of 1 for 'OPEN' and 1 for "Closed' when I sum it up for the month of January. My current query is below but this counts the number of days a reportId was 'Open' that month. So my query is returning 5 from my example above for 'OPEN'. The last part of the query I wanted to find the 'Rate" of 'Open'/'Closed' but as you guessed it isn't doing it for all of them and only individually. index=base
| bin _time span=1month
| stats count(eval(status="Open")) as OPEN, count(eval(status="Closed")) as CLOSED by reportName, _time, reportId
| eval Rate=abs(OPEN/CLOSED) Does anyone have any suggestions with how to solve my problem, any suggestions would be very much appreciated. Thanks in advance. (End goal is a timechart of OPEN, CLOSED, Rate with the x axis as time in months and the y be total number of unique reportIds for that month)
... View more
07-24-2020
12:36 PM
@to4kawa That worked amazingly and it returns exactly what I was looking for! I don't fully understand your query, but I'm going to go look into how 'bin' operates and try to reconstruct your logic. Thank you again for assisting me with this, much appreciated.
... View more
07-24-2020
12:26 PM
Hi @to4kawa , Thanks for responding to my question as well. I ran your query and it returns the sum of the numbers of the month (see the picture), which I believe is being caused by the span =1mon. I ran the numbers manually and the average of OPEN for January should be 287. There is a csv everyday of each month that shows what reports are OPEN (so 31 csv in January), so maybe we should be doing span=1d and then doing an average of each month...unsure if thats the best path forward but I'm open for suggestions.
... View more
- Tags:
- eventstats
07-24-2020
12:09 PM
Hi @richgalloway , thank you for responding to my question. I ran your search query as the code below to see what the results would be. You're query works that it gives me the final average for all of the months, but not the average for each month. How do you think we can modify this to have an average of "OPEN" for every month? Does it have something to do with the span=1mon? Look forward to hearing your thoughts index=foo
| timechart span=1mon count(report_date) by status
| appendpipe [stats avg(OPEN) as avgOPEN | eval _time="Average"]
| eval difference=abs(OPEN-CLOSED)
... View more
07-24-2020
10:02 AM
So suppose that everyday Splunk takes in a report that houses 9 different fields, one of which is called 'status'. Status has the option of being 'New', 'Closed', or 'Open'. I'm trying to show a time-chart that shows the average count per month of reports that have 'Closed' and'Open'. status , along with the difference of the two (everyday). I have found how to do the difference between'Open' and 'Closed'. But I cannot figure out how to find the monthly average for 'Open' and 'Closed', does anyone have any ideas how to query this? index=blah... | timechart span=1mon count(report_date) by status | eval difference=abs(OPEN - CLOSED) This is where I'm stuck, how do I get the monthly average of the particular status fields?
... View more
Labels
- Labels:
-
count
-
field extraction
-
fields
-
stats
-
timechart
07-22-2020
10:40 AM
That worked perfectly. Thank you!
... View more
07-22-2020
09:11 AM
So suppose that everyday Splunk takes in a report that houses 9 different fields, one of which is called 'status'. Status has the option of being 'New', 'Closed', or 'Open'. I'm trying to show a time-chart that shows the count per day of reports that have 'Closed' and 'New' status , along with the difference of the two (everyday). So a file with report_date '2020-07-23' is ingested in Splunk and shows we had 5 'New' reports, 7 'Closed' Reports, so the difference should be 2 for that day. How do I go about doing this in my search query? index=blah... | timechart count(report_date) by status| fields - OPEN This is where I'm stuck, how do I get the difference of only NEW and CLOSED included into my graph. Thanks in advance
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-13-2020
05:51 PM
|
