https://community.splunk.com/t5/All-Apps-and-Add-ons/How-do-you-translate-SQL-into-Splunk/m-p/456503#M56201 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/146667">@mnikhil7692</a> hardcoding was only to generate sample data as per your question as we will not have same data as your system. Please provide some sample events (mock/anonymize any sensitive information).</P> <P>Unless we know what your event looks like and what are your fields it will not be easy for us to assist, however, based on your query provided <STRONG>try the following and confirm</STRONG>:</P> <PRE><CODE> index="MyIndex" sourcetype="MySourceType" source="MySource" | eval _time=strptime(creation_date_time,"%m/%d/%Y") | timechart count(eval(FLAG=="O")) as Outbound count(eval(FLAG=="I")) as Inbound dc(provider_name) as Providers </CODE></PRE> <P>OR May be the following if you do not need Time as epoch time and your existing creation_date_time is in <CODE>MM/DD/YYYY</CODE> format:</P> <PRE><CODE> index="MyIndex" sourcetype="MySourceType" source="MySource" | chart count(eval(FLAG=="O")) as Outbound count(eval(FLAG=="I")) as Inbound dc(provider_name) as Providers by creation_date_time </CODE></PRE> <P>Following is the run anywhere example based on cooked up data as per my understanding of your data. Each event has creation_date_time in MM/DD/YYYY format. FLAG O and I denote Outbound and Inbound respectively and provider_name can repeat, where you want unique provider count. </P> <P><CODE>PS: Intention of run anywhere search is to demo the required output. Instead of commands from | makeresults till | KV, you will use your main search using index="MyIndex" sourcetype="MySourceType" source="MySource", as mentioned above.</CODE></P> <PRE><CODE>| makeresults | fields - _time | eval data="CREATION_DATE_TIME=10/24/2018,FLAG=O,provider_name=X;CREATION_DATE_TIME=10/24/2018,FLAG=O,provider_name=Y;CREATION_DATE_TIME=10/24/2018,FLAG=O,provider_name=X;CREATION_DATE_TIME=10/24/2018,FLAG=O,provider_name=X;CREATION_DATE_TIME=10/24/2018,FLAG=O,provider_name=Y;CREATION_DATE_TIME=10/24/2018,FLAG=I,provider_name=Y;CREATION_DATE_TIME=10/24/2018,FLAG=I,provider_name=Y;CREATION_DATE_TIME=10/24/2018,FLAG=I,provider_name=X;CREATION_DATE_TIME=10/24/2018,FLAG=I,provider_name=Y;CREATION_DATE_TIME=10/24/2018,FLAG=I,provider_name=Y;CREATION_DATE_TIME=10/15/2018,FLAG=O,provider_name=Y;CREATION_DATE_TIME=10/15/2018,FLAG=O,provider_name=Y;CREATION_DATE_TIME=10/15/2018,FLAG=O,provider_name=Y;CREATION_DATE_TIME=10/15/2018,FLAG=I,provider_name=X;CREATION_DATE_TIME=10/15/2018,FLAG=I,provider_name=Y;CREATION_DATE_TIME=10/24/2018,FLAG=I,provider_name=X;CREATION_DATE_TIME=10/15/2018,FLAG=I,provider_name=Y;CREATION_DATE_TIME=10/15/2018,FLAG=I,provider_name=X;CREATION_DATE_TIME=10/15/2018,FLAG=I,provider_name=Y;CREATION_DATE_TIME=10/15/2018,FLAG=I,provider_name=Y;" | makemv data delim=";" | mvexpand data | rename data as _raw | KV | eval _time=strptime(CREATION_DATE_TIME,"%m/%d/%Y") | timechart count(eval(FLAG=="O")) as Outbound count(eval(FLAG=="I")) as Inbound dc(provider_name) as Providers </CODE></PRE> Tue, 29 Sep 2020 21:52:33 GMT niketn 2020-09-29T21:52:33Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-do-you-translate-SQL-into-Splunk/m-p/456500#M56198 <P>Hi there, </P> <H2>Per the attached picture, i just put this data in Excel and got this chart out. However, i was not able to get this into Splunk. Visualization does not show me anything.<IMG src="https://community.splunk.com/storage/temp/255329-sql2dshbrd.jpg" alt="alt text" />Obviously, i am missing something. Please advise.</H2> <HR /> <P>Here's the query I'm running, which generates the same results :</P> <P>SELECT <BR /> TRUNC(CREATION_DATE_TIME),<BR /> COUNT(1) TOTAL_PROCESSES, <BR /> COUNT( distinct PROVIDER_name ) DISTINCT_PROVIDERS, <BR /> SUM(CASE WHEN FLAG = 'O' THEN 1 END ) OUTGOING,<BR /> SUM(CASE WHEN FLAG = 'I' THEN 1 END ) INCOMING,<BR /> FROM<BR /> <MY_TABLE> <BR /> GROUP BY TRUNC(CREATION_DATE_TIME) </MY_TABLE></P> <HR /> <HR /> <P>here's what i am running in Splunk :</P> <PRE><CODE>index="MyIndex" sourcetype="MySourceType" source="MySource" | eval x_out=if((FLAG=="O"),1,0), x_in=if((FLAG=="I"),1,0) | convert ctime(creation_date_time) as cdt timeformat=%m/%d/%y | timechart span=7d dc(provider_name) by cdt | stats sum(x_out) as Outbound sum(x_in) as Inbound dc(provider_name) as Providers </CODE></PRE> Tue, 29 Sep 2020 21:51:04 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-do-you-translate-SQL-into-Splunk/m-p/456500#M56198 mnikhil7692 2020-09-29T21:51:04Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-do-you-translate-SQL-into-Splunk/m-p/456501#M56199 <P>@mnikhil7692 what is the source of your data? Are you indexing spreadsheet data or any other data to Splunk or is it coming from CSV which has been uploaded to Splunk lookup file.</P> <P>If it is indexed to Splunk what do the events look like? Do you have fields already extracted?</P> <P>If the data shows up exactly the way you have displayed in your table, and there is one event per day, just the <CODE>table</CODE> command should work.</P> <P>Following is a run anywhere example which uses command from <CODE>| makeresult</CODE> till <CODE>| KV</CODE> to generate some sample events as per data. Then uses table to plot the table. You can change visualization to Line Chart in Splunk to see the result:</P> <PRE><CODE>| makeresults | eval data="CREATION_DATE_TIME=10/24/2018,TOTAL_PROCESS=96,DISTINCT_PROVIDERS=21,OUTGOING=38,INCOMING=58;CREATION_DATE_TIME=10/25/2018,TOTAL_PROCESS=96,DISTINCT_PROVIDERS=21,OUTGOING=37,INCOMING=59;CREATION_DATE_TIME=10/26/2018,TOTAL_PROCESS=95,DISTINCT_PROVIDERS=21,OUTGOING=37,INCOMING=58;" | makemv data delim=";" | mvexpand data | rename data as _raw | KV | table CREATION_DATE_TIME DISTINCT_PROVIDERS INCOMING OUTGOING TOTAL_PROCESS </CODE></PRE> <P>PS: Just to add here is the Splunk documentation for transitioning from SQL to SPL: <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/SQLtoSplunk">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/SQLtoSplunk</A></P> Wed, 31 Oct 2018 16:18:09 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-do-you-translate-SQL-into-Splunk/m-p/456501#M56199 niketn 2018-10-31T16:18:09Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-do-you-translate-SQL-into-Splunk/m-p/456502#M56200 <P>Hi Nilay, thanks for your quick response and the reference link form Sql to SPL.<BR /> My source data is in Oracle. please don't let my screenshot of the excel mis-guide you. I used that to only show how i want my final visualization to look like in Splunk.<BR /> The query is the one i am trying to translate into Splunk, so hard-coding the incomding, outgoing,, providers etc wont work. It has to be something that's generated dynamically.</P> Wed, 31 Oct 2018 17:46:51 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-do-you-translate-SQL-into-Splunk/m-p/456502#M56200 mnikhil7692 2018-10-31T17:46:51Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-do-you-translate-SQL-into-Splunk/m-p/456503#M56201 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/146667">@mnikhil7692</a> hardcoding was only to generate sample data as per your question as we will not have same data as your system. Please provide some sample events (mock/anonymize any sensitive information).</P> <P>Unless we know what your event looks like and what are your fields it will not be easy for us to assist, however, based on your query provided <STRONG>try the following and confirm</STRONG>:</P> <PRE><CODE> index="MyIndex" sourcetype="MySourceType" source="MySource" | eval _time=strptime(creation_date_time,"%m/%d/%Y") | timechart count(eval(FLAG=="O")) as Outbound count(eval(FLAG=="I")) as Inbound dc(provider_name) as Providers </CODE></PRE> <P>OR May be the following if you do not need Time as epoch time and your existing creation_date_time is in <CODE>MM/DD/YYYY</CODE> format:</P> <PRE><CODE> index="MyIndex" sourcetype="MySourceType" source="MySource" | chart count(eval(FLAG=="O")) as Outbound count(eval(FLAG=="I")) as Inbound dc(provider_name) as Providers by creation_date_time </CODE></PRE> <P>Following is the run anywhere example based on cooked up data as per my understanding of your data. Each event has creation_date_time in MM/DD/YYYY format. FLAG O and I denote Outbound and Inbound respectively and provider_name can repeat, where you want unique provider count. </P> <P><CODE>PS: Intention of run anywhere search is to demo the required output. Instead of commands from | makeresults till | KV, you will use your main search using index="MyIndex" sourcetype="MySourceType" source="MySource", as mentioned above.</CODE></P> <PRE><CODE>| makeresults | fields - _time | eval data="CREATION_DATE_TIME=10/24/2018,FLAG=O,provider_name=X;CREATION_DATE_TIME=10/24/2018,FLAG=O,provider_name=Y;CREATION_DATE_TIME=10/24/2018,FLAG=O,provider_name=X;CREATION_DATE_TIME=10/24/2018,FLAG=O,provider_name=X;CREATION_DATE_TIME=10/24/2018,FLAG=O,provider_name=Y;CREATION_DATE_TIME=10/24/2018,FLAG=I,provider_name=Y;CREATION_DATE_TIME=10/24/2018,FLAG=I,provider_name=Y;CREATION_DATE_TIME=10/24/2018,FLAG=I,provider_name=X;CREATION_DATE_TIME=10/24/2018,FLAG=I,provider_name=Y;CREATION_DATE_TIME=10/24/2018,FLAG=I,provider_name=Y;CREATION_DATE_TIME=10/15/2018,FLAG=O,provider_name=Y;CREATION_DATE_TIME=10/15/2018,FLAG=O,provider_name=Y;CREATION_DATE_TIME=10/15/2018,FLAG=O,provider_name=Y;CREATION_DATE_TIME=10/15/2018,FLAG=I,provider_name=X;CREATION_DATE_TIME=10/15/2018,FLAG=I,provider_name=Y;CREATION_DATE_TIME=10/24/2018,FLAG=I,provider_name=X;CREATION_DATE_TIME=10/15/2018,FLAG=I,provider_name=Y;CREATION_DATE_TIME=10/15/2018,FLAG=I,provider_name=X;CREATION_DATE_TIME=10/15/2018,FLAG=I,provider_name=Y;CREATION_DATE_TIME=10/15/2018,FLAG=I,provider_name=Y;" | makemv data delim=";" | mvexpand data | rename data as _raw | KV | eval _time=strptime(CREATION_DATE_TIME,"%m/%d/%Y") | timechart count(eval(FLAG=="O")) as Outbound count(eval(FLAG=="I")) as Inbound dc(provider_name) as Providers </CODE></PRE> Tue, 29 Sep 2020 21:52:33 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-do-you-translate-SQL-into-Splunk/m-p/456503#M56201 niketn 2020-09-29T21:52:33Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-do-you-translate-SQL-into-Splunk/m-p/456504#M56202 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/201110">@niketn</a> , thanks for your reply. I did find my solution ; it was hiding all along in plain sight. Some of my fields were in lowercase i.e. dc(provider_name) instead of dc(PROVIDER_NAME).<BR /> But all the info and the links you have provided is very useful, for someone who is starting off, like me. Cheers !</P> Tue, 29 Sep 2020 21:51:57 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-do-you-translate-SQL-into-Splunk/m-p/456504#M56202 mnikhil7692 2020-09-29T21:51:57Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-do-you-translate-SQL-into-Splunk/m-p/456505#M56203 <P>@mnikhil7692, did you get a chance to try out the answer?</P> Tue, 06 Nov 2018 04:46:13 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-do-you-translate-SQL-into-Splunk/m-p/456505#M56203 niketn 2018-11-06T04:46:13Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-do-you-translate-SQL-into-Splunk/m-p/456506#M56204 <P>Hi Niket, i did. i replied back on the post that i found the solution.<BR /> Thanks for all your help.</P> Tue, 06 Nov 2018 11:50:05 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-do-you-translate-SQL-into-Splunk/m-p/456506#M56204 mnikhil7692 2018-11-06T11:50:05Z