topic Re: SPL-Search based on mutiple values in Splunk Search

SPL-Search based on mutiple values

srs20 — Wed, 30 Sep 2020 01:01:50 GMT

Hello,

i'm searching for a certain condition and wrote the query below .It works but not quite what I'm looking for

index="xyz" earliest=-18h (pidId=1 OR pidId=2 ) | stats count(eval(value>22)) AS count_status BY pidId | where count_status>=3

What I'm looking for is
pidId=1 and value >22 and occurs 3 or more times in 18 hours
AND
pidId=2 and value >37 and occurs 3 or more times in 18 hours

How can I do this?
Thanks,

Re: SPL-Search based on mutiple values

richgalloway — Sun, 23 Jun 2019 17:48:18 GMT

If I understand what you're looking for, this may help.

index="xyz" earliest=-18h (pidId=1 OR pidId=2 ) 
| stats count(eval(value>22)) AS count22, count(eval(value>37)) as count37 BY pidId
| where (pidId=1 AND count22>=3) OR (pidId=2 AND count37>=3)

Re: SPL-Search based on mutiple values

sumanssah — Sun, 23 Jun 2019 17:51:05 GMT

Try this

index="xyz" ((pidId=1 AND value >22) OR (pidId=2 AND value >37))
| stats dc(value) as dc_value by pidId
| where dc_value > 3

Re: SPL-Search based on mutiple values

woodcock — Sun, 23 Jun 2019 23:09:22 GMT

Like this:

index="xyz" earliest=-18h (pidId=1 OR pidId=2 )
| stats count(eval(value>22)) AS count22plus count(eval(value>33)) AS count33plus BY pidId
| where (pidId==1 AND count22plus>=3) OR (pidId==2 AND count33plus>=3)

Re: SPL-Search based on mutiple values

srs20 — Mon, 24 Jun 2019 01:30:26 GMT

Thanks for the response.This returns null values for the first eval command and correct values for the second stats eval ..so in this case count22 is null and count37 is null. If I change the sequence i.e.

| stats count(eval(value>37)) as count37 count(eval(value>22)) AS count22 BY pidId

The command above gets the value of count22 but not count37. So,it always the second eval returnign results but never the first

Re: SPL-Search based on mutiple values

srs20 — Mon, 24 Jun 2019 01:31:00 GMT

Thanks for the response.This returns null values for the first eval command and correct values for the second stats eval ..so in this case count22plus is null and count37plus is null. If I change the sequence i.e.

| stats count(eval(value>37)) as count37plus count(eval(value>22)) AS count22plus BY pidId

The command above gets the value of count22 but not count37. So,it always the second eval returning results but never the first

Re: SPL-Search based on mutiple values

srs20 — Mon, 24 Jun 2019 01:32:29 GMT

Thanks,this returns results. Will need more time to validate.

Re: SPL-Search based on mutiple values

woodcock — Sun, 14 Jul 2019 18:31:35 GMT

That is because it is never true (there are none to count)!