topic Re: Appending Searched parsing output in Splunk Search

Appending Searched parsing output

Manasi25 — Tue, 25 Aug 2020 00:56:42 GMT

I m using append query multiple times for different searches for same index.

Its parsing my job. Please advise solution.

Re: Appending Searched parsing output

Nisha18789 — Tue, 25 Aug 2020 06:34:55 GMT

Hi @Manasi25 append is an expensive query in terms of search time. Could you please share details on what you are trying to achieve with your query.

Re: Appending Searched parsing output

thambisetty — Tue, 25 Aug 2020 07:23:23 GMT

can you specify index or sourcetype or source in append search? this will limit search to that particular index or sourcetype or source and performance will improve.

your sub search used in append :

search routingKey=routingCLBT_Infrastructure_Operations # this will return only one routingKey | top limit=50 routingKey # you will only get one result with 3 headers routingKey count percent and percent is 100% here since you have applied filter already and routingKey has only one at the moment. | stats sum(count) as count, avg(percent) as percent # it has no effect | eval routingKey="CLBT" # creating field and assigning static value.

I would suggest below search in append command:

Re: Appending Searched parsing output

Manasi25 — Wed, 26 Aug 2020 01:44:26 GMT

Hello, Thanks for help !

But , i have multiple routingKey's for one Output. So how can I modify this? Below is example which I have run for my report.I need addtotals for all with count and percent(avg) --Below results parsing my output. I have "IA- IJ" field values.

index=victorops
routingKey=routingA OR routingKey=routingB OR routingKey=routingKeyC OR routingKey=routingKeyD OR routingKey=routingE | top limit=50 routingKey

| stats sum(count) as count, avg(percent) as percent

| eval routingKey = "IA"

| append [ search routingKey=routingAA OR routingAB OR routingKey=routingAC OR routingKey=routingAD OR routingKey=routingAE | top limit=50 routingKey

| stats sum(count) as count, avg(percent) as percent

|eval routingKey = "IB" ]

| addcoltotals labelfield=routingKey label=Total

| table routingKey, count, percent

Re: Appending Searched parsing output

to4kawa — Wed, 26 Aug 2020 21:47:26 GMT

Re: Appending Searched parsing output

Manasi25 — Thu, 27 Aug 2020 02:09:45 GMT

Hello

These query gives the output all my routingKey in ascending order.

I need below --

Product Name Count Percent (avg)

IA 50 50%

IB 75 30%

IC 55 0.5%

ID 0 0%

Each product name has different routingKey.

Output should be -- i need avg for percent in TOTAL row.

Re: Appending Searched parsing output

to4kawa — Thu, 27 Aug 2020 10:54:22 GMT

@Manasi25

There is nothing about logs. what do you think making the query?

Re: Appending Searched parsing output

Manasi25 — Thu, 27 Aug 2020 11:42:24 GMT

index=victorops

routingKey=routingA OR routingKey=routingB OR routingKey=routingKeyC OR routingKey=routingKeyD OR routingKey=routingE | top limit=50 routingKey

| stats sum(count) as count, avg(percent) as percent

| eval routingKey = "IA"

| append [ search routingKey=routingAA OR routingAB OR routingKey=routingAC OR routingKey=routingAD OR routingKey=routingAE | top limit=50 routingKey

| stats sum(count) as count, avg(percent) as percent

|eval routingKey = "IB" ]

| addcoltotals labelfield=routingKey label=Total

| table routingKey, count, percent

Above resulted below --

Product Name Count Percent

IA 50 0.25

IB 40 30

Total 90 (Sum of routigKey) 15.125 (avg) ----I need this as average

But while running above query, its parsing my output. Plz advise

Re: Appending Searched parsing output

to4kawa — Thu, 27 Aug 2020 20:42:35 GMT

appendpipe is enough.

Re: Appending Searched parsing output

Manasi25 — Sun, 30 Aug 2020 03:20:28 GMT

Its parsing my output as I have number of routingKey to append.

Re: Appending Searched parsing output

Manasi25 — Tue, 08 Sep 2020 11:06:03 GMT

@richgalloway -

Below you which you given solution, parsing my output. Please advise.

Re: Appending Searched parsing output

Nisha18789 — Tue, 08 Sep 2020 22:11:57 GMT

Hi @Manasi25 , one question- why you need so many appends? Can you try something like below, it will be quick and I think gives the same output.

You have to include all the routing keys below, I have just added two sets and accordingly update the case statement as well.

index=victorops routingKey=routingA OR routingKey=routingB OR routingKey=routingKeyC OR routingKey=routingKeyD OR routingKey=routingE OR routingKey=routingAA OR routingAB OR routingKey=routingAC OR routingKey=routingAD OR routingKey=routingAE | eval routingKey=case(routingKey="routingA" OR routingKey="routingB" OR routingKey="routingKeyC" OR routingKey="routingKeyD" OR routingKey="routingE","IA",routingKey="routingAA" OR "routingAB" OR routingKey="routingAC" OR routingKey="routingAD" OR routingKey="routingAE","IB",1=1,"other") | top routingKey limit=0 | addcoltotals labelfield=routingKey label=Total

Re: Appending Searched parsing output

Manasi25 — Wed, 09 Sep 2020 12:09:29 GMT

Hello

Given query resulted below.

Re: Appending Searched parsing output

thambisetty — Wed, 09 Sep 2020 12:11:35 GMT

top routingkey=0 # this is wrong.

|top routingkey limit=0 # supposed to be.

check @Nisha18789 answer properly.