topic Re: Search by values in field in Splunk Search

Search by values in field

nivethainspire_ — Wed, 09 Dec 2020 14:03:28 GMT

In the below table, I was to search by field "Core Content" where "Core Content" should take top 2 highest value.

Core Content	Count	Status	Flag
4268	2223	N	Red
4267	1794	N	Yellow
4266	305	Y	Yellow
4265	90	Y	Red
4268	19	Y	Green
4263	63	N	Green
4262	133	Y	Red
4261	34	N	Red
4260	26	N	Yellow
	4768

The output I expect is,

Core Content	Count	Status	Flag
4268	2223	N	Red
4267	1794	N	Yellow
4268	19	Y	Green

All other rows I have to take as Outdated.

Re: Search by values in field

richgalloway — Wed, 09 Dec 2020 19:38:23 GMT

Would you please clarify the requirements? How is the sample input transformed into the sample output?

The text says "top 2 highest" but the example shows 3 results.

When measuring "highest" which column is to be used? It is the raw values in that column or a sum based on some other field?

Re: Search by values in field

nivethainspire_ — Thu, 10 Dec 2020 10:31:03 GMT

The Core Content has values ranging 4260 to 4268. I want show details of only top 2 Core Content that is 4268 and 4267. The core content updates often. Tomorrow it may take 4270.

So I want to query for a table where core content should search only top 2

Re: Search by values in field

richgalloway — Thu, 10 Dec 2020 13:33:31 GMT

Here's one way to do that.

your search | sort 2 - Count

Re: Search by values in field

nivethainspire_ — Tue, 15 Dec 2020 10:26:27 GMT

Basically I want to run the below query

Instead of explicitly hardcoding the values for "Core Content", I want them to take the top 2 values of "Core Content"

Re: Search by values in field

richgalloway — Tue, 15 Dec 2020 13:18:44 GMT

Try this query. The main difference is the use of single quotes. In Splunk, double quotes denote a string while single quote denote a field name.

index=s_cnn sourcetype=S_network Status="Reporting" Form!="VP" Form!="VI" Form="*" Group="*" Env="*" OS="*" Company="*" ("Core Content"="4283.0" OR "Core Content"="4286.0") | fillnull value="00" Com | fillnull value="" | sort 2 - 'Core Content'

Re: Search by values in field

nivethainspire_ — Wed, 16 Dec 2020 07:58:29 GMT

Not working for me.

index=s_cnn sourcetype=S_network Status="Reporting" Form!="VP" Form!="VI" Form="*" Group="*" Env="*" OS="*" Company="*" | fillnull value="00" Com | fillnull value="" |timechart span=1d count("Core Content") by "Core Content"|sort 2 - "Core Content"

Its not sorting, I get the below output,

_time	5276	5279	4280	4284	4285	5286	5287	OTHER
12/15/2020	26	20	26	91	28	1641	2681	149
12/16/2020	0	0	0	0	0	0	0	0

But I want to get as below,

_time	5286	5287
12/15/2020	1641	2681
12/16/2020	0	0

Re: Search by values in field

richgalloway — Wed, 16 Dec 2020 13:58:24 GMT

It didn't work because you used a different query. timechart is a transforming command so you no longer have a "Core Content" field on which to sort.

I don't know how to achieve the results you desire. Sorry.

Re: Search by values in field

scelikok — Wed, 16 Dec 2020 18:14:46 GMT

@nivethainspire_, you can use below query,