topic Re: Aggregate query help in Splunk Search

Aggregate query help

aag — Thu, 22 Jul 2021 20:38:12 GMT

Hi Team - I am trying to first search and then aggregate results from following Splunk logs:

Raw format:

"buildDimensionsAttributes:  $attribute: $constraint: $result"

sample message:

message: buildDimensionsAttributes: 6393: AttributeConstraints(-1.0,99.92,2,DoubleFormat): 99.98

Here in the AttributeConstraints

1st index corresponds to minval here -1.0

2nd index corresponds to maxval here 99.92

3rd index corresponds to decimal here 2

I want to first filter $results which are out of range, here 99.98 is not between [-1.0 , 99.92] and then

aggregate (group by) various $attribute and then

showcase something like below on the dashboard where we can apply our usual time filters.

Attribute# | RecrdCountofOutofRange | TotalRecords

Thanks

Re: Aggregate query help

venkatasri — Fri, 23 Jul 2021 02:09:17 GMT

Hi @aag

See if this helps!.

<your_Search_goes_here> | rex "buildDimensionsAttributes:\s+(?<attr>\d+):\s+AttributeConstraints$(?<idx1>.+?),(?<idx2>.+?),(?<idx3>.+?),.+?$:\s+(?<number>[\d\.]+)" | stats count as total, count(eval(number < idx1 OR number > idx2 )) as RecordOutRange by attr

---

An upvote would be appreciated if this reply helps and Accept solution!

Re: Aggregate query help

aag — Fri, 23 Jul 2021 22:36:39 GMT

Thanks much @venkatasri ; it worked beautifully !

As a next step would like to showcase the result on dashboard, where from a drop down when we select a particular attribute it will show the count of total and RecordOutRange on y-axis in time span of every15min on x-axis. Something like below:

Helpful image from query showcasing all attributes in same graph:

Thanks