topic Re: How to do hierarchy query? in Splunk Search

How to do hierarchy query?

jojujose — Tue, 24 May 2016 19:37:40 GMT

For simplicity sake, my data definition looks like: (FileId,ObjectId,ParentObjectId)
My data sample may look like:
f1,o1,null
f1,o1,null
f1,o2,o1
f1,o3,o2
I am basically trying to see something like this in the o/p..
Max depth in hierarchy for the above data set will be 2 (since, o3->o2->o1)
Also, I am interested in looking at the depth across fileIds..like a group by of the above results over fileIds
Any help in this will be appreciated!

Re: How to do hierarchy query?

rafamss — Tue, 24 May 2016 21:57:50 GMT

Hi jojujose,

With base in your sample, I believe that you need use the transaction command for this. This command classify the start and end of each event.

Veja se isto ajuda: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction

[]s
RM

Re: How to do hierarchy query?

sundareshr — Wed, 25 May 2016 00:23:23 GMT

Install the Splunk 6.x Dashboard Examples App and look at the Sankey Chart. Its a custom visualization for hierarchical data.