topic Re: extracting events based on certain conditions in Splunk Search

extracting events based on certain conditions

bhavneeshvohra — Tue, 13 Aug 2019 07:34:23 GMT

HI all,

I am stuck in a scenario which has multiple conditions and i am unable to resolve it. Kindly Help!!!

I have data as follows:-
vin, cid, violationstatus,
abc,45,45
def ,56,76

i want that if violationstatus<50 records 1-50 should be considered for dashboard generation
if violationstatus>50 records 50-100 should be considered for dashboard generation

HOw to do it please help.?

Re: extracting events based on certain conditions

bhavneeshvohra — Tue, 13 Aug 2019 07:35:46 GMT

***edit*********

i want that if violationstatus is lessthan 50 records 1-50 should be considered for dashboard generation
i want that if violationstatus is greater than 50 records 50-100 should be considered for dashboard generation

Re: extracting events based on certain conditions

jpolvino — Tue, 13 Aug 2019 12:11:23 GMT

If the condition violationstatus<50 then how do you know which records represent 1-50? Are they numbered or otherwise labeled?

Re: extracting events based on certain conditions

Sukisen1981 — Tue, 13 Aug 2019 16:33:49 GMT

hi @bhavneeshvohra as @jpolvino says, this is a tricky one.
You can always have a search query as the first query without displaying it and calculate violationstatus into a token under tag
BUT
what is your first 50 rows? Is it the default 'latest first' way that splunk shows events or is the earliest event , event #1.
Once you provide us that, the rest can be done in the manner I suggested above