topic Re: Using input file but only want select results returned in Splunk Search

Using input file but only want select results returned

bullbasin — Wed, 27 Mar 2024 20:43:24 GMT

I have a dashboard where I have 4 multi select boxes and a input file with all possible results for each app. When there are no results for an app it is sent as a 100%. Problem is that the results have all apps and ignore the multi-select because of the input file. Below is the code....

data.environment.application	data.environment.environment	data.environment.stack	data.componentId
app1	prod	AZ	Acomp
app1	prod	AZ	Bcomp
app2	uat	AW	Zcomp
app2	uat	AW	Ycomp
app2	uat	AW	Xcomp
app3	prod	GC	Mcomp

index=MINE data.environment.application="app2" data.environment.environment="uat" | eval estack="AW" | fillnull value="uat" estack data.environment.stack | where 'data.environment.stack'=estack | streamstats window=1 current=False global=False values(data.result) AS nextResult BY data.componentId | eval failureStart=if((nextResult="FAILURE" AND 'data.result'="SUCCESS"), "True", "False"), failureEnd=if((nextResult="SUCCESS" AND 'data.result'="FAILURE"), "True", "False") | transaction data.componentId, data.environment.application, data.environment.stack startswith="failureStart=True" endswith="failureEnd=True" maxpause=15m | stats sum(duration) as downtime by data.componentId | inputlookup append=true all_env_component.csv | fillnull value=0 | addinfo | eval uptime=(info_max_time - info_min_time)-downtime, avail=(uptime/(info_max_time - info_min_time))*100, downMins=round(downtime/60, 0) | rename data.componentId AS Component, avail AS Availability | fillnull value=100 Availability | dedup Component | table Component, Availability

Thank you in advance for the help.

Re: Using input file but only want select results returned

yuanliu — Thu, 28 Mar 2024 04:10:38 GMT

I cannot get a sense of this question.

What is that data table at the beginning of this post supposed to be?
Right before inputlookup, you have a stats command that reduces data fields to downtime and data.componentId. I assume that everything above inputlook is working as expected. If this is the case, please just post sample/mock values of downtime and data.componentId and ignore anything about app and input selection. (See below.)
What fields (columns) are in this all_env_component.csv file? And how is this file useful to what you wanted in the end?
What exact is it that you wanted in the end? By this, I mean what does "4 multi select boxes" have to do with this question? Your search does not use a single token. This means that none of these selections should have any effect of results.

In short, you need to post data input - you can post just sample/mock values downtime- data.componentId pairs; explain what is in that lookup file, provide some sample/mock values. Then, explain what you are trying to do after that inputlookup, illustrate what your expected results look like from the sample/mock input values, and the logic between the input and desired results.

These are the basis of an answerable question in a forum about data analytics.

Re: Using input file but only want select results returned

bullbasin — Thu, 28 Mar 2024 09:40:39 GMT

Here are the answers to your questions....

1. It is the input file for the apps,

all_env_component.csv

2. Yes it works correctly.

data.componentId	downtime
Ycomp	322.186934
Zcomp	300.23822
Xcomp	645.415504

3. The fields are,

data.environment.application

data.environment.environment

data.environment.stack

data.componentId

4. This is an availability dashboard. The initial problemwas aby data.componentId that had 0 downtime would not show in the results, NULL. This was fixed by adding an input file but then it was showing all the data.componentId and downtime. The desired result is to just display only the data.componentId and downtime for the single data.environment.application choosen in the drop down. Below is the original query that would not display anything with 100% uptime.

index=MINE data.environment.application="app2" data.environment.environment="uat"
| eval estack="AW"
| fillnull value="uat" estack data.environment.stack
| where 'data.environment.stack'=estack
| streamstats window=1 current=False global=False values(data.result) AS nextResult BY data.componentId
| eval failureStart=if((nextResult="FAILURE" AND 'data.result'="SUCCESS"), "True", "False"), failureEnd=if((nextResult="SUCCESS" AND 'data.result'="FAILURE"), "True", "False")
| transaction data.componentId, data.environment.application, data.environment.stack startswith="failureStart=True" endswith="failureEnd=True" maxpause=15m
| stats sum(duration) as downtime by data.componentId
| addinfo
| eval uptime=(info_max_time - info_min_time)-downtime, avail=(uptime/(info_max_time - info_min_time))*100, downMins=round(downtime/60, 0)
| rename data.componentId AS Component, avail AS Availability
| table Component, Availability

Re: Using input file but only want select results returned

bullbasin — Mon, 01 Apr 2024 09:09:11 GMT

Let me know if anything else is needed

Re: Using input file but only want select results returned

bullbasin — Tue, 02 Apr 2024 11:43:52 GMT

any further input after answering your questions?