topic Re: How to give threshold values dynamically in the search query in Splunk Search

How to give threshold values dynamically in the search query

deepthi5 — Tue, 29 Sep 2020 07:06:08 GMT

Hi Team,

I have got different sites seperated according to the tiers having different threshold values
Ex

Mumbai-Tier1

Cebu Tier2
Gurgoan tier2

Hyderabad Tier 3

Tier threshold valu=70%
Tier threshold value=80%
Tier 3 threshold valu=90%

Right now i have a combo box from whihc i can select a tier and my chart will display graphs for sites in that tier
but now i want how many sites network consumption is excedding particaular threshold how can i change according to the tier selected

Here is search query where i want to change my threshold according to the tier slected in the combo box

source="C:\Network Analysis\tier1\rusxwalmartedc S0-0-0.csv" OR source="C:\Network Analysis\tier1\rdinmumbai010-7-1 S2-0.csv" OR source="C:\Network Analysis\tier1\rdgbreddit010-1-2 Gig0-2.csv" OR source="C:\Network Analysis\tier2\rdingurgao010-5-1 f0-1.csv" OR source="C:\Network Analysis\tier3\rdinsecund010-5-2 Gig0-0.csv" OR source="C:\Network Analysis\tier2\rdphcebu010-5-1 f0-2-0.csv"host="SEZ00VVM-153" sourcetype="csv" | rex field=source "(?<country>.?)$"|lookup datacentre.csv country OUTPUT receivebandwidth sitename tier|search tier=tier1|eval Intraffic=IN/1048576 |eval Outtraffic=Out/1048576|eval result=(Intraffic)+(Outtraffic)|eval seventyperc= receivebandwidth*0.7 |eval eightyperc=receivebandwidth*0.8 |eval nightyperc=receivebandwidth*0.9|where result>seventyperc*|stats Values(result) AS Inout,values(seventyperc) AS 70%,Values(eightyperc) AS 80%,values(nightyperc) AS 90%,values(receivebandwidth) as 100% count as nc by sitename _time |bin _time span=1d|stats sum(nc) as NOC by sitename _time|eval NOH =NOC*5/60|timechart span=1d values(NOH) AS total by sitename

Re: How to give threshold values dynamically in the search query

gcato — Mon, 24 Aug 2015 02:44:55 GMT

Hi deepthi5,

I believe what you're looking for is the ability to define new tokens based on the conditional input choices. The Splunk documentation has a good example here:

http://docs.splunk.com/Documentation/Splunk/6.2.5/Viz/PanelreferenceforSimplifiedXML#condition_.28input.29

Here's a run anywhere example also...

<form>
  <label>Language</label>
  <fieldset submitButton="false">
    <input type="radio" token="myChoice" searchWhenChanged="true">
      <label>Language Choice</label>
      <choice value="lang1">English</choice>
      <choice value="lang2">Spanish</choice>
      <choice value="lang3">French</choice>
      <change>
        <condition label="English">
          <set token="myConditionalChoice">"Hello, world"</set>
          <set token="mylang">English</set>
        </condition>
        <condition label="Spanish">
          <set token="myConditionalChoice">"Hola mundo"</set>
          <set token="mylang">Espagnol</set>
        </condition>
        <condition value="lang3">
          <set token="myConditionalChoice">"Bonjour le monde"</set>
          <set token="mylang">Français</set>
        </condition>
      </change>
      <default>lang1</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>
          | stats count |eval greeting=$myConditionalChoice|s$ | eval out = "$mylang$" . ": " . greeting | fields out
         </query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>

Hopefully, you'll be able use these example to modify your search form to match your needs.

Re: How to give threshold values dynamically in the search query

woodcock — Thu, 27 Aug 2015 13:35:30 GMT

Add a case statement like this:

... | eval thresholdValue=case(tier="tier1", 70, tier="tier2", 80 , tier="tier3", 90, true(), 0) | ...

So it would be like this:

source="C:Network Analysistier1rusxwalmartedc S0-0-0.csv" OR source="C:Network Analysistier1rdinmumbai010-7-1 S2-0.csv" OR source="C:Network Analysistier1rdgbreddit010-1-2 Gig0-2.csv" OR source="C:Network Analysistier2rdingurgao010-5-1 f0-1.csv" OR source="C:Network Analysistier3rdinsecund010-5-2 Gig0-0.csv" OR source="C:Network Analysistier2rdphcebu010-5-1 f0-2-0.csv"host="SEZ00VVM-153" sourcetype="csv" | rex field=source "(?<country>.*?)$"|lookup datacentre.csv country OUTPUT receivebandwidth sitename tier|search tier=tier1|eval Intraffic=IN/1048576 |eval Outtraffic=Out/1048576|eval result=(Intraffic)+(Outtraffic)|eval seventyperc= receivebandwidth*0.7 |eval eightyperc=receivebandwidth*0.8 |eval nightyperc=receivebandwidth*0.9 | eval thresholdValue=case(tier="tier1", 70, tier="tier2", 80 , tier="tier3", 90, true(), 0) | where result>thresholdValue |stats Values(result) AS Inout,values(seventyperc) AS 70%,Values(eightyperc) AS 80%,values(nightyperc) AS 90%,values(receivebandwidth) as 100% count as nc by sitename _time |bin _time span=1d|stats sum(nc) as NOC by sitename _time|eval NOH =NOC*5/60|timechart span=1d values(NOH) AS total by sitename

Re: How to give threshold values dynamically in the search query

deepthi5 — Tue, 01 Sep 2015 06:37:31 GMT

that worked thank u so much ...