Eventtype or macros - Need Suggestion

himpor
Engager

Hi Everyone,

I need a suggestion on how to build the Splunk app or query.

The situation is:

  1. I have a list of cities (let's say around 1800 odd cities) (sourcetype, let's say, india)
  2. The cities are classified into multiple groups in separate CSVs which will be used for lookups:
    • statewise (i.e. cities clubbed according to region), around 28 files (let's say punjab.csv, which has the list of all cities of Punjab)
    • regionwise (east, west, north, south etc.), i.e. a list of cities clubbed together as a region

I need to perform queries to identify patterns statewise and regionwise, which requires filtering the larger set (i.e. the india data) into a smaller subset (i.e. region or state).

Is it advisable to create an eventtype for each state (Punjab, Haryana etc.) and region (north, south etc.), or to use a macro to filter the events, to achieve performance? Or possibly create data models if required?

1 Solution

woodcock
Esteemed Legend

Because the taxonomy never changes (or at least very rarely), I would use eventtypes with a specific structure (prefixes or suffixes, e.g. *.Region, *.City, *.State, etc.). Then you can say things like:

eventtype=SouthWestRegion OR eventtype=NorthRegion | stats sum(population) BY eventtype | search eventtype="*State"



woodcock
Esteemed Legend

Actually, this same approach would probably be best done with tags.
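Putting the two suggestions together, as an added example that is not part of the thread: structured eventtype names from the accepted answer, tags from the follow-up, and an automatic lookup to supply the state and region fields so that no eventtype search needs a pipe or a subsearch. Splunk runs automatic lookups before it evaluates event types (and event types before tags), which is what makes this work. The lookup name city_geo, the file city_geo.csv, the state and region values and the sourcetype india are assumptions for illustration; the CSV columns follow the lookup layout suggested elsewhere in the thread (city_name, state, region).

```ini
# Constructed example (not from the thread). Assumes a CSV city_geo.csv in the
# app's lookups directory with the columns: city_name, state, region
# and that raw events are sourcetype=india with a cityname field.

# --- transforms.conf ---
[city_geo]
filename = city_geo.csv
# Lookups are case-sensitive by default; a CSV row "Amritsar" will not match
# an event carrying "amritsar" unless this is turned off.
case_sensitive_match = false

# --- props.conf ---
# Automatic lookup: every sourcetype=india event gets state and region at
# search time, before eventtypes are evaluated.
[india]
LOOKUP-city_geo = city_geo city_name AS cityname OUTPUT state region

# --- eventtypes.conf ---
# Naming convention from the accepted answer: <Name>.State and <Name>.Region,
# so eventtype=*.State or eventtype=*.Region selects one whole level.
# Eventtype searches may not contain pipes or subsearches; filtering on the
# looked-up fields keeps them to a plain base search.
[Punjab.State]
search = sourcetype=india state="punjab"

[Haryana.State]
search = sourcetype=india state="haryana"

[North.Region]
search = sourcetype=india region="north"

[South.Region]
search = sourcetype=india region="south"

# --- tags.conf ---
# Tags let one event carry several labels. tag=north then matches every
# state eventtype in the north region without listing them in the search.
[eventtype=Punjab.State]
state = enabled
north = enabled

[eventtype=Haryana.State]
state = enabled
north = enabled

[eventtype=North.Region]
region = enabled
north = enabled

[eventtype=South.Region]
region = enabled
south = enabled
```

With this in place, `tag=north | stats sum(population) BY eventtype` sums population across every eventtype tagged north, and `eventtype=*.State` restricts a search to the per-state buckets. One caveat with `BY eventtype`: an event that matches several eventtypes (Punjab.State and North.Region here) has a multivalued eventtype field, so stats counts it once per matching value; a grand total over a mixed set of eventtypes will double-count unless you split by a single-valued field such as state or region instead.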

himpor
Engager

Yes, I agree tags will be the better option, as eventtypes can't be created with queries that have pipes and subsearches.

himpor
Engager

Thanks.

The requirement is like this:

  1. I have city data which has the following information:
  • cityname
  • population
  • men
  • women
  • numberofschools
  • numberofengcollege
  • numberofmedicalcollege
  2. Details of each state which has city data, for example "state rajasthan", i.e. rajasthan.csv (there are around 28 different states):
  • cityname
  • area_in_sq_km
  • primary_occupation (tourism, agri etc.)
  3. Details of regions:
  • region_name
  • statename
  • type_region (plain, hill etc.)

Now I need to analyse the city data and do some analysis to present it in the form of statewise or regionwise statistics.

Please suggest whether it is advisable to create eventtypes for states or to pass the details of cities as a macro,

but eventtypes can't be created with pipes and subsearches.

Requesting views on how to best use the available features.

sduff_splunk
Splunk Employee

I suggest you create a lookup and use that to enrich your events; I don't see an additional need to create an eventtype or macro.

Assuming your lookup looks like the following:

city_name, state, region

you can then do a search such as:

stats count by region

or

stats values(city_name) by state

to find all the cities in a particular state.

Using different commands with stats should provide you with additional information.
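A worked version of the lookup approach, as an added example (not the original poster's or Splunk's code). It assumes the events are sourcetype=india with the city fields listed in the thread (cityname, population, numberofschools), and that a lookup named city_geo is defined in transforms.conf over a CSV with the columns city_name, state, region; the lookup name and the UNMAPPED placeholder are assumptions for illustration.

```spl
sourcetype=india
| lookup city_geo city_name AS cityname OUTPUT state region
| fillnull value="UNMAPPED" state region
| stats sum(population) AS population, sum(numberofschools) AS schools, dc(cityname) AS cities BY region, state
| sort region, state

sourcetype=india
| lookup city_geo city_name AS cityname OUTPUT state region
| where isnull(state) OR isnull(region)
| stats values(cityname) AS unmapped_cities, count AS events
```

The first search gives the regionwise and statewise statistics directly from the enriched events. The fillnull step matters: stats BY drops any event whose group-by field is null, so a city missing from the CSV (or spelled differently, since CSV lookups are case-sensitive unless case_sensitive_match = false is set on the transforms.conf stanza) would otherwise vanish from the totals without warning. The second search lists exactly those cities so the CSV can be fixed, and is worth scheduling whenever the city list changes.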
