Eventtype or macros - Need Suggestion

New Member

Hi Everyone,

I need a suggestion on how to build the Splunk app or query.

The situation is:

  1. I have a list of cities (let's say around 1800-odd cities) (source type, let's say, india)
  2. The cities are classified into multiple groups in separate CSVs which will be used for lookups:
    • statewise (i.e. cities clubbed according to region), around 28 files (let's say punjab.csv, which has a list of all cities of Punjab)
    • regionwise (east, west, north, south etc.), i.e. a list of cities clubbed together as a region

I need to perform queries to identify patterns statewise and regionwise, which requires filtering the larger set (i.e. the india data) down to a smaller subset (i.e. a region or state).

Is it advisable to create an eventtype for each state (like punjab, haryana etc.) and region (north, south etc.), or
to use a macro to filter the events,

to achieve performance? Or possibly create data models if required.

0 Karma
1 Solution

Esteemed Legend

Because the taxonomy never changes (or at least very rarely), I would use eventtypes with a specific structure (prefixes or suffixes, e.g. *.Region, *.City, *.State, etc.). Then you can say things like:

eventtype=SouthWestRegion OR eventtype=NorthRegion | stats sum(population) BY eventtype | search eventtype="*State"

0 Karma

Esteemed Legend

Actually, this same approach would probably best be done with tags.

0 Karma
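The eventtype naming convention from the accepted answer and the tags alternative from the follow-up, written out as Splunk configuration. This is an added example, not configuration from the thread. It assumes the poster's sourcetype india and field cityname, and an assumed lookup file city_state_region.csv with the columns cityname, state, region; the stanza and tag names (Punjab_State, North_Region, the tags state and region) are illustrative. Because an eventtype search may not contain pipes or subsearches, the per-state city lists are applied through an automatic lookup, which Splunk evaluates before eventtypes and tags at search time, so each eventtype only has to test the enriched field.

```conf
# transforms.conf  (added example; city_state_region.csv is an assumed lookup
# file with the columns cityname,state,region)
[city_state_region]
filename = city_state_region.csv
# Match "Ludhiana" and "ludhiana" alike. The default match is case-sensitive,
# and a miss does not error: it just leaves state/region empty, so the city
# silently drops out of every statewise total.
case_sensitive_match = false

# props.conf  (automatic lookup on the poster's sourcetype; search-time lookups
# run before eventtypes and tags are evaluated)
[india]
LOOKUP-city_state_region = city_state_region cityname OUTPUT state region

# eventtypes.conf  (suffix convention from the answer: *_State and *_Region;
# pipes and subsearches are not allowed here, hence the lookup above)
[Punjab_State]
search = sourcetype=india state=punjab

[Haryana_State]
search = sourcetype=india state=haryana

[North_Region]
search = sourcetype=india region=north

# tags.conf  (tags alternative from the follow-up: one tag per state and per
# region plus a level tag, so a search can say tag=north tag=state)
[eventtype=Punjab_State]
punjab = enabled
north = enabled
state = enabled

[eventtype=Haryana_State]
haryana = enabled
north = enabled
state = enabled

[eventtype=North_Region]
north = enabled
region = enabled
```

With this in place the answer's search becomes `sourcetype=india tag=north | stats sum(population) BY eventtype | search eventtype="*_State"`; an event that matches both a state and a region eventtype carries a multivalued eventtype field, and `stats BY eventtype` splits it into one row per value, which is why the trailing `search` is needed to keep only the state rows. Before trusting any total, run `sourcetype=india NOT state=*`: it lists the cities the lookup failed to map, and with the taxonomy this static that list should be empty.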

New Member

Yes, I agree tags will be the better option.

As eventtypes can't be created with queries containing pipes and subsearches.

0 Karma

New Member

Thanks.

The requirement is like this:

  1. I have details of city data which has the following information:
    • cityname
    • population
    • men
    • women
    • numberofschools
    • numberofengcollege
    • numberofmedicalcollege
  2. Details of state, which has city data, e.g. "state rajasthan", i.e. rajasthan.csv (there are around 28 different states):
    • cityname
    • area_in_sq_km
    • primary_occupation (tourism, agri etc.)
  3. Details of region:
    • region_name
    • statename
    • type_region (plain, hill etc.)

Now I need to analyse the city data and do some analysis to represent it in the form of statewise or regionwise statistics.

Please suggest whether it is advisable to create eventtypes for each state, or to pass the details of cities as a macro.

But eventtypes can't be created with pipes and subsearches.

Requesting views on how to best use the available features.

0 Karma

Splunk Employee

I suggest you create a lookup and use that to enrich your events; I don't see the additional need to create an eventtype or macro.

Assuming your lookup looks like the following:

city_name, state, region

You can then do a search such as

stats count by region

or

stats values(city_name) by state

to find all the cities in a particular state.

Using different commands with stats should provide you additional information.
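An added example, not part of the answer, that builds the single city/state/region lookup the answer assumes from the poster's own files and then uses it; it goes beyond the answer's `stats count by region` by aggregating the poster's numeric fields. It assumes the per-state files are named punjab.csv, haryana.csv, and so on with a cityname column, that regions.csv carries the poster's region_name and statename columns with statename values in the same lowercase form as the state values set here, that the sourcetype is india, and that city_state_region.csv is the assumed output file (referenced by filename, which works for CSV lookups; use the lookup definition name instead if one is defined). SPL has no line-comment syntax that survives inside this fence, so the four searches are explained below.

```spl
| inputlookup punjab.csv | eval state="punjab"
| append [ | inputlookup haryana.csv | eval state="haryana" ]
| lookup regions.csv statename AS state OUTPUT region_name AS region
| table cityname state region
| outputlookup city_state_region.csv

sourcetype=india
| lookup city_state_region.csv cityname OUTPUT state region
| stats sum(population) AS population, sum(men) AS men, sum(women) AS women, sum(numberofschools) AS schools, dc(cityname) AS cities BY region

sourcetype=india
| lookup city_state_region.csv cityname OUTPUT state region
| search region=north
| stats sum(population) AS population, sum(numberofengcollege) AS eng_colleges, values(cityname) AS cities BY state

sourcetype=india
| lookup city_state_region.csv cityname OUTPUT state region
| where isnull(state)
| stats values(cityname) AS unmapped_cities
```

The first search is run once: each per-state file contributes its cities with the state name stamped on by `eval`, one `append` per remaining file, the region is joined in from regions.csv, and the result is written out as the lookup the answer describes. The second search is the answer's regionwise statistic on the poster's real fields, and the third narrows to one region and breaks the totals down by state, which replaces the per-state eventtype or macro the poster asked about. The fourth is the check to run before publishing any of it: a city that the lookup does not map comes back with no state field and vanishes from every statewise total without any error, so `unmapped_cities` should be empty. Lookup matching is case-sensitive by default, so a spelling or capitalisation difference between the india events and the CSVs shows up there first.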
