Re: extracting events based on certain conditions

bhavneeshvohra · ‎08-13-2019

HI all,

I am stuck in a scenario which has multiple conditions and i am unable to resolve it. Kindly Help!!!

I have data as follows:-
vin, cid, violationstatus,
abc,45,45
def ,56,76

i want that if violationstatus<50 records 1-50 should be considered for dashboard generation
if violationstatus>50 records 50-100 should be considered for dashboard generation

HOw to do it please help.?

bhavneeshvohra · ‎08-13-2019

***edit*********

i want that if violationstatus is lessthan 50 records 1-50 should be considered for dashboard generation
i want that if violationstatus is greater than 50 records 50-100 should be considered for dashboard generation

jpolvino · ‎08-13-2019

If the condition violationstatus<50 then how do you know which records represent 1-50? Are they numbered or otherwise labeled?

Sukisen1981 · ‎08-13-2019

hi @bhavneeshvohra as @jpolvino says, this is a tricky one.
You can always have a search query as the first query without displaying it and calculate violationstatus into a token under tag
BUT
what is your first 50 rows? Is it the default 'latest first' way that splunk shows events or is the earliest event , event #1.
Once you provide us that, the rest can be done in the manner I suggested above

extracting events based on certain conditions

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM