Re: Filter Data

pglover12 · ‎03-13-2021

I have a large list of data. I want to only see lines that include certain words. ie would be: Restart. I want to see all mins that are spent to restart a product. I want to create categories for certain words sum the the mins and have it in a pie chart. So the line item may say...restarted>RESTARTED>re started> etc. I want to captured the information in one section of the pie. I can do a google hangout if anyone would like to work with me on this.

gcusello · ‎03-13-2021

HI @pglover12,

you have to identify the words to use for data classification and use them, e.g.:

error: error, panic, critical

authentication: login, logout, logfail

etc...

your-search
| eval type=case(searchmatch("error","error", searchmatch("panic","error", searchmatch("critical","error", searchmatch("login","authentication", searchmatch("logout","authentication",searchmatch("logfail","authentication")
| stats count BY type

use this search as an approach for your searches.

Ciao.

Giuseppe

tscroggins · ‎03-13-2021

@pglover12

If you events do not include a duration, you'll need to calculate one from a start and end event. For example:

Mar 13 00:23:00 host1 food: Restarted.
Mar 13 00:15:00 host1 food: Restarting...

where host=host1 and process=food.

host=* process=* Restarting Restarted
| transaction host process startswith=Restarting endswith=Restarted
| eval duration_mins=duration / 60
| eval category=host.":".process
| stats sum(duration_mins) by category

You can include multiple variations on start and end indicators.

The transaction command doesn't necessarily scale well, but a more detailed example of your source data would be required to provide a more scalable solution.

Filter Data

chart

other

panel

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!