Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Filter Data

pglover12
New Member
‎03-13-2021 02:37 PM

I have a large list of data.  I want to only see lines that include certain words.  ie would be: Restart.  I want to see all mins that are spent to restart a product.  I want to create categories for certain words sum the the mins and have it in a pie chart.  So the line item may say...restarted>RESTARTED>re started> etc.  I want to captured the information in one section of the pie.  I can do a google hangout if anyone would like to work with me on this.

Labels (2)
Labels
Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-13-2021 11:15 PM

HI @pglover12,

you have to identify the words to use for data classification and use them, e.g.:

error: error, panic, critical

authentication: login, logout, logfail

etc...

your-search
| eval type=case(searchmatch("error","error", searchmatch("panic","error", searchmatch("critical","error", searchmatch("login","authentication", searchmatch("logout","authentication",searchmatch("logfail","authentication")
| stats count BY type

use this search as an approach for your searches.

Ciao.

Giuseppe

0 Karma
Reply

tscroggins
Champion
‎03-13-2021 03:00 PM

@pglover12 

If you events do not include a duration, you'll need to calculate one from a start and end event. For example:

Mar 13 00:23:00 host1 food: Restarted.
Mar 13 00:15:00 host1 food: Restarting...

where host=host1 and process=food.

host=* process=* Restarting Restarted
| transaction host process startswith=Restarting endswith=Restarted
| eval duration_mins=duration / 60
| eval category=host.":".process
| stats sum(duration_mins) by category

You can include multiple variations on start and end indicators.

The transaction command doesn't necessarily scale well, but a more detailed example of your source data would be required to provide a more scalable solution.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

In today’s data-heavy environment, organizations are caught in a data distribution dilemma. As data volumes ...

GA: New Data Management App in Splunk Platform

Streamlining Data Management: Introducing a unified experience in Splunk Managing data at scale shouldn’t feel ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...