Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to fetch different values from same logs

aditsss
Motivator
‎08-08-2023 12:36 PM

Hi All,

I have two raw logs and I want to fetch the value inside it:

2023-08-08 10:25:48.407 [INFO ] [Thread-3] CollateralProcessor - Statistic Cache loaded with stats for first run of Collateral Balancing with statisticData: StatisticData [selectedDataSet=0, rejectedDataSet=0, totalOutputRecords=0, totalInputRecords=0, fileSequenceNum=0, fileHeaderBusDt=null, busDt=08/06/2023, fileName=SETTLEMENT_TRANSFORM_COLLATERAL_LENDING, totalAchCurrOutstBalAmt=2.722379487286E10, totalAchBalLastStmtAmt=2.722379487286E10, totalClosingBal=2.722379487286E10, sourceName=null, version=0, associationStats={}]

2023-08-08 10:25:40.069 [INFO ] [Thread-3] CollateralProcessor - Statistic Cache loaded with stats for first run of Collateral Balancing with statisticData: StatisticData [selectedDataSet=0, rejectedDataSet=0, totalOutputRecords=0, totalInputRecords=0, fileSequenceNum=0, fileHeaderBusDt=null, busDt=08/06/2023, fileName=SETTLEMENT_TRANSFORM_COLLATERAL_CHARGE, totalAchCurrOutstBalAmt=4.81457540293E9, totalAchBalLastStmtAmt=4.81457540293E9, totalClosingBal=4.81457540293E9, sourceName=null, version=0, associationStats={}]

But the issue is I am not able to create separately its taking one only:

My query:

index="abc*" sourcetype =600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" "CollateralProcessor - Statistic Cache loaded with stats for first run of Collateral Balancing with statisticData: StatisticData"|rex " CollateralProcessor - Statistic Cache loaded with stats for first run of Collateral Balancing with statisticData: StatisticData busDt=(?<busDt>),fileName=(?<fileName>),totalAchCurrOutstBalAmt=(?<totalAchCurrOutstBalAmt>)"|table busDt fileName totalAchCurrOutstBalAmt|sort busDt

Result:

ResultPNG.PNG

I want to create separately for SETTLEMENT_TRANSFORM_COLLATERAL_LENDING and ETTLEMENT_TRANSFORM_COLLATERAL_CHARGE.

Please help.

 

Labels (2)
Labels
0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎08-08-2023 02:52 PM

What is it that you're wanting do to with those? ( SETTLEMENT_TRANSFORM_COLLATERAL_LENDING and ETTLEMENT_TRANSFORM_COLLATERAL_CHARGE.)

It sounds like you might be wanting to use | stats instead of table.

Something like

| stats values(busDt) AS busDt, sum(totalAchCurrOutstBalAmt) AS sumOftotalAchCurrOutstBalAmt by fileName
0 Karma
Reply

aditsss
Motivator
‎08-08-2023 06:25 PM

@livehybrid 

I want SETTLEMENT_TRANSFORM_COLLATERAL_LENDING complete data (complete row) in one panel and 

TTLEMENT_TRANSFORM_COLLATERAL_CHARGE in one panel complete data(complete row)

Currently it is coming one after the other as show in in screenshot.

0 Karma
Reply

aditsss
Motivator
‎08-09-2023 01:04 PM

@livehybrid 

Currently data is coming like this one for SETTLEMENT_TRANSFORM_COLLATERAL_LENDING and other for

SETTLEMENT_TRANSFORM_COLLATERAL_CHARGE :

busDt                    fileName                                                                                             totalAchCurrOutstBalAmt
08/01/2023      SETTLEMENT_TRANSFORM_COLLATERAL_LENDING       27428341042.73
08/01/2023       SETTLEMENT_TRANSFORM_COLLATERAL_CHARGE     4799455740.08
08/02/2023     SETTLEMENT_TRANSFORM_COLLATERAL_LENDING     27349645649.9
08/02/2023     SETTLEMENT_TRANSFORM_COLLATERAL_CHARGE     4820435720.81

I want data like this:

busDt                    fileName                                                                                             totalAchCurrOutstBalAmt
08/01/2023      SETTLEMENT_TRANSFORM_COLLATERAL_LENDING       27428341042.73

08/02/2023     SETTLEMENT_TRANSFORM_COLLATERAL_LENDING     27349645649.9

08/02/2023     SETTLEMENT_TRANSFORM_COLLATERAL_CHARGE     4820435720.81

08/01/2023       SETTLEMENT_TRANSFORM_COLLATERAL_CHARGE     4799455740.08

All lending data should come first then charge data 

I want to create separate panels for them.

 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎08-10-2023 01:05 AM

Hi

you must edit your dashboard code to add post-process searches into it. Here is link to instructions. https://docs.splunk.com/Documentation/Splunk/latest/Viz/Savedsearches#Post-process_searches_2

Just use your current query as a base search and in panels you just add post-process search like 

| where fileName = "SETTLEMENT_TRANSFORM_COLLATERAL_LENDING"

and same on next panel. 

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...