Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to limit instance according to drop down value selected for date filter

aditsss
Motivator
‎09-14-2023 01:55 AM

Hi Team,

I have below query:

index="abc" sourcetype =$Regions$ source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| eval True=if(searchmatch("ebnc event balanced successfully"),"✔","")
| eval EBNCStatus="ebnc event balanced successfully"|dedup EBNCStatus
| table EBNCStatus True

I am deduping my EBNC status so when I am selecting date Filter as yesterday its showing one count but when I am selecting 7 days from date filter still showing one count.

I want when I select 7 its should show 7 count . 

Can someone help me with this,

Labels (3)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-14-2023 02:07 AM

Hi @aditsss,

sorry, but if you use a fixed (for all events) value for EBNCStatus, you'll have always only one value in this field, so when you'll dedup for this field, you'll always have one value!

Could you better describe your requirement?

Ciao.

Giuseppe

0 Karma
Reply

aditsss
Motivator
‎09-14-2023 03:07 AM

@gcusello 

 

Currently when I am doing  dedup and selecting last 7 days its showing only event.

I want when I select last 7 days it should show 7 times that message.

when I select last 30 days it should 30 times that message.

Can you help me with this.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-14-2023 03:09 AM

Hi @aditsss,

as I said, if you use a fixed (for all events) value for EBNCStatus, you'll have always only one value in this field, so when you'll dedup for this field, you'll always have one value!

try to delete the dedup row and see what  happens.

You could try to dedup for the EBNCStatus field and another field (e.g. day), something like this:

index="abc" sourcetype =$Regions$ source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| eval 
   True=if(searchmatch("ebnc event balanced successfully"),"✔",""),
   EBNCStatus="ebnc event balanced successfully",
   Day=strftime(_time,"%Y-%m-%d")
| dedup EBNCStatus Day
| table EBNCStatus True Day

Ciao.

Giuseppe

0 Karma
Reply

aditsss
Motivator
‎09-14-2023 03:28 AM

@gcusello 

I have selected last 7 days 

but its showing only 2 with below query

index="abc" sourcetype =$Regions$ source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| eval
True=if(searchmatch("ebnc event balanced successfully"),"✔",""),
EBNCStatus="ebnc event balanced successfully",
Day=strftime(_time,"%Y-%m-%d")
| dedup EBNCStatus Day
| table EBNCStatus True Day

0 Karma
Reply

aditsss
Motivator
‎09-14-2023 05:10 AM

@gcusello 

 

Can you please guide me on this .

0 Karma
Reply

aditsss
Motivator
‎09-14-2023 05:28 AM

@gcusello 

Apologies the query is working but I am getting one additional row .

My query:

search index="abc" sourcetype =$Regions$ source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| eval True=if(searchmatch("ebnc event balanced successfully"),"✔","")
| eval EBNCStatus="ebnc event balanced successfully",Day=strftime(_time,"%Y-%m-%d")| dedup EBNCStatus Day
| table EBNCStatus True Day

 

aditsss_0-1694694520509.png

 

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-14-2023 06:13 AM

Hi @aditsss ,

what's the name of the first column?

if it's "EBNCStatus", put the condition EBNCStatus=* at the end of the search.

Ciao.

Giuseppe

0 Karma
Reply

aditsss
Motivator
‎09-14-2023 07:14 AM

@gcusello 

This query is not working for me

index="abc" sourcetype =600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| eval True=if(searchmatch("ebnc event balanced successfully"),"✔","")
| eval EBNCStatus=*"ebnc event balanced successfully",Day=strftime(_time,"%Y-%m-%d")| dedup EBNCStatus Day
| table EBNCStatus True Day

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-14-2023 07:59 AM

Hi @aditsss,

if you don't want the last row with some empty fields, you have to remove empty lines.

You can do it knowing the name of the first column (that I don't know) and poning a rule (if the column is called "column1":

index="abc" sourcetype =600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| eval True=if(searchmatch("ebnc event balanced successfully"),"✔","")
| eval EBNCStatus=*"ebnc event balanced successfully",Day=strftime(_time,"%Y-%m-%d")
| dedup EBNCStatus Day
| search column1=*
| table EBNCStatus True Day

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-14-2023 11:17 PM

Hi @aditsss,

if you don't want the last row with some empty fields, you have to remove empty lines.

You can do it knowing the name of the first column (that I don't know) and poning a rule (if the column is called "column1":

index="abc" sourcetype =600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| eval 
   True=if(searchmatch("ebnc event balanced successfully"),"✔",""),
   EBNCStatus="ebnc event balanced successfully",
   Day=strftime(_time,"%Y-%m-%d")
| dedup EBNCStatus Day
| search column1=*
| table EBNCStatus True Day

there is an asterisk outside the quotes in the second eval.

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-14-2023 05:14 AM

Hi @aditsss,

did you try my last answer?

Ciao.

Giuseppe

0 Karma
Reply

aditsss
Motivator
‎09-14-2023 05:17 AM

@gcusello 

yes but with that I am only getting two message 

I have selected last 7 days and I am getting only two.

I want if I select last 7 it should show 7 message 

when I select yesterday it should show 1 message.

0 Karma
Reply

aditsss
Motivator
‎09-14-2023 09:29 AM

@gcusello 

I tried below query

index=abc sourcetype =600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| eval True=if(searchmatch("ebnc event balanced successfully"),"✔","")
| eval EBNCStatus=*"ebnc event balanced successfully",Day=strftime(_time,"%Y-%m-%d")
| dedup EBNCStatus Day
| search column1=*
| table EBNCStatus True Day

Getting below error

Error in 'EvalCommand': The expression is malformed. An unexpected character is reached at '*"ebnc event balanced successfully",Day=strftime(_time,"%Y-%m-%d")'.

0 Karma
Reply

aditsss
Motivator
‎09-14-2023 07:53 AM

@gcusello 

where I need to put this EBNCStatus=* 

Below is my query:

index="abc" sourcetype =600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| eval True=if(searchmatch("ebnc event balanced successfully"),"✔","")
| eval EBNCStatus="ebnc event balanced successfully",Day=strftime(_time,"%Y-%m-%d")| dedup EBNCStatus Day
| table EBNCStatus True Day

0 Karma
Reply

aditsss
Motivator
‎09-19-2023 03:28 AM

@gcusello 

I tried with below query still one extra row is coming

index="abc" sourcetype =$Regions$ source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| eval True=if(searchmatch("ebnc event balanced successfully"),"✔","")
| eval EBNCStatus="ebnc event balanced successfully",Day=strftime(_time,"%Y-%m-%d")| dedup EBNCStatus Day|search EBNCStatus=*
| table EBNCStatus True Day

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-19-2023 03:38 AM

Hi @aditsss,

if you have an empty field using the table command means that you have incomplete data or that you have a space in that field.

anyway, you can remove them using a different search, e.g. if all the EBNCStatus values starts with "ebnc, you could use 

| search EBNCStatus="ebnc*"

Ciao.

Giuseppe

0 Karma
Reply

aditsss
Motivator
‎09-19-2023 05:39 AM

@gcusello 

Can you guide me with this query how can I use it

index="abc" sourcetype =$Regions$ source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| eval True=if(searchmatch("ebnc event balanced successfully"),"✔","")
| eval EBNCStatus="ebnc event balanced successfully",Day=strftime(_time,"%Y-%m-%d")| dedup EBNCStatus Day|search EBNCStatus=*
| table EBNCStatus True Day

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-19-2023 06:01 AM

Hi @aditsss,

can you confirm that the values in the field EBNCStatus always starts with "ebnc"?

if yes, please try this:

index="abc" sourcetype =$Regions$ source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| eval True=if(searchmatch("ebnc event balanced successfully"),"✔","")
| eval EBNCStatus="ebnc event balanced successfully",Day=strftime(_time,"%Y-%m-%d")| dedup EBNCStatus Day
| search EBNCStatus="ebnc*"
| table EBNCStatus True Day

 Ciao.

Giuseppe

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...