How to limit instance according to drop down value selected for date filter

aditsss
Motivator

Hi Team,

I have below query:

index="abc" sourcetype =$Regions$ source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| eval True=if(searchmatch("ebnc event balanced successfully"),"✔","")
| eval EBNCStatus="ebnc event balanced successfully"|dedup EBNCStatus
| table EBNCStatus True

I am deduping my EBNC status, so when I select the date filter as yesterday it's showing one count, but when I select 7 days from the date filter it's still showing one count.

I want that when I select 7 it should show 7 counts.

Can someone help me with this?

gcusello
SplunkTrust

Hi @aditsss,

sorry, but if you use a fixed (for all events) value for EBNCStatus, you'll always have only one value in this field, so when you dedup on this field, you'll always get one value!

Could you better describe your requirement?

Ciao.

Giuseppe

aditsss
Motivator

@gcusello

Currently when I am doing dedup and selecting last 7 days it's showing only one event.

I want that when I select last 7 days it should show that message 7 times.

When I select last 30 days it should show that message 30 times.

Can you help me with this?

gcusello
SplunkTrust

Hi @aditsss,

as I said, if you use a fixed (for all events) value for EBNCStatus, you'll always have only one value in this field, so when you dedup on this field, you'll always get one value!

Try deleting the dedup row and see what happens.

You could try to dedup on the EBNCStatus field and another field (e.g. day), something like this:

index="abc" sourcetype =$Regions$ source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| eval 
   True=if(searchmatch("ebnc event balanced successfully"),"✔",""),
   EBNCStatus="ebnc event balanced successfully",
   Day=strftime(_time,"%Y-%m-%d")
| dedup EBNCStatus Day
| table EBNCStatus True Day

Ciao.

Giuseppe

aditsss
Motivator

@gcusello

I have selected last 7 days,

but it's showing only 2 with the below query:

index="abc" sourcetype =$Regions$ source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| eval
True=if(searchmatch("ebnc event balanced successfully"),"✔",""),
EBNCStatus="ebnc event balanced successfully",
Day=strftime(_time,"%Y-%m-%d")
| dedup EBNCStatus Day
| table EBNCStatus True Day

aditsss
Motivator

@gcusello

Can you please guide me on this.

aditsss
Motivator

@gcusello

Apologies, the query is working but I am getting one additional row.

My query:

search index="abc" sourcetype =$Regions$ source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| eval True=if(searchmatch("ebnc event balanced successfully"),"✔","")
| eval EBNCStatus="ebnc event balanced successfully",Day=strftime(_time,"%Y-%m-%d")| dedup EBNCStatus Day
| table EBNCStatus True Day

(screenshot attached: aditsss_0-1694694520509.png)

gcusello
SplunkTrust

Hi @aditsss,

what's the name of the first column?

If it's "EBNCStatus", put the condition EBNCStatus=* at the end of the search.

Ciao.

Giuseppe

aditsss
Motivator

@gcusello

This query is not working for me:

index="abc" sourcetype =600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| eval True=if(searchmatch("ebnc event balanced successfully"),"✔","")
| eval EBNCStatus=*"ebnc event balanced successfully",Day=strftime(_time,"%Y-%m-%d")| dedup EBNCStatus Day
| table EBNCStatus True Day

gcusello
SplunkTrust

Hi @aditsss,

if you don't want the last row with some empty fields, you have to remove the empty lines.

You can do it knowing the name of the first column (which I don't know) and putting a rule (if the column is called "column1"):

index="abc" sourcetype =600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| eval True=if(searchmatch("ebnc event balanced successfully"),"✔","")
| eval EBNCStatus=*"ebnc event balanced successfully",Day=strftime(_time,"%Y-%m-%d")
| dedup EBNCStatus Day
| search column1=*
| table EBNCStatus True Day

Ciao.

Giuseppe

gcusello
SplunkTrust

Hi @aditsss,

if you don't want the last row with some empty fields, you have to remove the empty lines.

You can do it knowing the name of the first column (which I don't know) and putting a rule (if the column is called "column1"):

index="abc" sourcetype =600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| eval 
   True=if(searchmatch("ebnc event balanced successfully"),"✔",""),
   EBNCStatus="ebnc event balanced successfully",
   Day=strftime(_time,"%Y-%m-%d")
| dedup EBNCStatus Day
| search column1=*
| table EBNCStatus True Day

There is an asterisk outside the quotes in the second eval.

Ciao.

Giuseppe

gcusello
SplunkTrust

Hi @aditsss,

did you try my last answer?

Ciao.

Giuseppe

aditsss
Motivator

@gcusello

Yes, but with that I am only getting two messages.

I have selected last 7 days and I am getting only two.

I want that if I select last 7 it should show 7 messages,

and when I select yesterday it should show 1 message.

aditsss
Motivator

@gcusello

I tried the below query:

index=abc sourcetype =600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| eval True=if(searchmatch("ebnc event balanced successfully"),"✔","")
| eval EBNCStatus=*"ebnc event balanced successfully",Day=strftime(_time,"%Y-%m-%d")
| dedup EBNCStatus Day
| search column1=*
| table EBNCStatus True Day

Getting the below error:

Error in 'EvalCommand': The expression is malformed. An unexpected character is reached at '*"ebnc event balanced successfully",Day=strftime(_time,"%Y-%m-%d")'.

aditsss
Motivator

@gcusello

Where do I need to put this EBNCStatus=*?

Below is my query:

index="abc" sourcetype =600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| eval True=if(searchmatch("ebnc event balanced successfully"),"✔","")
| eval EBNCStatus="ebnc event balanced successfully",Day=strftime(_time,"%Y-%m-%d")| dedup EBNCStatus Day
| table EBNCStatus True Day

aditsss
Motivator

@gcusello

I tried with the below query, still one extra row is coming:

index="abc" sourcetype =$Regions$ source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| eval True=if(searchmatch("ebnc event balanced successfully"),"✔","")
| eval EBNCStatus="ebnc event balanced successfully",Day=strftime(_time,"%Y-%m-%d")| dedup EBNCStatus Day|search EBNCStatus=*
| table EBNCStatus True Day

gcusello
SplunkTrust

Hi @aditsss,

if you have an empty field using the table command, it means that you have incomplete data or that you have a space in that field.

Anyway, you can remove them using a different search, e.g. if all the EBNCStatus values start with "ebnc", you could use

| search EBNCStatus="ebnc*"

Ciao.

Giuseppe

aditsss
Motivator

@gcusello

Can you guide me with this query, how can I use it?

index="abc" sourcetype =$Regions$ source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| eval True=if(searchmatch("ebnc event balanced successfully"),"✔","")
| eval EBNCStatus="ebnc event balanced successfully",Day=strftime(_time,"%Y-%m-%d")| dedup EBNCStatus Day|search EBNCStatus=*
| table EBNCStatus True Day

gcusello
SplunkTrust

Hi @aditsss,

can you confirm that the values in the field EBNCStatus always start with "ebnc"?

If yes, please try this:

index="abc" sourcetype =$Regions$ source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| eval True=if(searchmatch("ebnc event balanced successfully"),"✔","")
| eval EBNCStatus="ebnc event balanced successfully",Day=strftime(_time,"%Y-%m-%d")| dedup EBNCStatus Day
| search EBNCStatus="ebnc*"
| table EBNCStatus True Day

Ciao.

Giuseppe

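For readers following the thread, here is a small Python model of the search pipeline discussed above, covering both the dedup-by-day suggestion and the later EBNCStatus="ebnc*" filter. It is an added example, not code from the thread or from Splunk, and every function name and sample log line in it is an assumption constructed for illustration. Run over four constructed log lines spread across a 7-day window, it shows why dedup on a constant EBNCStatus can only ever return one row, why dedup on EBNCStatus plus Day returns one row per day that actually logged the message (2 rows here, not 7: the dedup cannot produce rows for days with no events), and how a prefix search drops a row whose EBNCStatus field is empty.

```python
import re
from datetime import datetime, timezone

# Constructed sample log lines (not taken from the thread): four events in a 7-day
# window, three carrying the "balanced successfully" message on only two distinct days.
SAMPLE_LOG = """\
2023-09-10 02:15:07 INFO  ReadFileImpl - ebnc event balanced successfully
2023-09-10 02:15:09 INFO  ReadFileImpl - ebnc event balanced successfully
2023-09-13 02:14:58 INFO  ReadFileImpl - ebnc event balanced successfully
2023-09-13 02:16:01 WARN  ReadFileImpl - ebnc event balance check skipped
"""

MESSAGE = "ebnc event balanced successfully"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) +(\w+) +(.*)$")


def base_search(text, needle=MESSAGE):
    """Model of the base search: keep only lines containing the quoted message,
    with _time as epoch seconds and _raw as the original line (assumed field names)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or needle not in line:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        events.append({"_time": ts.timestamp(), "_raw": line})
    return events


def eval_fields(events):
    """Model of the eval stages from the thread: the searchmatch() tick mark,
    a constant EBNCStatus, and Day=strftime(_time,"%Y-%m-%d").
    Timezone is assumed UTC here; Splunk renders Day in the user's timezone."""
    rows = []
    for ev in events:
        row = dict(ev)
        row["True"] = "✔" if MESSAGE in ev["_raw"] else ""
        row["EBNCStatus"] = MESSAGE
        row["Day"] = datetime.fromtimestamp(ev["_time"], tz=timezone.utc).strftime("%Y-%m-%d")
        rows.append(row)
    return rows


def dedup(rows, *fields):
    """Model of | dedup f1 f2 ...: keep the first row for each distinct combination of values."""
    seen, kept = set(), []
    for row in rows:
        key = tuple(row.get(f, "") for f in fields)
        if key not in seen:
            seen.add(key)
            kept.append(row)
    return kept


def search_prefix(rows, field, prefix):
    """Model of | search field="prefix*": keep rows where the field is present and starts with prefix."""
    return [r for r in rows if str(r.get(field, "")).startswith(prefix)]


def table(rows, *cols):
    """Model of | table c1 c2 ...: project each row onto the listed columns."""
    return [{c: r.get(c, "") for c in cols} for r in rows]


def run_pipeline(text, dedup_fields):
    """The whole pipeline from the thread, parameterised on the dedup fields."""
    rows = eval_fields(base_search(text))
    rows = dedup(rows, *dedup_fields)
    rows = search_prefix(rows, "EBNCStatus", "ebnc")
    return table(rows, "EBNCStatus", "True", "Day")


if __name__ == "__main__":
    print("dedup EBNCStatus     ->", len(run_pipeline(SAMPLE_LOG, ("EBNCStatus",))), "row(s)")
    for r in run_pipeline(SAMPLE_LOG, ("EBNCStatus", "Day")):
        print("dedup EBNCStatus Day ->", r)
```

The model makes the thread's unstated point explicit: a dedup on EBNCStatus and Day yields one row per day on which the message was logged, so a 7-day window returns 7 rows only if all seven days produced the message; a row with an empty EBNCStatus is dropped by the prefix search because the field fails to start with "ebnc".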