Lowest single value from multiple fields

Path Finder

Dear experts!
I have a sourcetype that contains fields like this:
domain_field1=5
domain_field2=5
domain_field3=4
domain_field4=3

And I want to display the lowest number available. To make it more complicated, the number of fields can differ, but they will always be prefixed with "domain_".

So in the example above the value for the search would be "3".

Is this possible?

0 Karma
1 Solution

Path Finder

Need to declare the field first:

... | eval laggingdomains=0 | foreach domain_* [|eval laggingdomains=laggingdomains + (5 - '<<FIELD>>')] | table laggingdomains


Super Champion

Try this:

...|foreach domain_* [|eval domain_all=min('<<FIELD>>')]

The foreach statement will grab any field beginning with domain_ and eval the minimum value for all fields. https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/Foreach

0 Karma

Path Finder

I tried this one:

... | foreach domain_* [|eval laggingdomains=laggingdomains + (5 - '<<FIELD>>')] | table laggingdomains

That should give me the amount of domains missing (every count below 5 is one missing domain).

However, the table only contains NULL events. Any idea what I'm doing wrong?

0 Karma

Super Champion

When I ran this:

|makeresults | eval domain_field1=5| eval domain_field2=5| eval domain_field3=4| eval domain_field4=3|foreach domain_* [|eval domain_all=min('<<FIELD>>')]

domain_all came back with 3.
Can I see the query before you run the foreach command? Are you doing a `|stats latest(domain_*) as domain_*` first since you only want the most recent results?

0 Karma

Path Finder

Here's the final query that I used:

| eval laggingdomains=0 | foreach domain_* [|eval laggingdomains=laggingdomains + (5 - '<<FIELD>>')] | sort -_time | table laggingdomains | head 1

Each domain that is lagging behind will increment the counter by 1.

/Patrik

0 Karma

Path Finder

Thank you for your help. It was invaluable. 🙂

0 Karma

Path Finder

Thank you! I tried this, but the result was still 5. Want to clarify that I need to evaluate only for the latest event. Did not know that foreach was possible, will check that out.

0 Karma
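
The question as clarified in the thread (lowest value across all `domain_*` fields, latest event only), written out as an added example that is not from any of the posters: it keeps a running minimum inside `foreach` instead of reassigning the result on every field. The two events are constructed with `makeresults`, and the result field `lowest` is a name chosen here so that it does not match the `domain_*` wildcard.

```spl
| makeresults count=2
| streamstats count as n
| eval _time=_time - (n * 60)
| eval domain_field1=if(n=1, 5, 1), domain_field2=if(n=1, 3, 5), domain_field3=4, domain_field4=5
| sort - _time
| head 1
| foreach domain_* [ eval lowest=min(coalesce(lowest, '<<FIELD>>'), '<<FIELD>>') ]
| table _time domain_* lowest
```

On the constructed data the newest event holds 5, 3, 4, 5, so `lowest` is 3 even though the lowest field is not the last one; the older event's value of 1 is dropped by `head 1` before `foreach` runs.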