comparing values of same field for duplicate

ramyaashok
New Member

Hi,

I am creating a dashboard like below, and want to check for duplicates in a particular column.

The table is how the dashboard will look initially, and later, if the file value is "adcdefghi", I want the status to be changed to data collected. Could anyone help me with this?

| app | file | status |
|-----|------|--------|
| one | abcdefghi | waiting for data |
| two | jklmnopq | waiting for data |

0 Karma

t_shreya
Path Finder

Hi @ramyaashok 

I think you can use eventstats to calculate the number of occurrences of 'file' and then use eval to check if they are greater than 1 to set the status column as 'Data collected'. It would look something like this:

... | eventstats count as duplicates by file
| eval status = if(duplicates>1,"Data collected","waiting for data")
| table app, file, status

 

0 Karma

ramyaashok
New Member

Thanks Shreya, it worked.

I had one more doubt as well. Please have a look if you could help.

| job | time | file | status |
|-----|------|------|--------|
| one | 10:50 | abc | waiting |
| two | 11:30 | def | waiting |
| three | 11:45 | hij | Waiting |

 

Now, if there is a job four that is going to have the file name "def", I don't want it to be added on the next line. Instead I want it like table 2 below. If the file name is the same, I want the status to be changed to collected and the other values added to the table horizontally.

 

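| job | time | file | status | job2 | time2 |
|-----|------|------|--------|------|-------|
| one | 10:50 | abc | waiting | | |
| two | 11:30 | def | collected | four | 12:00 |
| three | 11:45 | hij | waiting | | |
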
0 Karma

t_shreya
Path Finder

Hi @ramyaashok ,

I'm not sure how to create a table exactly in the way that you want.

But it is possible to create a table in the following format:

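| file | status | name_of_job1 | name_of_job2 | name_of_job_3 | name_of_job_4 |
|------|--------|--------------|--------------|---------------|---------------|
| abc | waiting | time_of_job1 | | | |
| def | collected | | time_of_job2 | | time_of_job4 |
| hij | waiting | | | time_of_job3 | |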

 

by using the following query:

your_results| eventstats count as duplicates by file
| eval status = if(duplicates>1,"Data collected","waiting for data")
| table file, status
| join file
    [| search your_results
    | chart values(_time) over file by job limit=10]

You can increase/decrease the limit parameter to put a threshold on the number of columns to be shown.

0 Karma
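
A run-anywhere sketch for the second question, added here as an example and not posted by either participant: it swaps the `eventstats` + `join` approach above for a single `stats` pass with `mvindex`, collapsing a repeated file into one row with `job2`/`time2` columns. The four sample rows in `constructed_sample` are constructed from the tables in the thread, and only one repeat per file is carried over.

```spl
| makeresults
| eval constructed_sample="one,10:50,abc;two,11:30,def;three,11:45,hij;four,12:00,def"
| makemv delim=";" constructed_sample
| mvexpand constructed_sample
| rex field=constructed_sample "^(?<job>[^,]+),(?<time>[^,]+),(?<file>[^,]+)$"
| stats count as duplicates list(job) as jobs list(time) as times by file
| eval status=if(duplicates>1, "collected", "waiting")
| eval job=mvindex(jobs,0), time=mvindex(times,0), job2=mvindex(jobs,1), time2=mvindex(times,1)
| table job time file status job2 time2
```

For real data, replace the first five lines with the base search; `list()` keeps values in the order events arrive, so sort by time first if the first job per file must be the earliest.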