Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to pick the time range for different source file

deepthi5
Path Finder
‎07-08-2015 05:47 AM

Hello ,

I have got an urgent requirement pls help me

I am different countries data pulled and indexed into SPLUNK daily
ex,Australia.csv,Budapest .csv,germany.csv etc for which i am generating 95th percentile values

Now the requirement is i should be able to generate 95th percentile only from Monday to Friday and only in working hours of that particular country which seems to be difficult

Right now i havve got an idea using the following query :

source="C:\germany.csv" host="SEZ00VVM-153" sourcetype="csv" date_wday!=saturday AND date_wday!=sunday date_hour>=9 date_hour<= 17 | eval Intraffic=IN/1048576 |timechart span=1h perc95(Intraffic) AS 95thPercentile

but when multiple files are indexing how should i tell splunk that working hours of germany is 9 to 5 and budapest is 10 to 4 etcc

thanks ,
Deepthi

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-08-2015 05:55 AM

You could create a lookup file that contains country name and working hours. For example, the file might contain

Country, start_hour, end_hour
germany, 9, 17
budapest, 10, 16

Then your query becomes

source="C:germany.csv" host="SEZ00VVM-153" sourcetype="csv" date_wday!=saturday AND date_wday!=sunday | lookup Country OUTPUT start_hour end_hour | where date_hour>=start_hour AND date_hour<= end_hour | eval Intraffic=IN/1048576 |timechart span=1h perc95(Intraffic) AS 95thPercentile
---
If this reply helps you, an upvote would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-08-2015 05:55 AM

You could create a lookup file that contains country name and working hours. For example, the file might contain

Country, start_hour, end_hour
germany, 9, 17
budapest, 10, 16

Then your query becomes

source="C:germany.csv" host="SEZ00VVM-153" sourcetype="csv" date_wday!=saturday AND date_wday!=sunday | lookup Country OUTPUT start_hour end_hour | where date_hour>=start_hour AND date_hour<= end_hour | eval Intraffic=IN/1048576 |timechart span=1h perc95(Intraffic) AS 95thPercentile
---
If this reply helps you, an upvote would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

deepthi5
Path Finder
‎07-09-2015 03:24 AM

hey

thanks for the answer but that is not working should i specify germany in the place of country or it automatically picks

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-10-2015 04:51 AM

You will need to populate a field called 'Country' with the name of the country in question. Or you could replace 'Country' with another field from your query that contains the country name.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
Reply
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes and swag!