Hello all,
So, I am having the following information forwarded to splunk as sourcetype as below (with more than 15000 similar lines):
2021-Jan-14 09:07 2 servername2 instance1 2021-Jan-14 09:07:25.393 [transaction_string1] 79897 67163 OK 1 [269661] 97 28 OK
I don't have any kind of header of this text file that is forwarded to splunk but I do know how to create one using the Fields options - that won't be an issue.
I need to create a report that has the following specs:
1. Rows:
"Scored" - a rangemap for the value which is represented in the text file as 97 (after [269661])
range map should be:
- 0s-to-0.05s=1-50
- 0.05s-to-0.10s=51-100
- 0.10s-to-0.15s=101-150
- 0.15s-to-0.20s=151-200
- 0.20s-to-0.30s=201-300
- 0.30s-to-0.50s=301-500
- 0.50s-to-1s=501-1000
- 1s-to-2s=1001-2000
- 2s-to-3s=2001-3000
- 3s-to-5s=3001-5000
- 5s-to-30s=5001-30000
- >30s=30001-99999
2. Columns:
- All: a sum(count) for each range present - if there are no records for a specific range, then 0 should be shown as a total.
- servername (alphabetically sorted) with instanceId (there are 2: 1 and 2 for each servername) - each one getting the count value for each range value in "Scored" mentioned above ---- if there are is 0 as count for a specific range on the servername and instanceid, then 0 should be shown for each servername and instanceid.
Now, by the looks of it, this can be achieved using a pivot.
So far, this is what I could've come up with:
The output I need should be similar to one below:
Can anyone help me out on how to build up a search query to actually have the desired output?
Thanks!
