Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to Better format to log event so we could expand and then provide metrics

pavanml
Path Finder
‎04-22-2022 07:44 AM

Hi All. We have a need to log only one event in Splunk for each Case_ID.

However a single case can have multiple problems and solutions entered by the user in our Website. And based on event in Splunk we need to publish some metrics in the dashboard. Need suggestion for better way to log Problem solution combination in a single event for a case_id; which can help regenerate the table format within Splunk using query effectively to further populate the dashboard metrics shown in below screenshots. Please assist.

pavanml_0-1650638374212.png

pavanml_1-1650638470700.pngpavanml_2-1650638576435.png

 

Labels (2)
Labels
0 Karma
Reply

pavanml
Path Finder
‎04-27-2022 06:14 AM

Hi.. The first image pretty much explains about the data and the way we want to log the values for each case_id having multiple problems and solutions.
Looking for a format or structure to log pairwise combination of all the problems and its corresponding solutions w.r.t each case as one event, so that we can still unpack the table as shown in the second image. From which the dashboard metrics in the third image could be generated.
And as only onetime processing occur for each case we might not get multiple events on same case. Even though, we do maintain a date value as well in the event, so that the latest event can be considered in case of multiple events on same case.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-22-2022 08:10 AM

Not sure what the ask is here.

Do you want to know how to parse your existing (proposed?) log format from the first graphic, in order to be able to generate the tables in the other graphics?

Or, do you want suggestions about the log format you might use (in place of the format in the first graphic)?

Also, if you are going to stick with the format in the first graphic, does your website generate a new event for each case when a new solution to an existing or new problem is identified for a case and therefore do your events have a timestamp so that only the latest event for each case can be considered?

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...