Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to store Multi Value Field with its sum of number of occurrence in the 4m span of time

santosh121
Explorer
‎05-22-2021 04:31 AM

Dear All,

 

 I am trying to store some aggregated values so that my query will perform better way when searching time is of 6-8 months.

 

Use case:

_time                                                       Environment       BG         ApplicationName      Interface    ErrorType

22-05-2021 01:12:33                             E                          B                          K                            Z                  TimeOut

22-05-2021 01:13:33                             E                          B                          K                            Z              HttpConnectivityErr

22-05-2021 01:14:33                             E                          B                          K                            Z                  TimeOut

22-05-2021 01:15:33                             E                          B                          K                            Z             HttpConnectivityErr

22-05-2021 01:16:33                             E                          B                          K                            Z                  TimeOut

22-05-2021 01:17:33                             E                          B                          K                            Z              HttpConnectivityErr

22-05-2021 01:18:33                             E                          B                          K                            Z              HttpConnectivityErr

22-05-2021 01:19:33                             E                          B                          K                            Z              HttpConnectivityErr

Expected Output:

bin span 4m  _time

 

_time                                            Environment       BG         ApplicationName      Interface        ErrorType(multiValue)

22-05-2021 01:12:33                   E                          B                          K                            Z                     TimeOut_2

                                                                                                                                                                               HttpConnectivityErr_2

22-05-2021 01:16:33                   E                          B                          K                            Z                      TimeOut_1

                                                                                                                                                                               HttpConnectivityErr_3

 

What i want is for a span of 4 min i need unique  "ErrorType" column along with its count group by Environment,BG,ApplicationName,Interface.

Please help me out with it.

 

Regards,

Santosh

 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

santosh121
Explorer
‎05-23-2021 09:39 PM

Thanks for the reply. I will test from my side today and update you on that.

Regards,

Santosh

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-23-2021 09:43 AM 
| makeresults
| eval _raw="time,Environment,BG,ApplicationName,Interface,ErrorType
22-05-2021 01:12:33,E,B,K,Z,TimeOut
22-05-2021 01:13:33,E,B,K,Z,HttpConnectivityErr
22-05-2021 01:14:33,E,B,K,Z,TimeOut
22-05-2021 01:15:33,E,B,K,Z,HttpConnectivityErr
22-05-2021 01:16:33,E,B,K,Z,TimeOut
22-05-2021 01:17:33,E,B,K,Z,HttpConnectivityErr
22-05-2021 01:18:33,E,B,K,Z,HttpConnectivityErr
22-05-2021 01:19:33,E,B,K,Z,HttpConnectivityErr"
| multikv forceheader=1
| fields - _* linecount 
| eval _time=strptime(time,"%d-%m-%Y %H:%M:%S")
| bin _time span=4m
| stats count by _time Environment BG ApplicationName Interface ErrorType
| eval ErrorType=ErrorType."_".count
| stats values(ErrorType) as ErrorType by _time Environment BG ApplicationName Interface
0 Karma
Reply
Solved! Jump to solution
Solution

santosh121
Explorer
‎05-23-2021 09:39 PM

Thanks for the reply. I will test from my side today and update you on that.

Regards,

Santosh

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...