Customized Query: How to combine 2 queries?

vishwa · ‎11-19-2022

Hi All, I am trying to combine 2 queries to get the result, i am getting the result, but not as expected.

Query1:

index=app-map-idx shname=niht_map_*
| append [| inputlookup customerdata.csv
|addinfo
| where _time>=info_min_time AND _time<=info_max_time
|fields - info*
|eval done=1, shname=device."_name", source=device."_name"]
|table _time sys operation web pass fail fvb quantity done shname
|eventstats sum(done) as done by shname sys
|bucket _time span=w
|stats sum(*) as * values(done) as done dc(web) as webb by _time shname sys operation
|appendpipe [| search sys="wi lapcdmb" operation="login page" OR operation="app page" OR operation="userpage" OR operation="custpage"]
|foreach pass fail fvb quantity [|eval <<FIELD>>=<<FILED>>*0.09]
|eval sys="pim"]
| eval "pass percentage"=pass/quantity*100
|eval iel=fail/quantity*100
|fillnull fvb value=0
|rename pass as Pass, fail as Fail, sys as Sys, fvb as Fvb, quantity as Quantity, operation as Operation, webb as Webb
|lookup application.csv Sys OUTPUT App mtr
|search mtr=given
|table _time pass percentage iel App Sys Operation Webb Pass Fail Quantity Fvb
|sort 0 Sys

Output:

_time	App	Sys	Operation	Webb	Pass	Fail	Quantity	Fvb	pass percentage	iel
2022-11-10	Custom	Customer sys	sigin app - customer	1	20	0	20	1	100	0
2022-11-10	Cli app	CA	sigin app - application	2	30	10	40	10	99	0.01
2022-11-10	sigin app	SG	sigin app - client	2	10	1	11	1	100	0
2022-11-10	user app	UA	sigin app - app1	1	60	0	60	16	80	0.05
2022-11-10	user app	UA	sigin app - app2	4	50	0	50	0	20	0.9
2022-11-10	user app	UA	sigin app - app3	5	100	9	109	0	0	0
2022-11-10	user app	UA	sigin app - app4	8	21	0	21	0	0	0
2022-11-10	user app	UA	sigin app - app5	9	23	0	23	0	0	0
2022-11-10	suzk app	SA	sigin app - app6	2	16	8	24	1	99	0
2022-11-10	qualis app	QA	sigin app - app7	1	100	10	110	8	10	0
2022-11-10	benz app	BA	sigin app - app8	2	500	11	511	6	20	0
2022-11-10	client app	CA	sigin app - app1	4	200	0	200	4	100	0
2022-11-10	client app	CA	sigin app - app2	1	800	1	801	1	100	0.11
2022-11-10	client app	CA	sigin app - app3	3	220	1	221	0	90	0.22
2022-11-10	client app	CA	sigin app - app4	2	1000	11	1011	0	99	0.45
2022-11-10	client app	CA	sigin app - app5	1	1089	12	2178	9	99	0.56

Query2:
index=blrm-app-idx sourcetype=blrm_appl "QA: ab" OR "QA: cd" OR "QA: ef" OR "QA: gh" (procedure=POST web="/cate/surface*") OR (procedure=GET web="/choc/plain/otp*") OR (procedure=POST web="/may/duration") OR (procedure=GET web="/year/days") OR web="/nam/power/error") OR web="/move/cloud") OR web="/mont/days
NOT [|inputlookup angryer.csv
|rename PI as result
|fields result]
| eval type=case((faildigit=978 OR faildigit=435 OR faildigit=543 OR faildigit=987), "error",
(faildigit>98763 AND faildigit<98765 ) OR faildigit=123 OR faildigit=456 OR faildigit=789, fvb, isnull(faildigit), "pass", isnotnull(faildigit), "error")
|search pipe = "error"
|eval operation=case(match(web, "/cate/surface*"), sigin app - customer, procedure=GET AND web="/choc/plain/otp*") , sigin app - application, procedure=POST AND web="/may/duration", sigin app - client, procedure=GET AND web="/year/days", sigin app - app1, OR web="/nam/power/error", sigin app - app2 OR web="/move/cloud", sigin app - app3 OR web="/mont/days, sigin app - app4, 1=1, "unknown")
|eval web = procedure." ".web
|eval sys= case (cliapp=ab, applibase, cliapp=cd, cusbase, cliapp=ef, efffilm, cliapp=gh gohome, 1=1, null())
|bin _time span=1h
|stats dc(cust_ip) as effect_apps by _time sys operation web

OUTPUT:

_time	sys	operation	web	effect_apps
2022-11-10	UA	sigin app - app1	1	10
2022-11-10	UA	sigin app - app2	2	12
2022-11-10	UA	sigin app - app3	2	10
2022-11-10	UA	sigin app - app4	1	40
2022-11-10	UA	sigin app - app5	4	2
2022-11-10	CA	sigin app - app1	5	6
2022-11-10	CA	sigin app - app2	8	1
2022-11-10	CA	sigin app - app3	9	3
2022-11-10	CA	sigin app - app4	2	4
2022-11-10	CA	sigin app - app5	1	8

vishwa · ‎11-19-2022

Combined 2 queries using appencols:
index=app-map-idx shname=niht_map_*
| append [| inputlookup customerdata.csv
|addinfo
| where _time>=info_min_time AND _time<=info_max_time
|fields - info*
|eval done=1, shname=device."_name", source=device."_name"]
|table _time sys operation web pass fail fvb quantity done shname
|eventstats sum(done) as done by shname sys
|bucket _time span=w
|stats sum(*) as * values(done) as done dc(web) as webb by _time shname sys operation
|appendpipe [| search sys="wi lapcdmb" operation="login page" OR operation="app page" OR operation="userpage" OR operation="custpage"]
|foreach pass fail fvb quantity [|eval <<FIELD>>=<<FILED>>*0.09]
|eval sys="pim"]
| eval "pass percentage"=pass/quantity*100
|eval iel=fail/quantity*100
|fillnull fvb value=0
|rename pass as Pass, fail as Fail, sys as Sys, fvb as Fvb, quantity as Quantity, operation as Operation, webb as Webb
|lookup application.csv Sys OUTPUT App mtr
|search mtr=given
|table _time pass percentage iel App Sys Operation Webb Pass Fail Qyantity Fvb
|sort 0 Sys

|appendcols

[search  index=blrm-app-idx sourcetype=blrm_appl "QA: ab" OR "QA: cd" OR "QA: ef" OR "QA: gh" (procedure=POST web="/cate/surface*") OR  (procedure=GET web="/choc/plain/otp*") OR  (procedure=POST web="/may/duration") OR  (procedure=GET web="/year/days") OR   web="/nam/power/error") OR  web="/move/cloud") OR   web="/mont/days
NOT [|inputlookup angryer.csv
|rename PI as result
|fields result]
| eval type=case((faildigit=978 OR faildigit=435 OR faildigit=543 OR faildigit=987), "error",
(faildigit>98763 AND faildigit<98765 ) OR faildigit=123 OR faildigit=456 OR faildigit=789, fvb, isnull(faildigit), "pass", isnotnull(faildigit), "error")
|search pipe = "error"
|eval operation=case(match(web, "/cate/surface*"), sigin app - customer, procedure=GET AND web="/choc/plain/otp*") , sigin app - application, procedure=POST AND web="/may/duration", sigin app - client, procedure=GET AND web="/year/days", sigin app - app1, OR   web="/nam/power/error", sigin app - app2 OR  web="/move/cloud", sigin app - app3 OR   web="/mont/days, sigin app - app4, 1=1, "unknown")
|eval web = procedure." ".web
|eval sys= case (cliapp=ab, applibase, cliapp=cd, cusbase, cliapp=ef, efffilm, cliapp=gh gohome, 1=1, null())
|bin _time span=1h
|stats dc(cust_ip) as effect_apps by _time sys operation
|appendpipe
[|lookup application.csv App OUTPUT App mtr |search mtr=given]]

OUTPUT:
Here i want to getting the effect_values from 2 query and not displaying in correct place.
I want the effect_apps values to be displayed by operation like:
under UA Sys , we have sigin app

_time	App	Sys	Operation	Webb	Pass	Fail	Quantity	Fvb	pass percentage	iel	effect_apps
2022-11-10	Custom	Customer sys	sigin app - customer	1	20	0	20	1	100	0	10
2022-11-10	Cli app	CA	sigin app - application	2	30	10	40	10	99	0.01	12
2022-11-10	sigin app	SG	sigin app - client	2	10	1	11	1	100	0	10
2022-11-10	user app	UA	sigin app - app1	1	60	0	60	16	80	0.05	40
2022-11-10	user app	UA	sigin app - app2	4	50	0	50	0	20	0.9	2
2022-11-10	user app	UA	sigin app - app3	5	100	9	109	0	0	0	6
2022-11-10	user app	UA	sigin app - app4	8	21	0	21	0	0	0	1
2022-11-10	user app	UA	sigin app - app5	9	23	0	23	0	0	0	3
2022-11-10	suzk app	SA	sigin app - app6	2	16	8	24	1	99	0	4
2022-11-10	qualis app	QA	sigin app - app7	1	100	10	110	8	10	0	8
2022-11-10	benz app	BA	sigin app - app8	2	500	11	511	6	20	0
2022-11-10	client app	CA	sigin app - app1	4	200	0	200	4	100	0
2022-11-10	client app	CA	sigin app - app2	1	800	1	801	1	100	0.11
2022-11-10	client app	CA	sigin app - app3	3	220	1	221	0	90	0.22
2022-11-10	client app	CA	sigin app - app4	2	1000	11	1011	0	99	0.45
2022-11-10	client app	CA	sigin app - app5	1	1089	12	2178	9	99	0.56

vishwa · ‎11-19-2022

But i need to get the output as shown in the below format:

OUTPUT:
Here i am getting the effect_values from 2 query and not displaying in correct place.
I want the effect_apps values to be displayed by operation like for example
under Sys- UA we have 5 operation sigin app - app1 ......... to sigin app - app5, effect_apps values should display in these places.
And in remaning places it should N/A.

_time	App	Sys	Operation	Webb	Pass	Fail	Quantity	Fvb	pass percentage	iel	effect_apps
2022-11-10	Custom	Customer sys	sigin app - customer	1	20	0	20	1	100	0	N/A
2022-11-10	Cli app	CA	sigin app - application	2	30	10	40	10	99	0.01	N/A
2022-11-10	sigin app	SG	sigin app - client	2	10	1	11	1	100	0	N/A
2022-11-10	user app	UA	sigin app - app1	1	60	0	60	16	80	0.05	10
2022-11-10	user app	UA	sigin app - app2	4	50	0	50	0	20	0.9	12
2022-11-10	user app	UA	sigin app - app3	5	100	9	109	0	0	0	10
2022-11-10	user app	UA	sigin app - app4	8	21	0	21	0	0	0	40
2022-11-10	user app	UA	sigin app - app5	9	23	0	23	0	0	0	2
2022-11-10	suzk app	SA	sigin app - app6	2	16	8	24	1	99	0	N/A
2022-11-10	qualis app	QA	sigin app - app7	1	100	10	110	8	10	0	N/A
2022-11-10	benz app	BA	sigin app - app8	2	500	11	511	6	20	0	N/A
2022-11-10	client app	CA	sigin app - app1	4	200	0	200	4	100	0	6
2022-11-10	client app	CA	sigin app - app2	1	800	1	801	1	100	0.11	1
2022-11-10	client app	CA	sigin app - app3	3	220	1	221	0	90	0.22	3
2022-11-10	client app	CA	sigin app - app4	2	1000	11	1011	0	99	0.45	4
2022-11-10	client app	CA	sigin app - app5	1	1089	12	2178	9	99	0.56	8

vishwa · ‎11-20-2022

hi, anyone can help me from the above posts????

Customized Query: How to combine 2 queries?

troubleshooting

using Splunk Enterprise

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation