Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I build a nested query with the following attributes: class, user, id, value?

yifatcy
Path Finder
‎07-28-2020 06:35 AM

Hi,
I have data with the following attributes: class, user, id, value.
I want to execute for value larger than <number> and for the top 5 classes with the maximal quantity of records (ids), the user with maximum records for each of those classes.

I have this for now (which gives me the first part) : 
index="x"  value>1036800 | fields class id value | chart count(id) as 12+_days by class 
| sort -12+_days limit=5

example for my expected final results:

user 12+_days
user_a 215
user_b 35
user_c 65
user_d 656
user_e 695

where each of those users is from different class from the top 5 classes.

I tried nested loop with square brackets but nothing gave my the expected result.
Thanks.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-29-2020 06:40 AM

This was a challenge.  I think you can do it with a subsearch that selects the top classes.

| makeresults | eval _raw="user   id    class value
James  12245 A     1225488
James  24545 A     2156321
Gianna 12457 B     4558923
Jenny  12462 C     1214578
James  41512 A     1324486
Jenny  41277 C     2151778
John   54588 C     4584897
Erik   55785 A     2165156" | multikv forceheader=1
```Above just defines test data```
```Use a subsearch to find the top classes```
| search [| makeresults | eval _raw="user   id    class value
James  12245 A     1225488
James  24545 A     2156321
Gianna 12457 B     4558923
Jenny  12462 C     1214578
James  41512 A     1324486
Jenny  41277 C     2151778
John   54588 C     4584897
Erik   55785 A     2165156" | multikv forceheader=1
```Above just defines test data```
  | streamstats sum(value) as total by class
  | stats max(total) as maxtotal by class 
  ```Change "2" to the desired number of classes```
  | sort 2 - maxtotal | fields class | format]
| stats sum(value) as sum by class,user
| sort - sum
| dedup class
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-28-2020 06:56 AM
Please provide some sample data.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

yifatcy
Path Finder
‎07-28-2020 07:09 AM

Here is an example, the value is only a condition so I'll ignore it for the sake of the example.

expected result (I'll show for top 2 here).

Top 2 classes (those with the maximum records):

C

Top user in each class:

James (in A)

Jenny (in C)

 

data:

useridclassvalue
James12245A1225488
James24545A2156321
Gianna12457B4558923
Jenny12462C1214578
James41512A1324486
Jenny41277C2151778
John54588C4584897
Erik55785A2165156
0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-29-2020 06:40 AM

This was a challenge.  I think you can do it with a subsearch that selects the top classes.

| makeresults | eval _raw="user   id    class value
James  12245 A     1225488
James  24545 A     2156321
Gianna 12457 B     4558923
Jenny  12462 C     1214578
James  41512 A     1324486
Jenny  41277 C     2151778
John   54588 C     4584897
Erik   55785 A     2165156" | multikv forceheader=1
```Above just defines test data```
```Use a subsearch to find the top classes```
| search [| makeresults | eval _raw="user   id    class value
James  12245 A     1225488
James  24545 A     2156321
Gianna 12457 B     4558923
Jenny  12462 C     1214578
James  41512 A     1324486
Jenny  41277 C     2151778
John   54588 C     4584897
Erik   55785 A     2165156" | multikv forceheader=1
```Above just defines test data```
  | streamstats sum(value) as total by class
  | stats max(total) as maxtotal by class 
  ```Change "2" to the desired number of classes```
  | sort 2 - maxtotal | fields class | format]
| stats sum(value) as sum by class,user
| sort - sum
| dedup class
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

yifatcy
Path Finder
‎07-30-2020 12:29 AM

Thank you very much!

I'm struggling to replace the definition of data test with index (I'm fairly new to Splunk).

this is the way I extracted the data in my previous queries, and I tried to use it here but it seems like I'm not supposed to use index after the search command. could you tell me how to replace the data definition with this:

index=jobs  value>1036800 | fields user id class

thank you again.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-30-2020 06:23 AM

What you have should work, with the addition of the value field.

index=jobs  value>1036800 | fields user id class value

 

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...