Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Aggregate query help

aag
Engager
‎07-22-2021 01:38 PM

Hi Team - I am trying to first search and  then aggregate results from following Splunk logs:

Raw format: 

"buildDimensionsAttributes:  $attribute: $constraint: $result"

sample message:

message: buildDimensionsAttributes: 6393: AttributeConstraints(-1.0,99.92,2,DoubleFormat): 99.98

Here in the AttributeConstraints

1st index corresponds to minval here -1.0

2nd index corresponds to maxval here 99.92

3rd index corresponds to decimal here 2

I want to first filter $results which are out of range, here 99.98 is not between  [-1.0 , 99.92] and then

aggregate (group by) various $attribute and then

showcase something like below on the dashboard where we can apply our usual time filters.

Attribute# | RecrdCountofOutofRange | TotalRecords

Thanks

AG

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎07-22-2021 07:09 PM

Hi @aag 

See if this helps!.

<your_Search_goes_here>
| rex "buildDimensionsAttributes:\s+(?<attr>\d+):\s+AttributeConstraints\((?<idx1>.+?),(?<idx2>.+?),(?<idx3>.+?),.+?\):\s+(?<number>[\d\.]+)" 
| stats count as total, count(eval(number < idx1 OR number > idx2 )) as RecordOutRange by attr

---

An upvote would be appreciated if this reply helps and Accept solution!

View solution in original post

Reply
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎07-22-2021 07:09 PM

Hi @aag 

See if this helps!.

<your_Search_goes_here>
| rex "buildDimensionsAttributes:\s+(?<attr>\d+):\s+AttributeConstraints\((?<idx1>.+?),(?<idx2>.+?),(?<idx3>.+?),.+?\):\s+(?<number>[\d\.]+)" 
| stats count as total, count(eval(number < idx1 OR number > idx2 )) as RecordOutRange by attr

---

An upvote would be appreciated if this reply helps and Accept solution!

Reply
Solved! Jump to solution

aag
Engager
‎07-23-2021 03:36 PM

Thanks much @venkatasri ; it worked beautifully !

As a next step would like to showcase the result on dashboard, where from a drop down when we select a particular attribute it will show the count of total and RecordOutRange on y-axis in time span of every15min on x-axis. Something like below:

 

aag_0-1627079204142.png

 

Helpful image from query showcasing all attributes in same graph:

aag_1-1627079605734.png

Thanks

 

 

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...