Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Aggregate query help

aag
Engager
‎07-22-2021 01:38 PM

Hi Team - I am trying to first search and  then aggregate results from following Splunk logs:

Raw format: 

"buildDimensionsAttributes:  $attribute: $constraint: $result"

sample message:

message: buildDimensionsAttributes: 6393: AttributeConstraints(-1.0,99.92,2,DoubleFormat): 99.98

Here in the AttributeConstraints

1st index corresponds to minval here -1.0

2nd index corresponds to maxval here 99.92

3rd index corresponds to decimal here 2

I want to first filter $results which are out of range, here 99.98 is not between  [-1.0 , 99.92] and then

aggregate (group by) various $attribute and then

showcase something like below on the dashboard where we can apply our usual time filters.

Attribute# | RecrdCountofOutofRange | TotalRecords

Thanks

AG

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎07-22-2021 07:09 PM

Hi @aag 

See if this helps!.

<your_Search_goes_here>
| rex "buildDimensionsAttributes:\s+(?<attr>\d+):\s+AttributeConstraints\((?<idx1>.+?),(?<idx2>.+?),(?<idx3>.+?),.+?\):\s+(?<number>[\d\.]+)" 
| stats count as total, count(eval(number < idx1 OR number > idx2 )) as RecordOutRange by attr

---

An upvote would be appreciated if this reply helps and Accept solution!

View solution in original post

Reply
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎07-22-2021 07:09 PM

Hi @aag 

See if this helps!.

<your_Search_goes_here>
| rex "buildDimensionsAttributes:\s+(?<attr>\d+):\s+AttributeConstraints\((?<idx1>.+?),(?<idx2>.+?),(?<idx3>.+?),.+?\):\s+(?<number>[\d\.]+)" 
| stats count as total, count(eval(number < idx1 OR number > idx2 )) as RecordOutRange by attr

---

An upvote would be appreciated if this reply helps and Accept solution!

Reply
Solved! Jump to solution

aag
Engager
‎07-23-2021 03:36 PM

Thanks much @venkatasri ; it worked beautifully !

As a next step would like to showcase the result on dashboard, where from a drop down when we select a particular attribute it will show the count of total and RecordOutRange on y-axis in time span of every15min on x-axis. Something like below:

 

aag_0-1627079204142.png

 

Helpful image from query showcasing all attributes in same graph:

aag_1-1627079605734.png

Thanks

 

 

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...