Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Aggregate query help

aag
Engager
‎07-22-2021 01:38 PM

Hi Team - I am trying to first search and  then aggregate results from following Splunk logs:

Raw format: 

"buildDimensionsAttributes:  $attribute: $constraint: $result"

sample message:

message: buildDimensionsAttributes: 6393: AttributeConstraints(-1.0,99.92,2,DoubleFormat): 99.98

Here in the AttributeConstraints

1st index corresponds to minval here -1.0

2nd index corresponds to maxval here 99.92

3rd index corresponds to decimal here 2

I want to first filter $results which are out of range, here 99.98 is not between  [-1.0 , 99.92] and then

aggregate (group by) various $attribute and then

showcase something like below on the dashboard where we can apply our usual time filters.

Attribute# | RecrdCountofOutofRange | TotalRecords

Thanks

AG

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎07-22-2021 07:09 PM

Hi @aag 

See if this helps!.

<your_Search_goes_here>
| rex "buildDimensionsAttributes:\s+(?<attr>\d+):\s+AttributeConstraints\((?<idx1>.+?),(?<idx2>.+?),(?<idx3>.+?),.+?\):\s+(?<number>[\d\.]+)" 
| stats count as total, count(eval(number < idx1 OR number > idx2 )) as RecordOutRange by attr

---

An upvote would be appreciated if this reply helps and Accept solution!

View solution in original post

Reply
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎07-22-2021 07:09 PM

Hi @aag 

See if this helps!.

<your_Search_goes_here>
| rex "buildDimensionsAttributes:\s+(?<attr>\d+):\s+AttributeConstraints\((?<idx1>.+?),(?<idx2>.+?),(?<idx3>.+?),.+?\):\s+(?<number>[\d\.]+)" 
| stats count as total, count(eval(number < idx1 OR number > idx2 )) as RecordOutRange by attr

---

An upvote would be appreciated if this reply helps and Accept solution!

Reply
Solved! Jump to solution

aag
Engager
‎07-23-2021 03:36 PM

Thanks much @venkatasri ; it worked beautifully !

As a next step would like to showcase the result on dashboard, where from a drop down when we select a particular attribute it will show the count of total and RecordOutRange on y-axis in time span of every15min on x-axis. Something like below:

 

aag_0-1627079204142.png

 

Helpful image from query showcasing all attributes in same graph:

aag_1-1627079605734.png

Thanks

 

 

Tags (1)
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

AI is one of the biggest topics in the market today, and for security teams, its value goes far beyond the ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

[REGISTER HERE] This thread is for the Community Office Hours session on Detection Engineering Office Hours: ...