Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Aggregate query help

aag
Engager
‎07-22-2021 01:38 PM

Hi Team - I am trying to first search and  then aggregate results from following Splunk logs:

Raw format: 

"buildDimensionsAttributes:  $attribute: $constraint: $result"

sample message:

message: buildDimensionsAttributes: 6393: AttributeConstraints(-1.0,99.92,2,DoubleFormat): 99.98

Here in the AttributeConstraints

1st index corresponds to minval here -1.0

2nd index corresponds to maxval here 99.92

3rd index corresponds to decimal here 2

I want to first filter $results which are out of range, here 99.98 is not between  [-1.0 , 99.92] and then

aggregate (group by) various $attribute and then

showcase something like below on the dashboard where we can apply our usual time filters.

Attribute# | RecrdCountofOutofRange | TotalRecords

Thanks

AG

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎07-22-2021 07:09 PM

Hi @aag 

See if this helps!.

<your_Search_goes_here>
| rex "buildDimensionsAttributes:\s+(?<attr>\d+):\s+AttributeConstraints\((?<idx1>.+?),(?<idx2>.+?),(?<idx3>.+?),.+?\):\s+(?<number>[\d\.]+)" 
| stats count as total, count(eval(number < idx1 OR number > idx2 )) as RecordOutRange by attr

---

An upvote would be appreciated if this reply helps and Accept solution!

View solution in original post

Reply
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎07-22-2021 07:09 PM

Hi @aag 

See if this helps!.

<your_Search_goes_here>
| rex "buildDimensionsAttributes:\s+(?<attr>\d+):\s+AttributeConstraints\((?<idx1>.+?),(?<idx2>.+?),(?<idx3>.+?),.+?\):\s+(?<number>[\d\.]+)" 
| stats count as total, count(eval(number < idx1 OR number > idx2 )) as RecordOutRange by attr

---

An upvote would be appreciated if this reply helps and Accept solution!

Reply
Solved! Jump to solution

aag
Engager
‎07-23-2021 03:36 PM

Thanks much @venkatasri ; it worked beautifully !

As a next step would like to showcase the result on dashboard, where from a drop down when we select a particular attribute it will show the count of total and RecordOutRange on y-axis in time span of every15min on x-axis. Something like below:

 

aag_0-1627079204142.png

 

Helpful image from query showcasing all attributes in same graph:

aag_1-1627079605734.png

Thanks

 

 

Tags (1)
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...