Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Aggregate query help

aag
Engager
‎07-22-2021 01:38 PM

Hi Team - I am trying to first search and  then aggregate results from following Splunk logs:

Raw format: 

"buildDimensionsAttributes:  $attribute: $constraint: $result"

sample message:

message: buildDimensionsAttributes: 6393: AttributeConstraints(-1.0,99.92,2,DoubleFormat): 99.98

Here in the AttributeConstraints

1st index corresponds to minval here -1.0

2nd index corresponds to maxval here 99.92

3rd index corresponds to decimal here 2

I want to first filter $results which are out of range, here 99.98 is not between  [-1.0 , 99.92] and then

aggregate (group by) various $attribute and then

showcase something like below on the dashboard where we can apply our usual time filters.

Attribute# | RecrdCountofOutofRange | TotalRecords

Thanks

AG

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎07-22-2021 07:09 PM

Hi @aag 

See if this helps!.

<your_Search_goes_here>
| rex "buildDimensionsAttributes:\s+(?<attr>\d+):\s+AttributeConstraints\((?<idx1>.+?),(?<idx2>.+?),(?<idx3>.+?),.+?\):\s+(?<number>[\d\.]+)" 
| stats count as total, count(eval(number < idx1 OR number > idx2 )) as RecordOutRange by attr

---

An upvote would be appreciated if this reply helps and Accept solution!

View solution in original post

Reply
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎07-22-2021 07:09 PM

Hi @aag 

See if this helps!.

<your_Search_goes_here>
| rex "buildDimensionsAttributes:\s+(?<attr>\d+):\s+AttributeConstraints\((?<idx1>.+?),(?<idx2>.+?),(?<idx3>.+?),.+?\):\s+(?<number>[\d\.]+)" 
| stats count as total, count(eval(number < idx1 OR number > idx2 )) as RecordOutRange by attr

---

An upvote would be appreciated if this reply helps and Accept solution!

Reply
Solved! Jump to solution

aag
Engager
‎07-23-2021 03:36 PM

Thanks much @venkatasri ; it worked beautifully !

As a next step would like to showcase the result on dashboard, where from a drop down when we select a particular attribute it will show the count of total and RecordOutRange on y-axis in time span of every15min on x-axis. Something like below:

 

aag_0-1627079204142.png

 

Helpful image from query showcasing all attributes in same graph:

aag_1-1627079605734.png

Thanks

 

 

Tags (1)
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...