Chart showing the results of multiple searches

andilee
Explorer

Hi there! Wondering if anyone can offer some advice on how to combine several searches to create a chart...

I have eight searches which show acceptable and unacceptable outcomes for product orders - an order is OK if certain products are ordered together and not OK if one of the products is left out.

They look a bit like:

index=prodmon source="Orders"
| search P1_FLAG="Y" AND P2_FLAG="N" AND P3_FLAG="Y"
| stats count as "Non-compliant Orders: Combo 1"

index=prodmon source="Orders"
| search P1_FLAG="Y" AND P2_FLAG="Y" AND P3_FLAG="Y"
| stats count as "Compliant Orders: Combo 1"

I'm trying to get a chart that will show a count for each possible outcome:

Non-compliant Orders: Combo 1, Compliant Orders: Combo 1, etc.

Any ideas? I've been mucking around with rename and as to get a new field for each count to combine into a search, but nothing has really worked out so far...

Thanks in advance,
Andrea


gauldridge
Path Finder

Try using two case statements. The first case will identify the combo numbers based on the products that need to be purchased together. The second case checks to make sure that all products were indeed purchased. If all products were purchased, the order is marked compliant. Anything other than "fully compliant" is marked as non-compliant:

The main search pipeline:

index="prodmon" source="Orders" 

Defining the product combinations (I've added one that may not exist just to show a larger case statement):

| eval combo_number=case(
    (isnotnull(P1_FLAG) AND isnotnull(P2_FLAG) AND isnotnull(P3_FLAG)), 1,
    (isnotnull(P4_FLAG) AND isnotnull(P5_FLAG) AND isnotnull(P6_FLAG)), 2)

Checking for compliance/non-compliance:

| eval compliance=case(
    (combo_number==1 AND (P1_FLAG=="Y" AND P2_FLAG=="Y" AND P3_FLAG=="Y")), "Compliant Orders: Combo 1",
    (combo_number==1 AND 1==1), "Non-compliant Orders: Combo 1",
    (combo_number==2 AND (P4_FLAG=="Y" AND P5_FLAG=="Y" AND P6_FLAG=="Y")), "Compliant Orders: Combo 2",
    (combo_number==2 AND 1==1), "Non-compliant Orders: Combo 2")

Getting the counts:

| stats c by compliance

This should get you what you want without having to specifically define every possible combination of flags for every product combo. You only have to define what constitutes a compliant combo. The 1==1 takes care of anything that isn't compliant.

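As an added example (not part of the thread), the answer's two-case approach as one self-contained search that can be pasted into a search bar without the prodmon index: the makeresults/streamstats section constructs six sample orders in place of index=prodmon source="Orders" (rows 5 and 6 are deliberately missing flags), and a true() default is added to each case() so orders matching no combo land in their own bucket instead of silently dropping out of the chart. Assumes a Splunk version with makeresults, streamstats, true() and chart available, which is any current release.

```spl
| makeresults count=6
| streamstats count AS order_id
| eval P1_FLAG=case(order_id<=5, "Y")
| eval P2_FLAG=case(order_id==2, "N", order_id<=5, "Y")
| eval P3_FLAG=case(order_id==4, "N", order_id<=3, "Y")
| eval combo_number=case(
    isnotnull(P1_FLAG) AND isnotnull(P2_FLAG) AND isnotnull(P3_FLAG), 1,
    isnotnull(P4_FLAG) AND isnotnull(P5_FLAG) AND isnotnull(P6_FLAG), 2,
    true(), 0)
| eval compliance=case(
    combo_number==1 AND P1_FLAG=="Y" AND P2_FLAG=="Y" AND P3_FLAG=="Y", "Compliant Orders: Combo 1",
    combo_number==1, "Non-compliant Orders: Combo 1",
    combo_number==2 AND P4_FLAG=="Y" AND P5_FLAG=="Y" AND P6_FLAG=="Y", "Compliant Orders: Combo 2",
    combo_number==2, "Non-compliant Orders: Combo 2",
    true(), "Unclassified: missing product flags")
| chart count OVER compliance
```

Swap the first five lines for index=prodmon source="Orders" to run it on real data; the final chart is the per-outcome count the original post asked for, with the Unclassified row showing any orders whose flag fields are absent.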

andilee
Explorer

Thanks for the input!! It's not quite returning what I want, but I think I can fine tune this - certainly far more successful than my half-baked faffing about with renames and as.
