Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Conditional search evaluation

Tanmaya
New Member
‎10-06-2021 03:28 AM

Hi , 

I am trying to get the day wise error count by data message only if the yesterdays error count is more than 50 .

index="eshop" NOT(index=k8*dev OR index=k8*test) tag=error
| eval time=strftime(_time,"%Y-%m-%d")
|table time,data.message

<condition if the previous day data message count is less than 50 then it should be ignored from the stats>
| stats count by time,data.message

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-06-2021 03:52 AM

Don't split by time manually. That's what timechart is for. It works similarily but a bit different.

If you bin manually by date, you have no good way to find days in which there was no events (you have to do tricks with generating artificial entries with count of zero) and therefore you can check agains "previous" value but it doesn't necessarily be the value from the day before. (Unless that's exactly what you want to do, but that's another story)

So instead of manipulating with date just do

| timechart span=1d count by data.message

Now you can't filter by value from another row. You have to get the value from another row into your row. There's a command for it - autoregress. But in order for it to work properly, you have to sort the data in the right order.

| sort data.message _time

Now you can get your previous values for comparison

| autoregress data.message count

And filter out the ones we don't want

| where NOT (data.message=data.message_p1 AND count_p1>50)

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-06-2021 03:34 AM

Hi @Tanmaya,

did you tried something like this?

index="eshop" NOT(index=k8*dev OR index=k8*test) tag=error earliest=-1@d latest=@d
| stats count BY data.message
| where count>50

Only one question: do you want to alert if any message count is more than 50 or sone spoecified messages?

Ciao.

Giuseppe

0 Karma
Reply

Tanmaya
New Member
‎10-06-2021 03:42 AM

Thanks for the response ... 

I am trying to create a dashboard with the error count line graph where i want to include only those data messages whose previous day count is more than 50 

example :Trells line graph 

if the yesterdays error for 404 is less than 50 i don't want to include 404 error message for plotting the graph

if the yesterdays error for 417 is greater than 50 then  want to include 404 error message for plotting the graph  

errorA : 40

errorB:55

errorC:55

Get the stats count only for errorB and errorC

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-07-2021 12:00 AM

Hi, @Tanmaya,

in this case the above search should be ok for your needs, did you tried it?

Let me know and, if correct, please accept it for the other people of Community.

Ciao.

Giuseppe

P.S.: Karma Points are appreciated by all the contributors. 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...