Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Help to assign values in increment order to each values in a field

smanojkumar
Contributor
‎07-04-2022 03:23 AM

It should assign values to each values in the specific field,

smanojkumar_0-1656930105434.png

if the same query executes at second time, it should start with previously ended values, i.e.., from 8

smanojkumar_1-1656930162540.png

This should be continue at every time the query executes.

consider this is the search, 


index=linux host="*" memUsedPct="*" sourcetype="vmstat" earliest=-60m latest=-1m
| eval host=mvindex(split(host,"."),0)
| stats avg(memUsedPct) AS memUsedPct by host
| eval memUsedPct=round(memUsedPct,1)
| where (memUsedPct>80 AND memUsedPct<90)

,This will return list of host, it should be numbered from 1, and if the next time query runs, it should start from previous value,

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-04-2022 10:42 AM

Ok, a very ugly solution would be to capture results in a lookup and in the subsequent run have a subsearch which would select max(count). Then you'd eval one field to it and streamstats count and add this constant field.

But I won't write the search itself here because it's a very ugly solution, it's not "splunky" in my opinion and it will probably have huge problems with race condition.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-04-2022 07:55 AM

One question to consider with such requests - if you have several million rows to return and your search started at 12:31:12 and lasted till 12:31:42. And another person started "the same" search at 12:31:31. How should his results be numbered and why?

Anyway, Splunk does not - without some magic - have the concept of "state" stored between different searches.

0 Karma
Reply

smanojkumar
Contributor
‎07-04-2022 08:27 AM

It wont return more than 10 values, 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-04-2022 08:34 AM

There doesn't appear to be anything in your search that would specifically limit the number of events returned - why do you think there are no more than 10?

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-04-2022 08:28 AM

You're dodging the question, not answering it. OK, what if there were two instances run at the same time?

0 Karma
Reply

TheEggi98
Path Finder
‎07-04-2022 07:30 AM

For testing stuff i sometimes do the following search for incremental counts:

| makeresults count=10 ```for generating 10 tablerows```
| streamstats count ```for count upwards with the rows, starting with 1```


For "saving" the last count you could write that into an Index or into a Lookup or count the data that already got counted incrementally. and add that to a new incremental count.


0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-04-2022 03:54 AM

It is not clear where these queries are executing - normally, if you execute a search against a dataset, you will get results from that dataset. Unless that dataset is updated in some way, your results won't change. Having said that, within a dashboard, you might be able to save the highest value from one execution of a search in a token (for example) and use the value of the token to add to the counts the next time the search executes.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...