Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I group and aggregate and filter all events based on those aggregated attributes?

cjoelly
Loves-to-Learn
‎06-18-2024 04:47 AM

Coming from SQL, I want to do stuff like GROUP BY and HAVING ...

The data is available with a transaction identifier.Grouing should be done by that transaction identifier.

Per transaction, I want to check a few attributes, if their values are unique within each treansaction.

In SQL terms:
select transaction_id from index group by transaction_id

having count(distinct attr1) = 1 and count(distinct attr2) = 1 and count(distinct attr3) = 1

From that table of transaction_ids, a join to the same index should be done to filter the events.

How can I achieve this with Splunk query?

 

Labels (1)
Labels
0 Karma
Reply

cjoelly
Loves-to-Learn
‎06-18-2024 11:45 PM

We changed our approach, generate a different structure in Splunk using stats and thus we do not need to read the raw events anymore.

 

0 Karma
Reply

cjoelly
Loves-to-Learn
‎06-18-2024 07:04 AM

I dont know if my approach is the right way to go. As I learned, that JOINs allow only 50.000 records to be joined. And I expect way more events to be joined to the filtered transactions.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-18-2024 05:37 AM

You could try using eventstats to tag each event with the aggregated value for the transaction it is a part of and use this to filter the events.

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...