Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I edit my current search to get my expected...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mprreddy51
Explorer
06-28-2016
03:58 PM
Hi,
Can anyone suggest how to get the below expected output as shown? I am getting only 2 rows in the result currently, but I should get 3 rows because TYPE field is not there in one event and I used "BY" as shown in the search.
Search:
index=pqr sourcetype=abc SERVICE_NAME=WORST MESSAGE=REQ |stats earliest(_time) as start by ACCNO | join ACCNO [ search index=pqr sourcetype=abc SERVICE_NAME=WORST MESSAGE=RES |stats earliest(_time) as END by ACCNO,COUNTRY,TYPE|eval Proc_time=START-END|table ACCNO,COUNTRY,TYPE,proc_time
Sample Data:
20140122T100510 SERVICE=WORST MESSAGE=REQ COUNTRY=USA ACCNO=1234
20140122T100513 SERVICE=WORST MESSAGE=RES COUNTRY=USA ACCNO=1234 TYPE=GOLD
20140122T100514 SERVICE=WORST MESSAGE=REQ COUNTRY=USA ACCNO=1432
20140122T100515 SERVICE=WORST MESSAGE=RES COUNTRY=USA ACCNO=1432 TYPE=SILVER
20140122T100516 SERVICE=WORST MESSAGE=REQ COUNTRY=USA ACCNO=1236
20140122T100518 SERVICE=WORST MESSAGE=RES COUNTRY=USA ACCNO=1236
Current output:
ACCNO COUNTRY TYPE proc_time(sec)
1234 USA GOLD 03
1432 USA SILVER 01
Expecting Output:
ACCNO COUNTRY TYPE proc_time(sec)
1234 USA GOLD 03
1432 USA SILVER 01
1236 USA null 02
Thanks in advance.
-PR
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
06-28-2016
06:53 PM
Try this
index=pqr sourcetype=abc SERVICE_NAME=WORST MESSAGE=REQ |stats earliest(_time) as start by ACCNO | join ACCNO [ search index=pqr sourcetype=abc SERVICE_NAME=WORST MESSAGE=RES |stats earliest(_time) as END values(COUNTRY) as COUNTRY values(TYPE) as TYPE by ACCNO]|eval Proc_time=START-END|table ACCNO, COUNTRY, TYPE, Proc_time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
06-29-2016
05:52 AM
Like this:
... | fillnull value="null" TYPE
| eventstats range(_time) AS proc_time_secs BY ACCNO COUNTRY
| stats first(proc_time_secs) AS proc_time_secs values(TYPE) AS TYPE BY ACCNO COUNTRY
| eval TYPE = mvindex(TYPE, 0)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
06-28-2016
06:53 PM
Try this
index=pqr sourcetype=abc SERVICE_NAME=WORST MESSAGE=REQ |stats earliest(_time) as start by ACCNO | join ACCNO [ search index=pqr sourcetype=abc SERVICE_NAME=WORST MESSAGE=RES |stats earliest(_time) as END values(COUNTRY) as COUNTRY values(TYPE) as TYPE by ACCNO]|eval Proc_time=START-END|table ACCNO, COUNTRY, TYPE, Proc_time
Get Updates on the Splunk Community!
Adoption of RUM and APM at Splunk
Unleash the power of Splunk Observability
Watch Now
In this can't miss Tech Talk! The Splunk Growth ...
Routing logs with Splunk OTel Collector for Kubernetes
The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...
Welcome to the Splunk Community!
(view in My Videos)
We're so glad you're here!
The Splunk Community is place to connect, learn, give back, and ...
