Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to convert at InfluxDB SQL query to a Splunk SPL search?

registration9
New Member
‎05-12-2017 02:36 PM

We have a FIG (fluentD/InfluxDB/Grafana) setup in which we want to change the IG part to Splunk. We have several dashboards we need to convert. A picture of 1 of them is attached. The SQL query we use is:

SELECT mean(\"value\") FROM \"dev.agent\" WHERE (\"type\" = 'traffic-stats.rxpps' OR \"type\" = 'traffic-stats.txpps') AND \"device\" =~ /$host_regex/ AND \"interface\" =~ /$interface$/ AND $timeFilter GROUP BY \"device\", \"interface\", \"type\", time($GroupBy)"

What would the SPL look like? I have fluentD pushing the data into its only index in Splunk. The index is called "sandbox"

I assume the SPL query would start with

index="sandbox" AND (type="traffic-stats.rxpps" OR type="traffic-stats.txpps") AND (device=

That's as far as I have gotten. I need to dynamical select a device and interface. I have no clue how to code the "GROUP BY" SPL equivalent.

Thanks
alt text

Preview file
77 KB
0 Karma
Reply

indeed_2000
Motivator
‎07-17-2022 11:40 PM

@registration9 did you connect splunkdb with influxdb?

i try it but got error:

https://community.splunk.com/t5/Splunk-Search/driver-influxdb-to-splunk-db/m-p/605850#M210681

would please how do you do this?

 Thanks 

0 Karma
Reply

woodcock
Esteemed Legend
‎05-12-2017 04:50 PM

Like this:

index="sandbox" earliest=timeFilterMinValue latest=timeFilterMaxValue AND (type="traffic-stats.rxpps" OR type="traffic-stats.txpps")
| where match(device, "HostRegExHere") AND match(interface, "InterfaceRegExHere")
| eval dev_int_type = device . "/" . interface . "/". type
| timechart span=5m mean(value) BY dev_int_type
0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...