Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to do postprocessing without a join?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=abc caller-id IN ("8179f4c86", "926bbcf8957a") component=Chatbot
| join transaction id
[ search index=pqr component=$MSComp$
logpoint=response-out (status="ok" OR status="error" OR status="failure" OR status="timeout")]
| timechart span=$span$ count(eval(status="ok")) as Success count(eval(status="error")) as Error ,count(status) as total
| eval Success=round((Success/total)*100,2)
| eval Error=round((Error/total)*100,2)
| eval failure=100-(Success+Error)
| fields _time, failure ,Error,Success
I have lots of panels where this join is made.
Please help me with postprocessing without a join.
condition is : transaction -ids for the caller-ids in abc index is ame as transaction-ids in index pqr
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi shraddhamuduli
sometimes you can replace join or transaction with stats command, try something like this:
(index=abc (caller-id="8179f4c86" OR caller-id="926bbcf8957a") component=Chatbot)
OR (index=pqr component=$MSComp$ logpoint=response-out (status="ok" OR status="error" OR status="failure" OR status="timeout"))
| bin _time span=$span$
| stats values(status) AS status BYtransaction-id _time
| timechart count(eval(status="ok")) as Success count(eval(status="error")) as Error count(status) as total
| eval Success=round((Success/total)*100,2)
| eval Error=round((Error/total)*100,2)
| eval failure=100-(Success+Error)
| fields _time failure Error Success
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you saying that the first search is your base search and the rest of your stuff below is your post-process search and furthermore that you have many panels with similar post-process searches which all start with the same |join []? If so, why not move the join to the base search?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi shraddhamuduli
sometimes you can replace join or transaction with stats command, try something like this:
(index=abc (caller-id="8179f4c86" OR caller-id="926bbcf8957a") component=Chatbot)
OR (index=pqr component=$MSComp$ logpoint=response-out (status="ok" OR status="error" OR status="failure" OR status="timeout"))
| bin _time span=$span$
| stats values(status) AS status BYtransaction-id _time
| timechart count(eval(status="ok")) as Success count(eval(status="error")) as Error count(status) as total
| eval Success=round((Success/total)*100,2)
| eval Error=round((Error/total)*100,2)
| eval failure=100-(Success+Error)
| fields _time failure Error Success
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks
Just one concern :
The OR will give results belonging to caller-id in index=abc + the results belonging to index=pqr
here pqr might contain data belonging to other caller-ids as well
The flow is like
the data belonging to caller-ids in first index and the data belonging to same caller-id belonging to 2nd index is same on the basis of transaction id
the caller-id value changes when the data flows from index abc to index pqr
note, pqr is the 2nd layer(or entry point) to index layer abc
Splunk Mobile: Your Brand-New Home Screen
Introducing Value Insights (Beta): Understand the Business Impact your organization ...
Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...
