Splunk Search

How to edit my search for a sorted and separated top error list with a top customer list per each error?

lennys26
Communicator

I have a search which gives a top 5 list of faults (S3_call_error2) for a customer base. Instead of just showing the list, I would like to have the system provide the worst customers (S3_call_dest_regid) for each fault.

For example, my current search:

index="genband-cdr" AM00SBC07 OR AM00SBC08 | fillnull value="sucessful" S3_call_error2 | top S3_call_error2 useother=f BY S3_call_dest_regid | where percent >3 |top 10 S3_call_error2

This currently will return a table of 3 columns "S3_call_error2", "count", "percent", with the total count for each error. I would like to be able to see this broken down further to also show the ErrorType1 and then the top customers reporting that error, for each of the errors.

Any suggestions?

1 Solution

reed_kelly
Contributor

Depending on how many rows you are talking about, you could use the map command to get the top customers for each error. By appending the original list to the result of the map command and then doing some creative sorting, you could get it all into one report.

lennys26
Communicator

After some digging and banging, I have managed to get the search to work with the recommended MAP sub-search.

Below is the search string that I have ended up using:

index="genband-cdr" AM00SBC07 OR AM00SBC08 | fillnull value="sucessful" S3_call_error2 | top S3_call_error2 useother=f | where percent >3| map search="search S3_call_error2=$S3_call_error2$ | top S3_call_error2 by S3_call_dest_custid |sort 3 -count |rename S3_call_dest_custid AS PTSID S3_call_error2 AS Error| table PTSID, Error"

This returns a table showing the top 3 customers (S3_call_dest_custid) reporting each of the errors (S3_call_error2) being reported.

lennys26
Communicator

Another issue - The above does work as an independent search item, however when I put it into a dashboard, I get a "Search is waiting for input... " message.

Any thoughts as to why?

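The single report reed_kelly sketches, worked out as an added example (not a search posted in this thread) against the fields and sources used in lennys26's searches. Instead of appending the error totals, it carries each error's count and percent into the mapped rows through map tokens, repeats the fillnull inside the mapped search so the filled "sucessful" value can actually be matched, and assumes 2 customers per error with S3_call_dest_regid as the customer field.

```spl
index="genband-cdr" AM00SBC07 OR AM00SBC08
| fillnull value="sucessful" S3_call_error2
| top S3_call_error2 useother=f
| where percent > 3
| map maxsearches=20 search="search index=\"genband-cdr\" (AM00SBC07 OR AM00SBC08) | fillnull value=\"sucessful\" S3_call_error2 | search S3_call_error2=\"$S3_call_error2$\" | top limit=2 S3_call_dest_regid | eval Error=\"$S3_call_error2$\", error_count=$count$, error_percent=round($percent$, 2) | rename S3_call_dest_regid AS Customer, count AS customer_count, percent AS customer_percent | table Error error_count error_percent Customer customer_count customer_percent"
| sort -error_count, Error, -customer_count
```

When this search goes into a Simple XML dashboard, write every map token with doubled dollar signs (`$$S3_call_error2$$`, `$$count$$`, `$$percent$$`); a single `$...$` is read by the dashboard as an unset input token, which is what produces the "Search is waiting for input..." message.
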
lennys26
Communicator

As stated above, the resulting rows (S3_call_error2) are only about 4 normally, but likely less. The end result of what I want will result in the top 2 customers for each error, so we are looking at 8 max rows after my subsearch.

I am trying to play with the map and append commands, however so far no success.

somesoni2
SplunkTrust
SplunkTrust

Are all the customer fields available in the same index? What are those fields? Can you post some sample data OR name of the fields available?

lennys26
Communicator

Yes - all of the fields are in the same index.
I mistyped something in the above question, so replace the 'ErrorType1' statement with S3_call_error2.

The events contain dozens of fields however the relevant ones are:

  1. S3_call_error2 --This is the error type
  2. S3_call_dest_regid --This is the customer name

count and percent are calculated.

There are only about 15 possible values for S3_call_error2, however in the above, the results are limited by the percent statement (3%) to about 4 or so.