Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to edit search to find the amount time an event is in multi states?

sarfarajsayyad
New Member
‎11-18-2016 09:58 AM

I have an index with 30+ fields. One of the field is state. I want to find amount of time an event is in a particular states (comma separated states).

I have a macro like below

[TimeInState(1)]
args = States
join type=left data_id [search index="data_log" log_msg="State Established: $States$" | dedup log_id | sort 0 _time by id | delta _time as "offclock" p=1 | ......remaining search query
iseval = 0

This macro is working fine with single input (States="Open"). What changes i need to do to work with multiple comma separated states(States="Open,Working")?

I have tried using | makemv delim="," states | top states | but no success
and another issue is i want to do this before first pipe ( | ). i.e search index="datat_log" log_msg="State Established: $TicketStates$" Some logic here

Any advice and suggestions will be greatly appreciated
/Sarfaraj

0 Karma
Reply

maciep
Champion
‎11-21-2016 05:57 PM

Maybe you can use a subsearch to transform the States parameter the way you want? For example:

join type=left data_id [search index="data_log" [| stats count | eval log_msg =split($States$,",") | mvexpand log_msg | eval log_msg="State Established: " . log_msg | fields - count] | dedup log_id | . . .

You'll probably have to change the logic around the rest of the query to account for multiple states though I think.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...