Splunk Search

How to filldown by multiple criteria ?

erichard
Explorer

Hi,

My use case:

We monitor state change events on projects:

{
  date: 2018-02-06T11:00:07+01:00
  id: 473184              <= event identifier
  newStateId: 4
  oldStateId: 2
  projectId: 28381        <= project identifier
  type: project_change_state
}

I need to know, by day, how many projects are in the "running" state {2,3,4}.
With the following search I'm able to extract the state changes by day:

index="gtav21_logs" type=project_change_state projectId=12903
| sort id | eval _time=strptime('date',"%FT")
| stats last(id) as id, last(newStateId) as newStateId, first(newStateId) as oldStateId by _time
| table id, _time, newStateId

id      _time       newStateId
351577  2016-03-17  7
351578  2016-03-18  1
351579  2016-06-21  2
351575  2017-01-05  8

The problem is the gap between days: if I work on one project I can use makecontinuous & filldown, but that is not scalable with
a number of projects > 1.

My idea is to have something like:

projectId  id        _time       newStateId
12903      351577    2016-03-17  7
12903      351578    2016-03-18  1
12903      >>351578  2016-03-19  1
12903      >>351578  2016-03-20  1
12903      >> ...
12903      351579    2016-06-21  2
12903      351575    2017-01-05  8
12904      ...
12904      ...

And then stats count by day, projectId ...

I hope this is clear enough ...

Thanks for your help!

0 Karma
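Added example, not part of the post above and written in Python rather than SPL: it implements the per-project equivalent of makecontinuous + filldown that the post is asking for, over a constructed set of state-change events in the shape shown, and then counts how many projects are in a running state {2,3,4} on each day. The events, ids and dates are made up for the example; the only things taken from the post are the event fields and the running-state set. Within a day the event with the highest id wins, mirroring the post's `sort id | stats last(...)`, and a project only starts contributing on the day of its first event, since its state before that is unknown (the same as filldown leaving leading empty rows empty).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# States the post treats as "running"
RUNNING_STATES = {2, 3, 4}

# Constructed sample events in the shape described in the post (not real data):
# three projects, several-day gaps between state changes, and for project 12904
# two changes on the same day (the higher id must win).
EVENTS = [
    {"date": "2016-03-17T11:00:07+01:00", "id": 351577, "projectId": 12903, "oldStateId": 1, "newStateId": 7, "type": "project_change_state"},
    {"date": "2016-03-18T09:12:00+01:00", "id": 351578, "projectId": 12903, "oldStateId": 7, "newStateId": 1, "type": "project_change_state"},
    {"date": "2016-03-20T16:40:31+01:00", "id": 351579, "projectId": 12903, "oldStateId": 1, "newStateId": 2, "type": "project_change_state"},
    {"date": "2016-03-23T08:05:44+01:00", "id": 351590, "projectId": 12903, "oldStateId": 2, "newStateId": 8, "type": "project_change_state"},
    {"date": "2016-03-18T10:00:00+01:00", "id": 351580, "projectId": 12904, "oldStateId": 1, "newStateId": 2, "type": "project_change_state"},
    {"date": "2016-03-18T15:30:00+01:00", "id": 351581, "projectId": 12904, "oldStateId": 2, "newStateId": 3, "type": "project_change_state"},
    {"date": "2016-03-22T12:00:00+01:00", "id": 351588, "projectId": 12904, "oldStateId": 3, "newStateId": 5, "type": "project_change_state"},
    {"date": "2016-03-19T09:00:00+01:00", "id": 351583, "projectId": 12905, "oldStateId": 1, "newStateId": 4, "type": "project_change_state"},
]


def event_day(event):
    """Day part of the event's local timestamp, what strptime(date, "%FT") keeps."""
    return datetime.fromisoformat(event["date"]).date()


def last_state_per_day(events):
    """For each (projectId, day) keep the newStateId of the highest event id,
    i.e. the last change of that day, like `sort id | stats last(newStateId)`."""
    best = {}  # (projectId, day) -> (id, newStateId)
    for ev in events:
        if ev.get("type") != "project_change_state":
            continue
        key = (ev["projectId"], event_day(ev))
        if key not in best or ev["id"] > best[key][0]:
            best[key] = (ev["id"], ev["newStateId"])
    return {key: state for key, (_, state) in best.items()}


def filldown_by_project(daily, end=None):
    """Per-project equivalent of makecontinuous + filldown: from each project's
    first known day up to `end` (default: last day seen for any project), emit
    one row per day, carrying the last known state across days with no change."""
    if not daily:
        return {}
    if end is None:
        end = max(day for _, day in daily)
    by_project = defaultdict(dict)
    for (project, day), state in daily.items():
        by_project[project][day] = state
    filled = {}
    for project, days in by_project.items():
        day = min(days)  # nothing is emitted before the project's first event
        state = None
        while day <= end:
            state = days.get(day, state)  # carry forward when no change that day
            filled[(project, day)] = state
            day += timedelta(days=1)
    return filled


def count_running_by_day(filled, running_states=RUNNING_STATES):
    """Number of distinct projects in a running state on each day
    (the `stats count by day, projectId` step of the post)."""
    counts = {}
    for (_, day), state in filled.items():
        counts.setdefault(day, 0)
        if state in running_states:
            counts[day] += 1
    return dict(sorted(counts.items()))


def main():
    daily = last_state_per_day(EVENTS)
    filled = filldown_by_project(daily)
    print("projectId  _time       newStateId")
    for (project, day), state in sorted(filled.items()):
        marker = "" if (project, day) in daily else ">>"  # >> marks a filled-down row
        print(f"{project}      {day}  {marker}{state}")
    print("\n_time       running")
    for day, n in count_running_by_day(filled).items():
        print(f"{day}  {n}")


if __name__ == "__main__":
    main()
```

In SPL the same reshaping is usually done by pivoting to one column per project (timechart span=1d last(newStateId) by projectId limit=0), running filldown on those columns, and then untable-ing back to one row per project and day before the final stats count.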