Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to filldown by multiple criteria ?

erichard
Explorer
‎02-06-2018 02:48 AM

I,

My use case :

We monitor change state events on projects :

{

date: 2018-02-06T11:00:07+01:00

id: 473184 <= event identifier
newStateId: 4

oldStateId: 2

projectId: 28381 <= project identifier
type: project_change_state

}

I need to know by day how many project are on the state "running" {2,3,4},
with the following request I'm able to extract the states change by day :

index="gtav21_logs" type=project_change_state projectId=12903
| sort id |eval _time=strptime('date',"%FT")
| stats last(id) as id,last(newStateId) as newStateId,first(newStateId) as oldStateId by _time
|table id,_time,newStateId

id _time newStateId
351577 2016-03-17 7
351578 2016-03-18 1
351579 2016-06-21 2
351575 2017-01-05 8

The problem is the gap between day, if I work on 1 project I can use makecontinuous & filldown but not scalable with
number of project >1.

My idea is to have something like :

projectId id _time newStateId
12903 351577 2016-03-17 7
12903 351578 2016-03-18 1
12903 >>351578 2016-03-19 1
12903 >>351578 2016-03-20 1
12903 >> ...
12903 351579 2016-06-21 2
12903 351575 2017-01-05 8
12904 ...
12904 ...

And then stats count by day,projectId ...

I hope to be clear enough ...

Thanks for your help !

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...