Splunk Search

How to filldown by multiple criteria ?

erichard
Explorer

Hi,

My use case :

We monitor change state events on projects :

{
  date: 2018-02-06T11:00:07+01:00
  id: 473184            <= event identifier
  newStateId: 4
  oldStateId: 2
  projectId: 28381      <= project identifier
  type: project_change_state
}

I need to know, by day, how many projects are in the "running" state {2,3,4}.
With the following request I'm able to extract the state changes by day:

index="gtav21_logs" type=project_change_state projectId=12903
| sort id | eval _time=strptime('date',"%FT")
| stats last(id) as id, last(newStateId) as newStateId, first(newStateId) as oldStateId by _time
| table id, _time, newStateId

id      _time       newStateId
351577  2016-03-17  7
351578  2016-03-18  1
351579  2016-06-21  2
351575  2017-01-05  8

The problem is the gap between days: if I work on 1 project I can use makecontinuous & filldown, but this is not scalable with a number of projects > 1.

My idea is to have something like :

projectId  id        _time       newStateId
12903      351577    2016-03-17  7
12903      351578    2016-03-18  1
12903      >>351578  2016-03-19  1
12903      >>351578  2016-03-20  1
12903      >> ...
12903      351579    2016-06-21  2
12903      351575    2017-01-05  8
12904      ...
12904      ...

And then stats count by day, projectId ...

I hope to be clear enough ...

Thanks for your help !
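The per-project makecontinuous + filldown that the question asks for, as an added reference implementation in Python (not from the original post, and not SPL): it reproduces the intended table outside Splunk on constructed sample events, so the expected per-day counts can be checked before building the search. The `until` parameter (last day of the reporting window) is an assumption added here so a project whose last change is state 2 still counts as running on later days.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample events (not real data): state changes for two projects.
EVENTS = [
    {"id": 351577, "date": "2016-03-17T10:00:00+01:00", "projectId": 12903, "newStateId": 7},
    {"id": 351578, "date": "2016-03-18T09:30:00+01:00", "projectId": 12903, "newStateId": 1},
    {"id": 351579, "date": "2016-03-21T08:15:00+01:00", "projectId": 12903, "newStateId": 2},
    {"id": 351580, "date": "2016-03-18T14:00:00+01:00", "projectId": 12904, "newStateId": 3},
    {"id": 351581, "date": "2016-03-20T16:45:00+01:00", "projectId": 12904, "newStateId": 8},
]
RUNNING = {2, 3, 4}  # state ids that count as "running"


def last_state_per_day(events):
    """Like `sort id | stats last(newStateId) by projectId, day`:
    keep the state set by the highest event id on each (project, day)."""
    per_day = {}
    for ev in sorted(events, key=lambda e: e["id"]):
        per_day[(ev["projectId"], ev["date"][:10])] = ev["newStateId"]
    return per_day


def filldown_by_project(per_day, until=None):
    """makecontinuous + filldown, applied separately to each projectId.
    until: optional "YYYY-MM-DD" end of the reporting window (assumed param)."""
    by_project = defaultdict(dict)
    for (pid, day), state in per_day.items():
        by_project[pid][date.fromisoformat(day)] = state
    filled = {}
    for pid, days in by_project.items():
        day, end = min(days), max(days)
        if until:
            end = max(end, date.fromisoformat(until))
        state = None
        while day <= end:  # walk every calendar day, carrying the last state
            state = days.get(day, state)
            filled[(pid, day.isoformat())] = state
            day += timedelta(days=1)
    return filled


def running_per_day(filled):
    """`stats count by day` over projects whose filled state is in RUNNING."""
    counts = defaultdict(int)
    for (_pid, day), state in filled.items():
        if state in RUNNING:
            counts[day] += 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    print(running_per_day(filldown_by_project(last_state_per_day(EVENTS))))
```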
