Splunk Search

How to give threshold values dynamically in the search query

deepthi5
Path Finder

Hi Team,

I have different sites separated according to tiers, with each tier having a different threshold value.
Ex:

Mumbai - Tier 1

Cebu - Tier 2
Gurgaon - Tier 2

Hyderabad - Tier 3

Tier 1 threshold value=70%
Tier 2 threshold value=80%
Tier 3 threshold value=90%

Right now I have a combo box from which I can select a tier, and my chart will display graphs for sites in that tier,
but now I want to know how many sites' network consumption is exceeding a particular threshold. How can I change that according to the tier selected?

Here is the search query where I want to change my threshold according to the tier selected in the combo box:

source="C:\Network Analysis\tier1\rusxwalmartedc S0-0-0.csv" OR source="C:\Network Analysis\tier1\rdinmumbai010-7-1 S2-0.csv" OR source="C:\Network Analysis\tier1\rdgbreddit010-1-2 Gig0-2.csv" OR source="C:\Network Analysis\tier2\rdingurgao010-5-1 f0-1.csv" OR source="C:\Network Analysis\tier3\rdinsecund010-5-2 Gig0-0.csv" OR source="C:\Network Analysis\tier2\rdphcebu010-5-1 f0-2-0.csv" host="SEZ00VVM-153" sourcetype="csv"
| rex field=source "(?<country>.*?)$"
| lookup datacentre.csv country OUTPUT receivebandwidth sitename tier
| search tier=tier1
| eval Intraffic=IN/1048576
| eval Outtraffic=Out/1048576
| eval result=(Intraffic)+(Outtraffic)
| eval seventyperc=receivebandwidth*0.7
| eval eightyperc=receivebandwidth*0.8
| eval nightyperc=receivebandwidth*0.9
| where result>seventyperc
| stats values(result) AS Inout, values(seventyperc) AS "70%", values(eightyperc) AS "80%", values(nightyperc) AS "90%", values(receivebandwidth) AS "100%", count AS nc BY sitename _time
| bin _time span=1d
| stats sum(nc) AS NOC BY sitename _time
| eval NOH=NOC*5/60
| timechart span=1d values(NOH) AS total BY sitename

0 Karma
1 Solution

woodcock
Esteemed Legend

Add a case statement like this:

... | eval thresholdValue=case(tier="tier1", 70, tier="tier2", 80, tier="tier3", 90, true(), 0) | ...

So it would be like this:

source="C:\Network Analysis\tier1\rusxwalmartedc S0-0-0.csv" OR source="C:\Network Analysis\tier1\rdinmumbai010-7-1 S2-0.csv" OR source="C:\Network Analysis\tier1\rdgbreddit010-1-2 Gig0-2.csv" OR source="C:\Network Analysis\tier2\rdingurgao010-5-1 f0-1.csv" OR source="C:\Network Analysis\tier3\rdinsecund010-5-2 Gig0-0.csv" OR source="C:\Network Analysis\tier2\rdphcebu010-5-1 f0-2-0.csv" host="SEZ00VVM-153" sourcetype="csv"
| rex field=source "(?<country>.*?)$"
| lookup datacentre.csv country OUTPUT receivebandwidth sitename tier
| search tier=tier1
| eval Intraffic=IN/1048576
| eval Outtraffic=Out/1048576
| eval result=(Intraffic)+(Outtraffic)
| eval seventyperc=receivebandwidth*0.7
| eval eightyperc=receivebandwidth*0.8
| eval nightyperc=receivebandwidth*0.9
| eval thresholdValue=case(tier="tier1", 70, tier="tier2", 80, tier="tier3", 90, true(), 0)
| where result>thresholdValue
| stats values(result) AS Inout, values(seventyperc) AS "70%", values(eightyperc) AS "80%", values(nightyperc) AS "90%", values(receivebandwidth) AS "100%", count AS nc BY sitename _time
| bin _time span=1d
| stats sum(nc) AS NOC BY sitename _time
| eval NOH=NOC*5/60
| timechart span=1d values(NOH) AS total BY sitename


deepthi5
Path Finder

That worked, thank you so much ...

0 Karma

gcato
Contributor

Hi deepthi5,

I believe what you're looking for is the ability to define new tokens based on the conditional input choices. The Splunk documentation has a good example here:

http://docs.splunk.com/Documentation/Splunk/6.2.5/Viz/PanelreferenceforSimplifiedXML#condition_.28in...

Here's a run-anywhere example as well...

<form>
  <label>Language</label>
  <fieldset submitButton="false">
    <input type="radio" token="myChoice" searchWhenChanged="true">
      <label>Language Choice</label>
      <choice value="lang1">English</choice>
      <choice value="lang2">Spanish</choice>
      <choice value="lang3">French</choice>
      <change>
        <condition label="English">
          <set token="myConditionalChoice">"Hello, world"</set>
          <set token="mylang">English</set>
        </condition>
        <condition label="Spanish">
          <set token="myConditionalChoice">"Hola mundo"</set>
          <set token="mylang">Espagnol</set>
        </condition>
        <condition value="lang3">
          <set token="myConditionalChoice">"Bonjour le monde"</set>
          <set token="mylang">Français</set>
        </condition>
      </change>
      <default>lang1</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>
            | stats count |eval greeting=$myConditionalChoice|s$ | eval out = "$mylang$" . ": " . greeting | fields out
          </query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>

Hopefully, you'll be able to use these examples to modify your search form to match your needs.

0 Karma