Splunk Search

How to retrieve the events based on the selected values from the Statistics table

rajeswariramar
New Member

Hey,

I am trying to retrieve the events based on the selected values from the Statistics table:

IBD   TOTAL  SUCCESS  FALED  MAXRESPONSE  MINRESPONSE  AVGRESPONSE
IBD1  1149   1149     0      19432        693          1772.423847
IBD2  250    230      20     16532        18           2382.612000
IBD3  161    161      0      13801        741          1950.329193
IBD4  129    128      1      7395         45           2132.674419
IBD5  113    113      0      6324         825          1728.646018

index=* sourcetype=VM_STATS  |  stats count as TOTAL, count(eval(Status="SUCCESS")) as SUCCESS, count(eval(Status!="SUCCESS")) as FALED , max(TimeTaken) as MAXRESPONSE, MIN(TimeTaken) as MINRESPONSE, avg(TimeTaken) as AVGRESPONSE by IBD | sort 10 -SUCCESS

For example, if I select the MINRESPONSE value for IBD1, it should return that particular event alone instead of returning all the events listed under IBD1.

Is it possible to retrieve the events based on the selected values?

0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust

Hi @rajeswariramar,

In your case you can achieve your requirement by adding a cell-level drilldown to the table view.
Add the drilldown code below to your table view.

Can you please try the code below?

<table>
    <search>
        <query>index=* sourcetype=VM_STATS  |  stats count as TOTAL, count(eval(Status="SUCCESS")) as SUCCESS, count(eval(Status!="SUCCESS")) as FALED , max(TimeTaken) as MAXRESPONSE, MIN(TimeTaken) as MINRESPONSE, avg(TimeTaken) as AVGRESPONSE by IBD | sort 10 -SUCCESS</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
        <sampleRatio>1</sampleRatio>
    </search>
    <option name="count">20</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="percentagesRow">false</option>
    <option name="rowNumbers">false</option>
    <option name="totalsRow">false</option>
    <option name="wrap">true</option>
    <drilldown>
        <!-- each condition matches the clicked column; $row.IBD$ is the IBD of the clicked row -->
        <condition field="IBD">
            <link target="_blank">search?q=index=* sourcetype=VM_STATS IBD="$row.IBD$"&amp;earliest=-24h@h&amp;latest=now</link>
        </condition>
        <condition field="TOTAL">
            <link target="_blank">search?q=index=* sourcetype=VM_STATS IBD="$row.IBD$"&amp;earliest=-24h@h&amp;latest=now</link>
        </condition>
        <condition field="SUCCESS">
            <link target="_blank">search?q=index=* sourcetype=VM_STATS IBD="$row.IBD$" Status="SUCCESS"&amp;earliest=-24h@h&amp;latest=now</link>
        </condition>
        <condition field="FALED">
            <link target="_blank">search?q=index=* sourcetype=VM_STATS IBD="$row.IBD$" Status!="SUCCESS"&amp;earliest=-24h@h&amp;latest=now</link>
        </condition>
        <!-- MAX/MIN: match the aggregated value exactly so only the event(s) that produced it are returned -->
        <condition field="MAXRESPONSE">
            <link target="_blank">search?q=index=* sourcetype=VM_STATS IBD="$row.IBD$" TimeTaken="$row.MAXRESPONSE$"&amp;earliest=-24h@h&amp;latest=now</link>
        </condition>
        <condition field="MINRESPONSE">
            <link target="_blank">search?q=index=* sourcetype=VM_STATS IBD="$row.IBD$" TimeTaken="$row.MINRESPONSE$"&amp;earliest=-24h@h&amp;latest=now</link>
        </condition>
        <!-- an average is not a single event, so show every event for the row -->
        <condition field="AVGRESPONSE">
            <link target="_blank">search?q=index=* sourcetype=VM_STATS IBD="$row.IBD$" TimeTaken=*&amp;earliest=-24h@h&amp;latest=now</link>
        </condition>
    </drilldown>
</table>

Note: I have hard-coded the last 24 hours as the time range, so replace it with your token.

Thanks
Kamlesh


0 Karma

mayurr98
Super Champion

Hey, you can achieve this with the drilldown method!

Copy this XML into a new dashboard and see if you get the desired results!

<form>
  <label>test</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=* sourcetype=VM_STATS  |  stats count as TOTAL, count(eval(Status="SUCCESS")) as SUCCESS, count(eval(Status!="SUCCESS")) as FALED , max(TimeTaken) as MAXRESPONSE, MIN(TimeTaken) as MINRESPONSE, avg(TimeTaken) as AVGRESPONSE by IBD | sort 10 -SUCCESS</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <set token="IBD">$row.IBD$</set>
          <set token="TimeTaken">$row.MINRESPONSE$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>index=* sourcetype=VM_STATS IBD=$IBD$ TimeTaken=$TimeTaken$</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

Let me know if this helps you!

0 Karma
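The two answers above show the two halves of the solution: the accepted answer filters differently per clicked column (but opens a new search page with a hard-coded time range), while the form above keeps the results inside the dashboard (but always filters on MINRESPONSE whatever cell is clicked). The following dashboard is an added example, not code from either poster, that combines both: a `<condition>` per column sets a filter token, a catch-all `<condition>` handles the columns where a single event makes no sense (an average is not one event), and the second panel stays hidden until a cell is clicked. It assumes the field names from the question (IBD, Status, TimeTaken) and the sourcetype VM_STATS; the token names `tp`, `ibd`, `col` and `filter` are my own choice, and `$click.name2$` is Splunk's built-in token for the clicked column name.

```xml
<form>
  <label>VM_STATS cell drilldown (added example)</label>
  <fieldset submitButton="false">
    <input type="time" token="tp">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Summary by IBD (click a cell)</title>
      <table>
        <search>
          <query>index=* sourcetype=VM_STATS | stats count as TOTAL, count(eval(Status="SUCCESS")) as SUCCESS, count(eval(Status!="SUCCESS")) as FALED, max(TimeTaken) as MAXRESPONSE, min(TimeTaken) as MINRESPONSE, avg(TimeTaken) as AVGRESPONSE by IBD | sort 10 -SUCCESS</query>
          <earliest>$tp.earliest$</earliest>
          <latest>$tp.latest$</latest>
        </search>
        <option name="count">20</option>
        <option name="drilldown">cell</option>
        <drilldown>
          <!-- the clicked column decides the extra filter; the clicked row supplies the IBD -->
          <condition field="SUCCESS">
            <set token="ibd">$row.IBD$</set>
            <set token="col">$click.name2$</set>
            <set token="filter">Status="SUCCESS"</set>
          </condition>
          <condition field="FALED">
            <set token="ibd">$row.IBD$</set>
            <set token="col">$click.name2$</set>
            <set token="filter">Status!="SUCCESS"</set>
          </condition>
          <!-- exact match on the aggregated value returns only the event(s) that produced it -->
          <condition field="MINRESPONSE">
            <set token="ibd">$row.IBD$</set>
            <set token="col">$click.name2$</set>
            <set token="filter">TimeTaken=$row.MINRESPONSE$</set>
          </condition>
          <condition field="MAXRESPONSE">
            <set token="ibd">$row.IBD$</set>
            <set token="col">$click.name2$</set>
            <set token="filter">TimeTaken=$row.MAXRESPONSE$</set>
          </condition>
          <!-- default for IBD, TOTAL and AVGRESPONSE: an average is not a single event, show all -->
          <condition>
            <set token="ibd">$row.IBD$</set>
            <set token="col">$click.name2$</set>
            <set token="filter">TimeTaken=*</set>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <!-- depends hides this panel until the filter token has been set by a click -->
    <panel depends="$filter$">
      <title>Events for $ibd$ (clicked column: $col$)</title>
      <table>
        <search>
          <query>index=* sourcetype=VM_STATS IBD="$ibd$" $filter$ | table _time IBD Status TimeTaken</query>
          <earliest>$tp.earliest$</earliest>
          <latest>$tp.latest$</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```

The `<condition>` without a `field` attribute acts as the default branch, so a click on IBD, TOTAL or AVGRESPONSE lists every event for that row rather than a search that can never match (no event has TimeTaken equal to a fractional average). Because the second panel shares the time picker with the first, the exact-value match for MINRESPONSE and MAXRESPONSE is evaluated over the same events the stats were computed from; if several events share the minimum value, all of them are returned, which is the correct answer to "which event(s) produced this number".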


rajeswariramar
New Member

Thank you, it's working now.

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

Glad to help you.

0 Karma