Hello folks,
I have Logger lines as below:
job MONITOR-DESYNC-3-20I-ERNC: { "chain":"PR1", "nbProperties":1345, "propertyStartCount":1, "nbPropertyPerExecution":5, "propertyEndCount":6, "nbPropertyForCurrentExecution":5 }
job MONITOR-DESYNC-3-20I-ERNC: { "chain":"PR2", "nbProperties":1345, "propertyStartCount":6, "nbPropertyPerExecution":5, "propertyEndCount":11, "nbPropertyForCurrentExecution":5 }
These lines continue until propertyEndCount = nbProperties, but sometimes it does not become equal and stops randomly, like below.
This job stopped at "propertyEndCount":1076 only
job MONITOR-DESYNC-3-6AQ-Q7Z: { "chain":"PR1", "nbProperties":1345, "propertyStartCount":1071, "nbPropertyPerExecution":5, "propertyEndCount":1076, "nbPropertyForCurrentExecution":5 }
Splunk query to find how many hotels got covered for each chain. In this case
Output Expected is:
chain   total-property   covered-property
PR1     1345             1076
PR2     1345             1000
I am quite new to Splunk queries. I think if I could somehow fetch the value of propertyEndCount from the last event, then it should work.
Could anyone provide a solution to get the expected result mentioned above?
Thanks in advance.
Hi @Sanjana,
you could use stats and try something like this:
<your_search>
| stats max(propertyStartCount) AS propertyStartCount max(propertyEndCount) AS propertyEndCount BY chain nbProperties
| where propertyEndCount>propertyStartCount
In this way you group transactions by chain and nbProperties, and you have only the transactions where start and end count are different.
Ciao.
Giuseppe
Hello @gcusello
Thanks for the response.
But I am not able to fetch data as expected. No statistics are coming.
Hi @Sanjana,
sorry but I don't understand: why aren't you able to perform a stats command?
The problem is that you have many events and you need to take only the last value.
Ciao.
Giuseppe
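An added example, not part of any post in this thread: a self-contained search that builds three constructed events (shortened from the log lines in the question), pulls the JSON object out from behind the "job <id>:" prefix with rex, parses it with spath, and takes the highest propertyEndCount per chain. It assumes the JSON fields are not extracted automatically because of that prefix, and that propertyEndCount only ever increases within a chain, so its maximum equals the value in the last event; the field names raw, job and json are introduced here for illustration.

```spl
| makeresults
| eval raw=split("job MONITOR-DESYNC-3-20I-ERNC: {\"chain\":\"PR1\",\"nbProperties\":1345,\"propertyEndCount\":6}##job MONITOR-DESYNC-3-20I-ERNC: {\"chain\":\"PR2\",\"nbProperties\":1345,\"propertyEndCount\":11}##job MONITOR-DESYNC-3-6AQ-Q7Z: {\"chain\":\"PR1\",\"nbProperties\":1345,\"propertyEndCount\":1076}", "##")
| mvexpand raw
| rex field=raw "^job\s+(?<job>\S+):\s+(?<json>\{.+\})\s*$"
| spath input=json
| stats max(nbProperties) AS "total-property" max(propertyEndCount) AS "covered-property" BY chain
```

Against real events, replace the first three lines with the base search and drop field=raw so that rex reads _raw. Add job to the BY clause to see coverage per job run instead of per chain.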