Splunk Search
Highlighted

How to use a field name from one search to perform another?

New Member

Hello.

I want to make a dashboard with statistics about errors that happen in our application. I've made column chart with errorOperationsCount/operationsCount.
Then I've added 1 panel on my dashboard and I want to fill it with timechart of results of top-1 operation from first search. I want to make it through hidden search (so that I just complement the first search), but I don't know how to do it. Can you help me, please?

My current implementation:

1) chart with errorOperationsCount/operationsCount

index=prt 
 | chart dc(trackingId) over operation by result 
 | addtotals 
 | eval ratio = 1 - coalesce(OK,0)/Total 
 | fields operation, ratio 
 | sort limit=25 -ratio

2) first panel (I couldn't come up with how to do it through using result of first search)

index=prt result=* 
[search index=prt result=* 
| chart dc(trackingId) over operation by result 
| addtotals 
| eval ratio = 1 - coalesce(OK,0)/Total 
| sort limit=1 -ratio |fields operation]
|timechart span=1h count by result
0 Karma
Highlighted

Re: How to use a field name from one search to perform another?

SplunkTrust
SplunkTrust

use a subsearch ?

0 Karma
Highlighted

Re: How to use a field name from one search to perform another?

New Member

I use subsearch. But how can I use it so that I will use the result of first search?

0 Karma
Highlighted

Re: How to use a field name from one search to perform another?

Legend

Try this (beware of Post process limitations)

*For you base search*

<search id="base"><query>index=prt | eventstats c(trackingid) as total c(eval(result="OK")) as ok by operation | eval ratio=ok/total</query></search>

For your first chart*

<search base="base">
<query>stats max(ratio) as ratio by operation | sort 25 -ratio</</query></search>

*For your panel*

<search base="base"><search>eventstats min(ratio) as min_ratio | where ratio=min_ratio | timechart span=1h c by result</query></search>
0 Karma
Highlighted

Re: How to use a field name from one search to perform another?

New Member

Thank you, sundareshr!
But I have result table like this

operation result
check 0.3
search 0.3
process 0.3

Which one of rows the "eventstats min(ratio) as minratio | where ratio=minratio" will resturn? I didn't write in my question, but I want to have 4 panels of top-4 error operations, not just 1. So I want to have some way to get the row number x and then make timechart for the operation number x. Thank you in advance for your attention to this matter.

0 Karma
Highlighted

Re: How to use a field name from one search to perform another?

Legend

eventstats works on all row. In this case, it is get the min(ratio) from all the rows a set that value to field min_ratio for all rows. For the 4 panels, you can use a combination of head & tail commands to get the specific row you need. So for the first panel, you will add head for the second row add head 2 | tail 1 for the third head 3 | tail 1 and for the fourth tail 1

0 Karma
Highlighted

Re: How to use a field name from one search to perform another?

New Member

But

index=prt result=*
 | eventstats c(eval(result!="")) as totalOp c(eval(result="OK")) as okOp by operation 
 | eval ratio=1-okOp/totalOp|stats max(ratio) as ratio by operation | sort 3 -ratio|head|timechart count(operation) by result 

doesn't return anything

0 Karma
Highlighted

Re: How to use a field name from one search to perform another?

Legend

That's because you have a stats command that does not include the _time field. Change the stats command to eventstats. So you search will look like this

index=prt result=*
| eventstats c(eval(result!="")) as totalOp c(eval(result="OK")) as okOp by operation 
| eval ratio=1-okOp/totalOp
| eventstats max(ratio) as ratio by operation 
| timechart count(operation)max(ratio)  by result 
| sort 3 -ratio 
| head 1
0 Karma