Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use map command to run for each deviceid?

Kirthika
Path Finder
‎07-12-2023 01:41 AM

I have the following query,

 

index="xxxx" source="*$Device_ID$*xxxx*"
| eval Device_ID=mvindex(split(source,"/"),5)
| rex field=_raw "(?<timestamp>[^|]+)"
| table Device_ID timestamp
| streamstats count as s_no by Device_ID
| sort 0 - s_no
| table Device_ID s_no timestamp

How to use map or foreach command for the above query so it will run separately for each Deviceid

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-12-2023 08:50 AM 
| eval time=strptime(timestamp,"%F %T.%4N")
| streamstats max(time) as latest_time
| where time >= latest_time

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-12-2023 05:55 AM

The provided query appears to run for each Device_ID already.  How is the query not meeting your expectations?  What is the use case?  Why do you think you need map or foreach?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

Kirthika
Path Finder
‎07-12-2023 08:35 AM

Hi @richgalloway ,

 

This is my whole query.

index="xxxx" source="*$Device_ID$*xxxx*"
| eval Device_ID=mvindex(split(source,"/"),5)
| rex field=_raw "(?<timestamp>[^|]+)"
| table Device_ID timestamp
| streamstats count as s_no by Device_ID
| sort 0 - s_no
| table Device_ID s_no timestamp

 

I'm trying to remove events which is decreasing inbetween. Here I have used "filldown" command. So it is messing up with other devices.

To get of this, I want to use map or foreach. But not sure how to implement in the above query.

 

Sample Data:

Timestamp 

2021-08-09 12:26:55.7852
2021-08-09 12:26:56.2278
2021-08-09 12:26:56.2278
2021-08-09 12:26:56.3939
2021-08-09 12:26:39.2861
2021-08-09 12:26:40.3430
2021-08-09 12:26:41.3482
2021-08-09 12:26:41.4832
2021-08-09 12:26:56.8794
2021-08-09 12:26:57.8846
2021-08-09 12:26:58.9398
2021-08-09 12:26:59.9450
2021-08-09 12:26:59.9700
2021-08-09 12:26:59.9700
2021-08-09 12:27:00.8201
2021-08-09 12:27:00.8401
2021-08-09 12:27:01.0352
2022-03-30 10:09:25.6406
2022-03-30 10:09:25.8007
2022-03-30 10:09:26.8109
2022-03-30 10:09:27.5961
2022-03-30 10:09:27.5961

If you see the timestamp which is marked as bold, seconds value got decreasing inbetween , I'm trying to ignore those events.

 Somecase hours or minutes also will decrease

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-12-2023 08:50 AM 
| eval time=strptime(timestamp,"%F %T.%4N")
| streamstats max(time) as latest_time
| where time >= latest_time
0 Karma
Reply
Solved! Jump to solution

Kirthika
Path Finder
‎07-12-2023 10:47 AM

Thank you @ITWhisperer . Can you please help me with where should i add those lines you mentioned

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-12-2023 10:36 PM

Try something like this

index="xxxx" source="*$Device_ID$*xxxx*"
| eval Device_ID=mvindex(split(source,"/"),5)
| rex field=_raw "(?<timestamp>[^|]+)"
| table Device_ID timestamp
| streamstats count as s_no by Device_ID
| sort 0 - s_no
| table Device_ID s_no timestamp
| eval time=strptime(timestamp,"%F %T.%4N")
| streamstats global=f max(time) as latest_time by Device_ID
| where time >= latest_time
0 Karma
Reply
Solved! Jump to solution

Kirthika
Path Finder
‎07-25-2023 11:27 PM

Hi @ITWhisperer ,

| streamstats global=f max(time) as latest_time by Device_ID
| where time >= latest_time

This is giving accurate results. But when i enable scheduled search, it is running in fast mode. In fast mode, I found few events are missing. Is there any alternate way for this command

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

  Now On Demand  Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research ...

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Automated Archival is a new capability within Metrics Management; which is a robust usage & cost optimization ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...
Top