Solved: How to use map command to run for each deviceid?

Kirthika · ‎07-12-2023

I have the following query,

index="xxxx" source="*$Device_ID$*xxxx*"
| eval Device_ID=mvindex(split(source,"/"),5)
| rex field=_raw "(?<timestamp>[^|]+)"
| table Device_ID timestamp
| streamstats count as s_no by Device_ID
| sort 0 - s_no
| table Device_ID s_no timestamp

How to use map or foreach command for the above query so it will run separately for each Deviceid

ITWhisperer · ‎07-12-2023

| eval time=strptime(timestamp,"%F %T.%4N")
| streamstats max(time) as latest_time
| where time >= latest_time

View solution in original post

richgalloway · ‎07-12-2023

The provided query appears to run for each Device_ID already. How is the query not meeting your expectations? What is the use case? Why do you think you need map or foreach?

---
If this reply helps you, Karma would be appreciated.

Kirthika · ‎07-12-2023

Hi @richgalloway ,

This is my whole query.

I'm trying to remove events which is decreasing inbetween. Here I have used "filldown" command. So it is messing up with other devices.

To get of this, I want to use map or foreach. But not sure how to implement in the above query.

Sample Data:

Timestamp

2021-08-09 12:26:55.7852
2021-08-09 12:26:56.2278
2021-08-09 12:26:56.2278
2021-08-09 12:26:56.3939
2021-08-09 12:26:39.2861
2021-08-09 12:26:40.3430
2021-08-09 12:26:41.3482
2021-08-09 12:26:41.4832
2021-08-09 12:26:56.8794
2021-08-09 12:26:57.8846
2021-08-09 12:26:58.9398
2021-08-09 12:26:59.9450
2021-08-09 12:26:59.9700
2021-08-09 12:26:59.9700
2021-08-09 12:27:00.8201
2021-08-09 12:27:00.8401
2021-08-09 12:27:01.0352
2022-03-30 10:09:25.6406
2022-03-30 10:09:25.8007
2022-03-30 10:09:26.8109
2022-03-30 10:09:27.5961
2022-03-30 10:09:27.5961

If you see the timestamp which is marked as bold, seconds value got decreasing inbetween , I'm trying to ignore those events.

Somecase hours or minutes also will decrease

ITWhisperer · ‎07-12-2023

| eval time=strptime(timestamp,"%F %T.%4N")
| streamstats max(time) as latest_time
| where time >= latest_time

Kirthika · ‎07-12-2023

Thank you @ITWhisperer . Can you please help me with where should i add those lines you mentioned

ITWhisperer · ‎07-12-2023

Try something like this

index="xxxx" source="*$Device_ID$*xxxx*"
| eval Device_ID=mvindex(split(source,"/"),5)
| rex field=_raw "(?<timestamp>[^|]+)"
| table Device_ID timestamp
| streamstats count as s_no by Device_ID
| sort 0 - s_no
| table Device_ID s_no timestamp
| eval time=strptime(timestamp,"%F %T.%4N")
| streamstats global=f max(time) as latest_time by Device_ID
| where time >= latest_time

Kirthika · ‎07-25-2023

Hi @ITWhisperer ,

| streamstats global=f max(time) as latest_time by Device_ID
| where time >= latest_time

This is giving accurate results. But when i enable scheduled search, it is running in fast mode. In fast mode, I found few events are missing. Is there any alternate way for this command

How to use map command to run for each deviceid?

field extraction

metadata

other

regex

search job inspector

stats

subsearch

transaction

tstats

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)