Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to write a query to get the result clusterwise

iqbalintouch
Path Finder
‎04-14-2018 08:48 PM

So my base Query to check sell is below:-

index=myapp sourcetype=my_sourcetype host="*myhost*" "Logger*" AND "sold event" vertical=H

Now, I need to write an efficient and fast query which shows cluster-wise sell?

like my_host1 - my_host3 is cluster 1
AND my_host4 - my_host6 is cluster 2
AND my_host7 - my_host9 is cluster 3

0 Karma
Reply

DalJeanis
Legend
‎04-15-2018 04:41 PM

Okay, you've almost got it. One problem you are running into now is probably because you are using incorrect syntax for your comparisons.

When you are running a search, you can use * at the end of a literal to tell splunk to match anything else that follows.

| search host="myhost_01*"

However, that comparison is not valid as a normal boolean test. In a boolean, you need to use one of the eval functions such aslike(variable,SQLPattern) or match(variable,RegexPattern), as per this...

| eval cluster=case(like(host,"my_host01%"), "FirstValue", ... )

...or this...

| eval cluster=case(match(host,"my_host01.*"), "FirstValue", ... )
0 Karma
Reply

p_gurav
Champion
‎04-14-2018 09:55 PM

Can you write eval:

| eval cluster=case(host=host1 OR host=host2 OR host=host3, "cluster1") and so on...
0 Karma
Reply

iqbalintouch
Path Finder
‎04-14-2018 10:09 PM

@p_gurav Thank you.

do I need to write eval in new line for each cluster? My requirement is actually something like below with base search query.

| timechart partial=f span=15m count as current_count
| streamstats window=10 current=f avg(current_count) as trend
| eval cluster=case(host=my_host01* OR host=my_host02 OR host=my_host03*, "cluster1")
| eval cluster=case(host=my_host04* OR host=my_host05* OR host=my_host06*, "cluster2")
| eval cluster=case(host=my_host07* OR host=my_host08 OR host=my_host09, "cluster3")
| eval trend=round(trend)
| eval difference=current_count-trend
| eval diff_percent=round((difference)/trend*100)
| eval hr=strftime(_time, "%H")
| table _time trend current_count difference diff_percent

0 Karma
Reply

iqbalintouch
Path Finder
‎04-14-2018 10:10 PM

sorry I am not an expert in Splunk and learning basic of it. Thank you.

0 Karma
Reply

p_gurav
Champion
‎04-14-2018 11:07 PM

You can write one eval:

index=myapp sourcetype=my_sourcetype host="myhost" "Logger*" AND "sold event" vertical=H
| timechart partial=f span=15m count as current_count
| streamstats window=10 current=f avg(current_count) as trend
| eval cluster=case(host=my_host01* OR host=my_host02* OR host=my_host03*, "cluster1", host=my_host04* OR host=my_host05* OR host=my_host06*, "cluster2", host=my_host07* OR host=my_host08 OR host=my_host09, "cluster3")
| eval trend=round(trend)
| eval difference=current_count-trend
| eval diff_percent=round(difference/trend*100)
| eval hr=strftime(_time, "%H") 
| table _time trend current_count difference diff_percent cluster
0 Karma
Reply

iqbalintouch
Path Finder
‎04-15-2018 12:29 AM

@p_gurav

getting error: "Error in 'eval' command: The expression is malformed. Expected )"

checked the query but didn't see anything is missing

0 Karma
Reply

Sukisen1981
Champion
‎04-15-2018 01:03 AM

Hi,

host is a string just change your first eval to - eval cluster=case(host="my_host01*" OR host="my_host02*" OR host="my_host03*", "cluster1", host="my_host04*" OR host="my_host05*" OR host="my_host06*", "cluster2", host="my_host07*" OR host="my_host08" OR host="my_host09", "cluster3")

0 Karma
Reply

iqbalintouch
Path Finder
‎04-15-2018 06:10 PM

Thank you @Sukisen1981

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...