Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to write a query to get the result clusterwise

iqbalintouch
Path Finder
‎04-14-2018 08:48 PM

So my base Query to check sell is below:-

index=myapp sourcetype=my_sourcetype host="*myhost*" "Logger*" AND "sold event" vertical=H

Now, I need to write an efficient and fast query which shows cluster-wise sell?

like my_host1 - my_host3 is cluster 1
AND my_host4 - my_host6 is cluster 2
AND my_host7 - my_host9 is cluster 3

0 Karma
Reply

DalJeanis
Legend
‎04-15-2018 04:41 PM

Okay, you've almost got it. One problem you are running into now is probably because you are using incorrect syntax for your comparisons.

When you are running a search, you can use * at the end of a literal to tell splunk to match anything else that follows.

| search host="myhost_01*"

However, that comparison is not valid as a normal boolean test. In a boolean, you need to use one of the eval functions such aslike(variable,SQLPattern) or match(variable,RegexPattern), as per this...

| eval cluster=case(like(host,"my_host01%"), "FirstValue", ... )

...or this...

| eval cluster=case(match(host,"my_host01.*"), "FirstValue", ... )
0 Karma
Reply

p_gurav
Champion
‎04-14-2018 09:55 PM

Can you write eval:

| eval cluster=case(host=host1 OR host=host2 OR host=host3, "cluster1") and so on...
0 Karma
Reply

iqbalintouch
Path Finder
‎04-14-2018 10:09 PM

@p_gurav Thank you.

do I need to write eval in new line for each cluster? My requirement is actually something like below with base search query.

| timechart partial=f span=15m count as current_count
| streamstats window=10 current=f avg(current_count) as trend
| eval cluster=case(host=my_host01* OR host=my_host02 OR host=my_host03*, "cluster1")
| eval cluster=case(host=my_host04* OR host=my_host05* OR host=my_host06*, "cluster2")
| eval cluster=case(host=my_host07* OR host=my_host08 OR host=my_host09, "cluster3")
| eval trend=round(trend)
| eval difference=current_count-trend
| eval diff_percent=round((difference)/trend*100)
| eval hr=strftime(_time, "%H")
| table _time trend current_count difference diff_percent

0 Karma
Reply

iqbalintouch
Path Finder
‎04-14-2018 10:10 PM

sorry I am not an expert in Splunk and learning basic of it. Thank you.

0 Karma
Reply

p_gurav
Champion
‎04-14-2018 11:07 PM

You can write one eval:

index=myapp sourcetype=my_sourcetype host="myhost" "Logger*" AND "sold event" vertical=H
| timechart partial=f span=15m count as current_count
| streamstats window=10 current=f avg(current_count) as trend
| eval cluster=case(host=my_host01* OR host=my_host02* OR host=my_host03*, "cluster1", host=my_host04* OR host=my_host05* OR host=my_host06*, "cluster2", host=my_host07* OR host=my_host08 OR host=my_host09, "cluster3")
| eval trend=round(trend)
| eval difference=current_count-trend
| eval diff_percent=round(difference/trend*100)
| eval hr=strftime(_time, "%H") 
| table _time trend current_count difference diff_percent cluster
0 Karma
Reply

iqbalintouch
Path Finder
‎04-15-2018 12:29 AM

@p_gurav

getting error: "Error in 'eval' command: The expression is malformed. Expected )"

checked the query but didn't see anything is missing

0 Karma
Reply

Sukisen1981
Champion
‎04-15-2018 01:03 AM

Hi,

host is a string just change your first eval to - eval cluster=case(host="my_host01*" OR host="my_host02*" OR host="my_host03*", "cluster1", host="my_host04*" OR host="my_host05*" OR host="my_host06*", "cluster2", host="my_host07*" OR host="my_host08" OR host="my_host09", "cluster3")

0 Karma
Reply

iqbalintouch
Path Finder
‎04-15-2018 06:10 PM

Thank you @Sukisen1981

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...