Splunk Search

Need help with conditions

kavekon
New Member

I have a DB query that returns data as below.
Now I want:
1. to get a search result where all the rows where rank <11 should appear
2. Once I get the data, I want to show a chart of concurrent program execution time over all the weeks, each concurrent program in one chart
3. Another chart of the top 10 ConcurrentProgramName on x axis and etime on y axis per week

WEEK    rank  ConcurrentProgramName               ETIME
1-Oct   2     Move Order Pick Slip                86379
1-Oct   3     Planning Manager                    86360
4-Sep   4     Report Set                          86347
2-Oct   5     Planning Manager                    863394
4-Sep   6     Planning Manager                    86316
3-Oct   7     Planning Manager                    86294
3-Oct   8     Planning Manager                    86247
1-Oct   19    Timesheet Data Transfer to EE Form  70084

Please help me get the conditions asap.

|dbquery "select WEEK,rank,ConcurrentProgramName,Etime from conTab"

0 Karma

Ayn
Legend

I just want to point out that trying to command the community to do things for you is rather rude. Splunkbase users do not get paid for contributing, so any help you get is because someone is kind enough to take their time to provide it. Please have that in mind when writing a question.

MuS
SplunkTrust

Hi kavekon,

Let me try to help you, but you almost answered the question yourself...

  1. to get a search result where all the rows where rank <11 should appear, append the following to your search:
    ... | where rank < 11
  2. Once I get the data, I want to show a chart of concurrent program execution time over all the weeks each concurrent program in one chart, append the following to your search:
    ... | chart values(ETIME) over WEEK by ConcurrentProgramName
    If this fails because of the WEEK, use instead
    ... | timechart span=1w values(ETIME) by ConcurrentProgramName
  3. Another charts of the top 10 ConcurrentProgramName on x axis and etime on y axis per week, use this search (top will return by default the top 10 of the provided field) and modify the report to match your request:
    ... | top ConcurrentProgramName | chart values(ETIME) values(ConcurrentProgramName)

hope this helps to get you started...

cheers, MuS

MuS
SplunkTrust

Hi kavekon, as I wrote, my examples will get you started. Since I neither have your data available nor know what exactly you want to achieve, this is simply trial and error. But ... | timechart span=1w values(ETIME) by ConcurrentProgramName will for sure work, and if you need values for WEEK in the 3rd example, simply add values(WEEK) to the search.

0 Karma

kavekon
New Member

Hi MuS

I have tried as suggested; however, all 2 answers did not give me the required results. Please help.

2. ... | timechart values(ETIME) over WEEK by ConcurrentProgramName or ... | timechart span=1w values(ETIME) by ConcurrentProgramName

getting the error:
Error in 'timechart' command: The specifier 'over' is invalid.It must be in form (). For example: max(size).
The search job has failed due to an error. You may be able view the job in the Job Inspector.

3. ... | top ConcurrentProgramName | chart values(ETIME) values(ConcurrentProgramName)
does not return the values per week

0 Karma
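
An added example, not written by any poster in this thread: the rank filter and the per-week chart from the question, run against the eight sample rows posted above, which are loaded with `makeresults format=csv` in place of the `dbquery` call. It assumes a Splunk version that supports that `makeresults` option, and it uses `max(ETIME)` rather than `values(ETIME)` (an assumption about which value is wanted) so that a week holding two rows for one program, such as 3-Oct, still yields a single plottable number.

```spl
| makeresults format=csv data="WEEK,rank,ConcurrentProgramName,ETIME
1-Oct,2,Move Order Pick Slip,86379
1-Oct,3,Planning Manager,86360
4-Sep,4,Report Set,86347
2-Oct,5,Planning Manager,863394
4-Sep,6,Planning Manager,86316
3-Oct,7,Planning Manager,86294
3-Oct,8,Planning Manager,86247
1-Oct,19,Timesheet Data Transfer to EE Form,70084"
| where tonumber(rank) < 11
| chart max(ETIME) over WEEK by ConcurrentProgramName
```

For the third chart, replace the last line with `| chart max(ETIME) over ConcurrentProgramName by WEEK`, which puts the program names on the x axis and draws one series per week. WEEK is a plain string here, so the rows sort alphabetically rather than by date.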