Splunk Search

Search by values in field

nivethainspire_
Explorer

 

In the table below, I want to search by the field "Core Content", where "Core Content" should take the top 2 highest values.

| Core Content | Count | Status | Flag   |
|--------------|-------|--------|--------|
| 4268         | 2223  | N      | Red    |
| 4267         | 1794  | N      | Yellow |
| 4266         | 305   | Y      | Yellow |
| 4265         | 90    | Y      | Red    |
| 4268         | 19    | Y      | Green  |
| 4263         | 63    | N      | Green  |
| 4262         | 133   | Y      | Red    |
| 4261         | 34    | N      | Red    |
| 4260         | 26    | N      | Yellow |
| (total)      | 4768  |        |        |

 

The output I expect is:

| Core Content | Count | Status | Flag   |
|--------------|-------|--------|--------|
| 4268         | 2223  | N      | Red    |
| 4267         | 1794  | N      | Yellow |
| 4268         | 19    | Y      | Green  |

 

All other rows I have to take as Outdated.

0 Karma

nivethainspire_
Explorer

Basically I want to run the below query

index=s_cnn sourcetype=S_network
| fillnull value="00" Com
| fillnull value=""
| search Status="Reporting" Form!="VP" Form!="VI"
| search Form="*" Group="*" Env="*" OS="*" Company="*" "Core Content"="4283.0" OR "Core Content"="4286.0"
| sort "Core Content"

Instead of explicitly hardcoding the values for "Core Content", I want them to take the top 2 values of "Core Content".

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Try this query. The main difference is the use of single quotes. In Splunk, double quotes denote a string while single quotes denote a field name.

index=s_cnn sourcetype=S_network Status="Reporting" Form!="VP" Form!="VI" Form="*" Group="*" Env="*" OS="*" Company="*" ("Core Content"="4283.0" OR "Core Content"="4286.0") 
| fillnull value="00" Com 
| fillnull value="" 
| sort 2 - 'Core Content'
---
If this reply helps you, Karma would be appreciated.
0 Karma

nivethainspire_
Explorer

Not working for me.

index=s_cnn sourcetype=S_network Status="Reporting" Form!="VP" Form!="VI" Form="*" Group="*" Env="*" OS="*" Company="*"
| fillnull value="00" Com
| fillnull value=""
| timechart span=1d count("Core Content") by "Core Content"
| sort 2 - "Core Content"

 

 

It's not sorting, I get the output below:

| _time      | 5276 | 5279 | 4280 | 4284 | 4285 | 5286 | 5287 | OTHER |
|------------|------|------|------|------|------|------|------|-------|
| 12/15/2020 | 26   | 20   | 26   | 9    | 128  | 164  | 1268 | 1149  |
| 12/16/2020 | 0    | 0    | 0    | 0    | 0    | 0    | 0    | 0     |

 

But I want to get it as below:

| _time      | 5286 | 5287 |
|------------|------|------|
| 12/15/2020 | 164  | 1268 |
| 12/16/2020 | 0    | 0    |


0 Karma

scelikok
SplunkTrust
SplunkTrust

@nivethainspire_, you can use the query below:

| stats list(Count) as Count list(Status) as Status list(Flag) as Flag by "Core Content" 
| sort 2 - "Core Content"
| eval lines=mvzip(Count,Status), lines=mvzip(lines,Flag)
| mvexpand lines
| rex field=lines "(?<Count>[^,]+),(?<Status>[^,]+),(?<Flag>.*)"
| fields - lines
| sort - Count
| addcoltotals Count

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

richgalloway
SplunkTrust
SplunkTrust

It didn't work because you used a different query.  timechart is a transforming command so you no longer have a "Core Content" field on which to sort.

I don't know how to achieve the results you desire.  Sorry.

---
If this reply helps you, Karma would be appreciated.
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Would you please clarify the requirements?  How is the sample input transformed into the sample output?

The text says "top 2 highest" but the example shows 3 results.

When measuring "highest", which column is to be used? Is it the raw values in that column or a sum based on some other field?

---
If this reply helps you, Karma would be appreciated.
0 Karma

nivethainspire_
Explorer

The Core Content has values ranging from 4260 to 4268. I want to show details of only the top 2 Core Content values, that is 4268 and 4267. The core content updates often. Tomorrow it may take 4270.

So I want to query for a table where core content should search only the top 2.


0 Karma

richgalloway
SplunkTrust
SplunkTrust

Here's one way to do that.

your search
| sort 2 - Count
---
If this reply helps you, Karma would be appreciated.
0 Karma
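One way to pick the top two Core Content values at search time instead of hardcoding them, as an added example that is not from any post in this thread: sort the grouped rows by Core Content descending, let streamstats count how many distinct Core Content values have been seen so far, and keep only the rows ranked 1 or 2. It assumes the OP's base search and that the Count column comes from a stats count over Core Content, Status and Flag, which is what the sample table looks like; the cc_rank field name is my own.

```spl
index=s_cnn sourcetype=S_network Status="Reporting" Form!="VP" Form!="VI"
| fillnull value="00" Com
| fillnull value=""
| stats count as Count by "Core Content" Status Flag
| rename "Core Content" as core_content
| sort 0 - core_content
| streamstats dc(core_content) as cc_rank
| where cc_rank <= 2
| sort 0 - core_content - Count
| fields - cc_rank
| rename core_content as "Core Content"
```

sort 0 lifts the default 10,000-row sort limit, and sort orders numerically when every value is numeric (4283.0-style values included), so the highest Core Content comes first even when a new value such as 4270 appears tomorrow. To keep the remaining rows and label them instead of dropping them, replace the where line with | eval Age=if(cc_rank<=2,"Current","Outdated").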