Splunk Query Help- Summary index - Compare all data of - solutionType=*


Hi Team,

I am using the below command to get the last 4 weeks of data for solutionType=EML.

index=sample1 "com.URL.connector.filter" "uri=*/sample/execute" "responseStatus=200" earliest=-35d@d latest=-6h@h | extract kvdelim=":" pairdelim="{,}" | search solutionType=EML | timechart span=6h count by solutionType | timewrap 1w

The above command gives me 4 weeks of data to compare for solutionType=EML.

With the above output data, I further pipe the command to get some sample data crossing the threshold.

| eval maxc=max(EML_4weeks_before, EML_3weeks_before, EML_2weeks_before, EML_1week_before) | eval minc=min(EML_4weeks_before, EML_3weeks_before, EML_2weeks_before, EML_1week_before) | eval avg_after_outlier=round((((EML_4weeks_before + EML_3weeks_before + EML_2weeks_before + EML_1week_before) - (minc + maxc)) / 2),0) | eval var_percentage=abs(round(((EML_latest_week - avg_after_outlier)/avg_after_outlier)*100,2)) | rename avg_after_outlier as EML_previous_week | fields _time, EML_previous_week, EML_latest_week, var_percentage | sort - _time | head 1 | where var_percentage > 99

I need this Splunk query to work for all solutionType=*.

We have around 20 solutionType values.

For example: CHAT, CALL, COM, CIN

Could you help me with the single Splunk query for solutionType=*?
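
The threshold logic in the query above, generalized to every solutionType, as an added Python example (not the poster's code and not SPL). It assumes one row shaped like the `timewrap 1w` output, with columns named `<solutionType>_<period>`; the function name `flag_outliers` and the sample counts are constructed for illustration.

```python
import re
from collections import defaultdict

# Column names as produced by `timechart ... by solutionType | timewrap 1w`,
# e.g. CHAT_latest_week, CHAT_1week_before, CHAT_4weeks_before.
COLUMN = re.compile(r"^(?P<stype>.+)_(?P<period>latest_week|[1-4]weeks?_before)$")
THRESHOLD = 99  # same cut-off as `where var_percentage > 99`


def flag_outliers(row, threshold=THRESHOLD):
    """Return {solutionType: (baseline, latest, var_percentage)} above threshold."""
    latest = {}
    previous = defaultdict(list)
    for column, count in row.items():
        m = COLUMN.match(column)
        if m is None:  # _time or any other non-timewrap column
            continue
        if m["period"] == "latest_week":
            latest[m["stype"]] = count
        else:
            previous[m["stype"]].append(count)

    flagged = {}
    for stype, weeks in previous.items():
        if len(weeks) != 4 or stype not in latest:
            continue  # incomplete history: no baseline can be formed
        # Drop the smallest and largest week, average the remaining two
        # (rounded half up to a whole count).
        baseline = (sum(weeks) - min(weeks) - max(weeks) + 1) // 2
        if baseline == 0:
            continue  # no percentage can be computed against a zero baseline
        var_percentage = abs(round((latest[stype] - baseline) / baseline * 100, 2))
        if var_percentage > threshold:
            flagged[stype] = (baseline, latest[stype], var_percentage)
    return flagged


# Constructed sample: the most recent 6h bucket for three solution types.
SAMPLE_ROW = {
    "_time": "2024-01-01T00:00",
    "CHAT_4weeks_before": 100, "CHAT_3weeks_before": 120, "CHAT_2weeks_before": 110,
    "CHAT_1week_before": 400, "CHAT_latest_week": 105,
    "CALL_4weeks_before": 50, "CALL_3weeks_before": 52, "CALL_2weeks_before": 48,
    "CALL_1week_before": 51, "CALL_latest_week": 210,
    "COM_4weeks_before": 0, "COM_3weeks_before": 0, "COM_2weeks_before": 0,
    "COM_1week_before": 0, "COM_latest_week": 5,
}

if __name__ == "__main__":
    print(flag_outliers(SAMPLE_ROW))
```

The same split of column name into solutionType and period is what lets a single pipeline replace 20 hard-coded `EML_*` field lists.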


