Splunk Query Help- Summary index - Compare all dat...

harkirat9712 · ‎09-15-2019

Hi Team,

I am using the below command to get the last 4 weeks of data solutionType=EML.

index=sample1 "com.URL.connector.filter" "uri=*/sample/execute" "responseStatus=200" earliest=-35d@d latest=-6h@h | extract kvdelim=":" pairdelim="{,}" | search solutionType=EML | timechart span=6h count by solutionType | timewrap 1w
This above command will give me 4 weeks data to compare for solutionType=EML.

With the above output data, I further pipe the command to get some sample data crossing threshold.

eval maxc=max(EML_4weeks_before, EML_3weeks_before, EML_2weeks_before,EML_1week_before)| eval minc=min(EML_4weeks_before, EML_3weeks_before, EML_2weeks_before,EML_1week_before) | eval avg_after_outlier=round((((EML_4weeks_before + EML_3weeks_before + EML_2weeks_before + EML_1week_before) - (minc + maxc)) / 2),0) | eval var_percentage=abs(round(((EML_latest_week - avg_after_outlier)/avg_after_outlier)*100,2)) | rename avg_after_outlier as EML_previous_week | fields _time, EML_previous_week, EML_latest_week, var_percentage | sort - _time | head 1 | where var_percentage > 99 |

My requirement needs to get this Splunk query for all solutionType=*.

we have around 20 solutionType.

for example : CHAT, CALL, COM, CIN

Could you help me with the single Splunk query for solutionType=*?

Thanks

Splunk Query Help- Summary index - Compare all data of - solutionType=*

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Splunk Community Badges!

How to find the worst searches in your Splunk environment and how to fix them

Share Your Feedback: On Admin Config Service (ACS)!

Join the Conversation