Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Unable to find the right query to capture trend

Khanu89
Path Finder
‎01-16-2024 04:27 PM

Hello - I'd like to start with thanking the community for reviewing and helping! 

Problem Statement: I have appt data from multiple clinical locations in Splunk with different types statues. I am trying to create a dashboard that would show trends in appts requests to see if we're gaining pts or losing them, what days are the busiest, what days are the slowest. 

Query:

index="index" cluster_id="*" dump_info:98
| spath output=log path=log
| rex field=log ".*\{\'name\'\:\s\'(?<name>.*)\'\,\s\'service_type\'\:\s\'(?<service_type>.*)\'\,\s\'status\'\:\s\'(?<status>.*)\'\,\s\'start\'\:\s\'(?<start>.*)\'\,\s\'lastUpdated\'\:\s\'(?<lastUpdated>.*)\'\,\s\'date\'\:\s\'(?<date>.*)\'\}"
| search name="*" AND status="*" AND start="*"
| dedup name service_type status start lastUpdated date
| eval startdate=strftime(strptime(start,"%Y-%m-%dT%H:%M:%SZ"),"%Y-%m-%d"), today=strftime(now(),"%Y-%m-%d")
| where startdate=today
| table name, status
| stats count(status) as status_count, values(*) as * by name, status
Labels (5)
Labels
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-17-2024 01:23 AM

Firstly, since log seems to contain JSON, why not use spath with input=log to extract the fields.

Secondly, there is no need to search for your fields equal to "*" (which presumably you are doing to remove events with null values for these fields?), as the dedup will do this for you.

Thirdly, perhaps you should consider just converting the start to an epoch time with strptime() as you have already done, then use timechart span=1d

Finally, this might have been easier to answer if you had provided some anonymised sample events so we can see what you are working with.

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...