Splunk Search

Using input file but only want select results returned

bullbasin
Engager

I have a dashboard where I have 4 multi-select boxes and an input file with all possible results for each app. When there are no results for an app it is sent as 100%. Problem is that the results have all apps and ignore the multi-select because of the input file. Below is the code....

data.environment.application,data.environment.environment,data.environment.stack,data.componentId
app1,prod,AZ,Acomp
app1,prod,AZ,Bcomp
app2,uat,AW,Zcomp
app2,uat,AW,Ycomp
app2,uat,AW,Xcomp
app3,prod,GC,Mcomp

index=MINE data.environment.application="app2" data.environment.environment="uat"
| eval estack="AW"
| fillnull value="uat" estack data.environment.stack
| where 'data.environment.stack'=estack
| streamstats window=1 current=False global=False values(data.result) AS nextResult BY data.componentId
| eval failureStart=if((nextResult="FAILURE" AND 'data.result'="SUCCESS"), "True", "False"), failureEnd=if((nextResult="SUCCESS" AND 'data.result'="FAILURE"), "True", "False")
| transaction data.componentId, data.environment.application, data.environment.stack startswith="failureStart=True" endswith="failureEnd=True" maxpause=15m
| stats sum(duration) as downtime by data.componentId
| inputlookup append=true all_env_component.csv
| fillnull value=0
| addinfo
| eval uptime=(info_max_time - info_min_time)-downtime, avail=(uptime/(info_max_time - info_min_time))*100, downMins=round(downtime/60, 0)
| rename data.componentId AS Component, avail AS Availability
| fillnull value=100 Availability
| dedup Component
| table Component, Availability

Thank you in advance for the help.


yuanliu
SplunkTrust

I cannot get a sense of this question.

  1. What is that data table at the beginning of this post supposed to be?
  2. Right before inputlookup, you have a stats command that reduces data fields to downtime and data.componentId. I assume that everything above inputlookup is working as expected. If this is the case, please just post sample/mock values of downtime and data.componentId and ignore anything about app and input selection. (See below.)
  3. What fields (columns) are in this all_env_component.csv file? And how is this file useful to what you wanted in the end?
  4. What exactly is it that you wanted in the end? By this, I mean what does "4 multi select boxes" have to do with this question? Your search does not use a single token. This means that none of these selections should have any effect on results.

In short, you need to post data input - you can post just sample/mock values of downtime-data.componentId pairs; explain what is in that lookup file, and provide some sample/mock values. Then, explain what you are trying to do after that inputlookup, illustrate what your expected results look like from the sample/mock input values, and the logic between the input and desired results.

This is the basis of an answerable question in a forum about data analytics.


bullbasin
Engager

Any further input after answering your questions?

bullbasin
Engager

Here are the answers to your questions....

1. It is the input file for the apps, all_env_component.csv

2. Yes it works correctly.

data.componentId   downtime
Ycomp              322.186934
Zcomp              300.23822
Xcomp              645.415504

3. The fields are:

data.environment.application, data.environment.environment, data.environment.stack, data.componentId

4. This is an availability dashboard. The initial problem was that any data.componentId that had 0 downtime would not show in the results (NULL). This was fixed by adding an input file, but then it was showing all the data.componentId and downtime. The desired result is to display only the data.componentId and downtime for the single data.environment.application chosen in the drop-down. Below is the original query that would not display anything with 100% uptime.

index=MINE data.environment.application="app2" data.environment.environment="uat"
| eval estack="AW"
| fillnull value="uat" estack data.environment.stack
| where 'data.environment.stack'=estack
| streamstats window=1 current=False global=False values(data.result) AS nextResult BY data.componentId
| eval failureStart=if((nextResult="FAILURE" AND 'data.result'="SUCCESS"), "True", "False"), failureEnd=if((nextResult="SUCCESS" AND 'data.result'="FAILURE"), "True", "False")
| transaction data.componentId, data.environment.application, data.environment.stack startswith="failureStart=True" endswith="failureEnd=True" maxpause=15m
| stats sum(duration) as downtime by data.componentId
| addinfo
| eval uptime=(info_max_time - info_min_time)-downtime, avail=(uptime/(info_max_time - info_min_time))*100, downMins=round(downtime/60, 0)
| rename data.componentId AS Component, avail AS Availability
| table Component, Availability

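One way to keep the 100% default for components with no events while still restricting the output to the selected application, added here as an example; it is not code from the original posts or from Splunk. It assumes the dashboard exposes single-value tokens named $app$, $env$ and $stack$ (hypothetical names; the thread hard-codes app2, uat and AW) and that all_env_component.csv has the four columns listed above. The only structural change from the posted search is the WHERE clause on inputlookup, which filters the CSV rows before they are appended, so only the chosen application's components can fall through to the zero-downtime default; everything else is the poster's own pipeline with the literals replaced by tokens.

```spl
index=MINE data.environment.application="$app$" data.environment.environment="$env$"
| eval estack="$stack$"
| fillnull value="$env$" estack data.environment.stack
| where 'data.environment.stack'=estack
| streamstats window=1 current=False global=False values(data.result) AS nextResult BY data.componentId
| eval failureStart=if((nextResult="FAILURE" AND 'data.result'="SUCCESS"), "True", "False"), failureEnd=if((nextResult="SUCCESS" AND 'data.result'="FAILURE"), "True", "False")
| transaction data.componentId, data.environment.application, data.environment.stack startswith="failureStart=True" endswith="failureEnd=True" maxpause=15m
| stats sum(duration) AS downtime BY data.componentId
| inputlookup append=true all_env_component.csv where data.environment.application="$app$" AND data.environment.environment="$env$" AND data.environment.stack="$stack$"
| fillnull value=0 downtime
| addinfo
| eval uptime=(info_max_time - info_min_time)-downtime, avail=(uptime/(info_max_time - info_min_time))*100, downMins=round(downtime/60, 0)
| rename data.componentId AS Component, avail AS Availability
| dedup Component
| table Component, Availability
```

The ordering matters: the rows produced by stats arrive before the appended lookup rows, so dedup Component keeps the measured downtime for any component that had outages and only the components missing from the events keep downtime=0, which the eval turns into Availability=100. With the sample CSV above and $app$=app2, only Xcomp, Ycomp and Zcomp can appear, and app1/app3 components are never appended. If the inputs are genuinely multi-select, the token would have to be expanded into an OR expression through the input's prefix, suffix and delimiter settings; the single-value comparison is what is shown here.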

bullbasin
Engager

Let me know if anything else is needed
