Want a table with two different inputs with differ...

Manasi25 · ‎12-06-2020

Hi

I have field values - A, B, C, D, E, F,G,H,I,J for one of applications. I need output as below.

Product Alert by Team1 Alert by Team2

AA Count(A, B,C,E,F,G,H,I,J) Count(D)

Same as different multiple products with different field values. Like --

Product Alert by Team1 Alert by Team2

AA Count(A, B,C,E,F,G,H,I,J) Count(D)

BB Count(MM ,AD,FG,TH,KL) Count(BB)

please help me on this query.

Note - I have same field name for all field values.

gcusello · ‎12-06-2020

Hi @Manasi25,

your need isn't so clear, also because it isn't clear if you want one alert or more alerts and whaytyou want to display when fired.

Anyway, my hint is to create an alert for each value or group values, depending onwhat you want to disply, in other words, run a search like this:

e.g. find the total count of events where your_field has value=A, B,C,E,F,G,H,I,J for each AA product and fire an alert when this count is greater than a threeshold (e.g. 10):ù

your_search (your_field=A OR your_field=B OR your_field=C OR your_field=E OR your_field=F OR your_field=G OR your_field=H OR your_field=I OR your_field=J)
| stats values(your_field) AS your_field count BY Product
| where count>10

with the same logic, you can creat an alert for the other conditions (e.g. count(D)):

your_search (your_field=D)
| stats values(your_field) AS your_field count BY Product
| where count>10

This solution permits also to send the alert message to the Team that needs it.

Ciao.

Giuseppe

Manasi25 · ‎12-09-2020

Thanks ! But i want both result in one table.

i have my query with me. please review below.

index= source1234

routingKey=routingTOC_PTS OR routingKey=routingPTS_SCTEAM OR routingKey=routingKeyPTS_ASP OR routingKey=routingKeyPTS_TOC_INFO OR routingKey=routingKeyPTS_NOC OR routingKey= routingKeyGMI_IT OR routingKey=routingdefault OR routingKey=routingPTS_DBA_RIMS OR routingKey=routingptssdba OR routingKey=routingRIMS_APP_TEST| top limit=50 routingKey

| stats sum(count) as count, avg(percent) as percent

| eval routingKey = "PTS"
| dedup incidentNumber

| append [ search routingKey=routingDA OR routingOra_DBA_IO OR routingKey=routingEngine OR routingKey=routingSE OR routingKey=routingTOC OR routingwaiting_room | top limit=50 routingKey

| stats sum(count) as count, avg(percent) as percent

|eval routingKey = "IA" ]

| addcoltotals labelfield=routingKey label=Total

| table routingKey, count, percent

Output of my query --

Product Count Percent

PTS count(all routing of PTS)

IA count(all routing of IA

So now, which i have highlighted that count i need in separate column and others in separate one in one result, Output should be like --

Product Count of TOC Count of others

PTS Count(routingTOC_PTS) Count (others routingKey)

IA Count(routingKey=routingTOC) Count(others routingKey)

Hope this understands my question.

gcusello · ‎12-22-2020

Hi @Manasi25,

i see an error in your search:

after the first stats command you cannot use "| dedup incidentNumber" because you haven't still this field.

After stats command you have only the fields in stats, in your case: count and percent.

Try to add "values(incidentNumber) AS incidentNumber" to your stats command and see if your have the waiting results.

Ciao.

Giuseppe

Manasi25 · ‎12-22-2020

@gcusello - any update?

Want a table with two different inputs with different product

table

timechart

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk