Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

append command- more efficient query

akawacz
Path Finder
‎09-22-2015 03:15 AM

Hi,

could you help me to write more efficient query? My is really time consuming.

Example.

--First part cacluate backlog for June, second for July and third for August

index=A
| eval MONTH = relative_time(now(),"-7d@mon-3mon")
| eval BACKLOG = if(CREATE_INCIDENT<REPORT_MONTH AND CLOSED_INCIDENT>MONTH ,1,0)
| where BACKLOG =1

| append [search index=A
| eval MONTH = relative_time(now(),"-7d@mon-2mon")
| eval BACKLOG = if(CREATE_INCIDENT<REPORT_MONTH AND CLOSED_INCIDENT>MONTH ,1,0)
| where BACKLOG =1]

| append [search index=A
| eval MONTH = relative_time(now(),"-7d@mon-1mon")
| eval BACKLOG = if(CREATE_INCIDENT<REPORT_MONTH AND CLOSED_INCIDENT>MONTH ,1,0)
| where BACKLOG =1]

stats dc(Ticket) as BACKLOG_COUNT by MONTH

in A index we have filed Ticket.

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-22-2015 09:25 AM

I'm sure you missed the specific earliest and latest for each query, So I will include them in my answer. Try something like this

index=A earliest=-7d@mon latest=-7d@mon-3mon
| bucket span=1mon _time 
| eval BACKLOG = if(CREATE_INCIDENT<REPORT_MONTH AND CLOSED_INCIDENT>MONTH ,1,0) 
| stats sum(BACKLOG) as BACKLOG_COUNT by _time | eval Month=strftime(_time,"%Y-%m") | table Month BACKLOG_COUNT

Update
Give this a try

index=A earliest=-7d@mon latest=-7d@mon-3mon CREATE_INCIDENT<REPORT_MONTH
| eval MONTH= if(CLOSED_INCIDENT>relative_time(now(),"-7d@mon-3mon"),strftime(relative_time(now(),"-7d@mon-3mon"),"%Y-%m"),"") 
| eval MONTH= if(CLOSED_INCIDENT>relative_time(now(),"-7d@mon-2mon"),MONTH." ".strftime(relative_time(now(),"-7d@mon-2mon"),"%Y-%m"),MONTH)
| eval MONTH= if(CLOSED_INCIDENT>relative_time(now(),"-7d@mon-1mon"),MONTH." ".strftime(relative_time(now(),"-7d@mon-1mon"),"%Y-%m"),MONTH)
| makemv MONTH | stats count by by MONTH

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-22-2015 09:25 AM

I'm sure you missed the specific earliest and latest for each query, So I will include them in my answer. Try something like this

index=A earliest=-7d@mon latest=-7d@mon-3mon
| bucket span=1mon _time 
| eval BACKLOG = if(CREATE_INCIDENT<REPORT_MONTH AND CLOSED_INCIDENT>MONTH ,1,0) 
| stats sum(BACKLOG) as BACKLOG_COUNT by _time | eval Month=strftime(_time,"%Y-%m") | table Month BACKLOG_COUNT

Update
Give this a try

index=A earliest=-7d@mon latest=-7d@mon-3mon CREATE_INCIDENT<REPORT_MONTH
| eval MONTH= if(CLOSED_INCIDENT>relative_time(now(),"-7d@mon-3mon"),strftime(relative_time(now(),"-7d@mon-3mon"),"%Y-%m"),"") 
| eval MONTH= if(CLOSED_INCIDENT>relative_time(now(),"-7d@mon-2mon"),MONTH." ".strftime(relative_time(now(),"-7d@mon-2mon"),"%Y-%m"),MONTH)
| eval MONTH= if(CLOSED_INCIDENT>relative_time(now(),"-7d@mon-1mon"),MONTH." ".strftime(relative_time(now(),"-7d@mon-1mon"),"%Y-%m"),MONTH)
| makemv MONTH | stats count by by MONTH
0 Karma
Reply
Solved! Jump to solution

akawacz
Path Finder
‎09-23-2015 01:49 AM

This is really good but logic in my query is a bit different. Every block of query count backlog for specific month range + furter month if condtions are met (so duplicate data can be there).

e.g.
June block Created= <2015-Jun and Closed>2015-Jun
- June 1000
- July 200
- August 100
- total for JUNE - 1300

July block Created= <2015-Jul and Closed>2015-Jul
- July 1500
- August 100
- total for JULY 1600

August block Created= <2015-AUG and Closed>2015-AUG
- August 1800
- total 1800

Hope this make sense

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...