Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

extracting events based on certain conditions

bhavneeshvohra
Engager
‎08-13-2019 12:34 AM

HI all,

I am stuck in a scenario which has multiple conditions and i am unable to resolve it. Kindly Help!!!

I have data as follows:-
vin, cid, violationstatus,
abc,45,45
def ,56,76

i want that if violationstatus<50 records 1-50 should be considered for dashboard generation
if violationstatus>50 records 50-100 should be considered for dashboard generation

HOw to do it please help.?

Tags (1)
0 Karma
Reply

bhavneeshvohra
Engager
‎08-13-2019 12:35 AM

***edit*********

i want that if violationstatus is lessthan 50 records 1-50 should be considered for dashboard generation
i want that if violationstatus is greater than 50 records 50-100 should be considered for dashboard generation

0 Karma
Reply

jpolvino
Builder
‎08-13-2019 05:11 AM

If the condition violationstatus<50 then how do you know which records represent 1-50? Are they numbered or otherwise labeled?

0 Karma
Reply

Sukisen1981
Champion
‎08-13-2019 09:33 AM

hi @bhavneeshvohra as @jpolvino says, this is a tricky one.
You can always have a search query as the first query without displaying it and calculate violationstatus into a token under tag
BUT
what is your first 50 rows? Is it the default 'latest first' way that splunk shows events or is the earliest event , event #1.
Once you provide us that, the rest can be done in the manner I suggested above

0 Karma
Reply
Get Updates on the Splunk Community!

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Automatic Discovery Part 2: Setup and Best Practices

In Part 1 of this series, we covered what Automatic Discovery is and why it’s critical for observability at ...