Re: extracting events based on certain conditions

bhavneeshvohra · ‎08-13-2019

HI all,

I am stuck in a scenario which has multiple conditions and i am unable to resolve it. Kindly Help!!!

I have data as follows:-
vin, cid, violationstatus,
abc,45,45
def ,56,76

i want that if violationstatus<50 records 1-50 should be considered for dashboard generation
if violationstatus>50 records 50-100 should be considered for dashboard generation

HOw to do it please help.?

bhavneeshvohra · ‎08-13-2019

***edit*********

i want that if violationstatus is lessthan 50 records 1-50 should be considered for dashboard generation
i want that if violationstatus is greater than 50 records 50-100 should be considered for dashboard generation

jpolvino · ‎08-13-2019

If the condition violationstatus<50 then how do you know which records represent 1-50? Are they numbered or otherwise labeled?

Sukisen1981 · ‎08-13-2019

hi @bhavneeshvohra as @jpolvino says, this is a tricky one.
You can always have a search query as the first query without displaying it and calculate violationstatus into a token under tag
BUT
what is your first 50 rows? Is it the default 'latest first' way that splunk shows events or is the earliest event , event #1.
Once you provide us that, the rest can be done in the manner I suggested above

extracting events based on certain conditions

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!