Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

help on a stats command with a filter token

jip31
Motivator
‎03-30-2021 01:17 AM

hello

I use the search below which works fine

 

 

`fiability` 
| fields host Logfile SourceName ProductName SITE DEPARTMENT RESPONSIBLE_USER
| search Logfile=Application AND (SourceName="Application Hang" OR SourceName="Application Error") 
| search (ProductName=*)  
| stats last(SITE) as SITE, last(DEPARTMENT) as DEPARTMENT, last(RESPONSIBLE_USER) as RESPONSIBLE_USER, count(eval(SourceName="Application Error")) as "Number of Errors", count(eval(SourceName="Application Hang")) as "Number of Hang", count as "Number of crashes" by ProductName 
| rename ProductName as Product 
| sort -"Number of crashes"

 

 

 The problem I have is in my xml file because I use token filters on DEPARTMENT and RESPONSIBLE_USER fields

Since I just use a stats by ProductName, the RESPONSIBLE_USER related to the ProductName is just the last RESPONSIBLE_USER of the productName and not all the RESPONSIBLE_USER for a specific ProductName

So when I use the token for the RESPONSIBLE_USER in my dashboard, it doesn't reflect the exact reality

And if I do a stats by ProductName RESPONSIBLE_USER it's not good because I have many count for a same ProductName

What I need is to have a single count for a same ProductName and in the same time having all the ProductName count for a same RESPONSIBLE_USER (it means something else than the last RESPONSIBLE_USER for a ProductName...)

Could you help me please?

 

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-09-2021 09:03 AM 
| loadjob savedsearch="admin:XXXX:YYYYY" 
| where isnotnull(mvfind(RESPONSIBLE_USER, $tok_filterresponsible|s$)))

mvfind looks in the multi-value field for the given string.  If successful, it returns an index into the field; otherwise, it returns NULL.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎03-30-2021 05:17 AM

Use the values function of stats to get all values of RESPONSIBLE_USER

...
| stats last(SITE) as SITE, last(DEPARTMENT) as DEPARTMENT, values(RESPONSIBLE_USER) as RESPONSIBLE_USER, count(eval(SourceName="Application Error")) as "Number of Errors", count(eval(SourceName="Application Hang")) as "Number of Hang", count as "Number of crashes" by ProductName 
...

.

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎03-31-2021 05:19 AM

I have already done this and it works if I put the token before the stats command

| search ProductName="browser_*" AND RESPONSIBLE_USER=*ABCDE* 
| stats last(SITE) as SITE, values(DEPARTMENT) as DEPARTMENT, values(RESPONSIBLE_USER) as RESPONSIBLE_USER, count(eval(SourceName="Application Error")) as "Number of Errors", count(eval(SourceName="Application Hang")) as "Number of Hang", count as "Number of crashes" by ProductName

but.....

For this search, I use a scheduled search

So it means that I use my filter token after the loadjob command

| loadjob savedsearch="admin:XXXX:YYYYY" 
| search RESPONSIBLE_USER=$tok_filterresponsible|s$

 And in this case I am unable to filter on the good RESPONSIBLE_USER....

Tags (1)
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎03-31-2021 06:48 AM

The values function may produce a multi-value field that requires using the mvfind function to search.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎04-09-2021 03:02 AM

Have you an example please?

Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-09-2021 09:03 AM 
| loadjob savedsearch="admin:XXXX:YYYYY" 
| where isnotnull(mvfind(RESPONSIBLE_USER, $tok_filterresponsible|s$)))

mvfind looks in the multi-value field for the given string.  If successful, it returns an index into the field; otherwise, it returns NULL.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcment

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
li.common.scroll-to.top