Splunk Search

help on a stats command with a filter token

jip31
Motivator

hello

I use the search below which works fine

`fiability` 
| fields host Logfile SourceName ProductName SITE DEPARTMENT RESPONSIBLE_USER
| search Logfile=Application AND (SourceName="Application Hang" OR SourceName="Application Error") 
| search (ProductName=*)  
| stats last(SITE) as SITE, last(DEPARTMENT) as DEPARTMENT, last(RESPONSIBLE_USER) as RESPONSIBLE_USER, count(eval(SourceName="Application Error")) as "Number of Errors", count(eval(SourceName="Application Hang")) as "Number of Hang", count as "Number of crashes" by ProductName 
| rename ProductName as Product 
| sort -"Number of crashes"

The problem I have is in my XML file, because I use token filters on the DEPARTMENT and RESPONSIBLE_USER fields.

Since I just use a stats by ProductName, the RESPONSIBLE_USER related to the ProductName is just the last RESPONSIBLE_USER of the ProductName and not all the RESPONSIBLE_USER values for a specific ProductName.

So when I use the token for the RESPONSIBLE_USER in my dashboard, it doesn't reflect reality exactly.

And if I do a stats by ProductName RESPONSIBLE_USER it's not good, because I have many counts for the same ProductName.

What I need is a single count for the same ProductName and, at the same time, all the ProductName counts for the same RESPONSIBLE_USER (that is, something other than the last RESPONSIBLE_USER for a ProductName...).

Could you help me please?


richgalloway
SplunkTrust

Use the values function of stats to get all values of RESPONSIBLE_USER.

...
| stats last(SITE) as SITE, last(DEPARTMENT) as DEPARTMENT, values(RESPONSIBLE_USER) as RESPONSIBLE_USER, count(eval(SourceName="Application Error")) as "Number of Errors", count(eval(SourceName="Application Hang")) as "Number of Hang", count as "Number of crashes" by ProductName 
...


---
If this reply helps you, Karma would be appreciated.

jip31
Motivator

I have already done this, and it works if I put the token before the stats command:

| search ProductName="browser_*" AND RESPONSIBLE_USER=*ABCDE* 
| stats last(SITE) as SITE, values(DEPARTMENT) as DEPARTMENT, values(RESPONSIBLE_USER) as RESPONSIBLE_USER, count(eval(SourceName="Application Error")) as "Number of Errors", count(eval(SourceName="Application Hang")) as "Number of Hang", count as "Number of crashes" by ProductName 

but.....

For this search, I use a scheduled search.

So it means that I use my filter token after the loadjob command:

| loadjob savedsearch="admin:XXXX:YYYYY" 
| search RESPONSIBLE_USER=$tok_filterresponsible|s$ 

And in this case I am unable to filter on the right RESPONSIBLE_USER....

richgalloway
SplunkTrust

The values function may produce a multi-value field that requires using the mvfind function to search.

---
If this reply helps you, Karma would be appreciated.

jip31
Motivator

Do you have an example, please?

richgalloway
SplunkTrust

| loadjob savedsearch="admin:XXXX:YYYYY" 
| where isnotnull(mvfind(RESPONSIBLE_USER, $tok_filterresponsible|s$))

mvfind looks in the multi-value field for the given string.  If successful, it returns an index into the field; otherwise, it returns NULL.

---
If this reply helps you, Karma would be appreciated.
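To make the two points of this thread concrete (why `last(RESPONSIBLE_USER)` loses users that `values(RESPONSIBLE_USER)` keeps, and how a post-loadjob `where isnotnull(mvfind(...))` filter then selects products for a user), here is an added Python model that is not code from the thread or from Splunk. The `EVENTS` list is constructed sample data, and `stats_by_product`, `mvfind` and `filter_by_responsible` are assumed helpers that imitate the documented behaviour of the SPL `stats`, `mvfind` and `where` steps so the logic can be run offline.

```python
import re

# Constructed sample events (not from the thread), already reduced to the
# fields the original search keeps. Splunk hands events to stats newest-first,
# so this list is ordered the way a real result set would be.
EVENTS = [
    {"ProductName": "browser_x", "SourceName": "Application Error", "SITE": "Paris", "DEPARTMENT": "IT",  "RESPONSIBLE_USER": "ABCDE"},
    {"ProductName": "browser_x", "SourceName": "Application Hang",  "SITE": "Paris", "DEPARTMENT": "IT",  "RESPONSIBLE_USER": "FGHIJ"},
    {"ProductName": "browser_x", "SourceName": "Application Error", "SITE": "Lyon",  "DEPARTMENT": "HR",  "RESPONSIBLE_USER": "KLMNO"},
    {"ProductName": "mail_y",    "SourceName": "Application Error", "SITE": "Lyon",  "DEPARTMENT": "HR",  "RESPONSIBLE_USER": "ABCDE"},
    {"ProductName": "mail_y",    "SourceName": "Application Error", "SITE": "Lyon",  "DEPARTMENT": "HR",  "RESPONSIBLE_USER": "ABCDE"},
    {"ProductName": "tool_z",    "SourceName": "Application Hang",  "SITE": "Nice",  "DEPARTMENT": "OPS", "RESPONSIBLE_USER": "FGHIJ"},
]


def stats_by_product(events, user_agg="values"):
    """Model `| stats last(SITE), last(DEPARTMENT), <user_agg>(RESPONSIBLE_USER),
    count(eval(...)), count by ProductName | rename | sort` from the thread.

    user_agg="last"   -> one user per product (the original search): the last
                         value stats sees, i.e. the oldest event in a newest-first set.
    user_agg="values" -> every distinct user as a multi-value field, sorted
                         lexicographically like Splunk's values() (the suggested fix).
    """
    groups = {}
    for ev in events:
        g = groups.setdefault(ev["ProductName"],
                              {"users": [], "errors": 0, "hangs": 0, "count": 0})
        g["SITE"] = ev["SITE"]              # last(): overwritten until the final event
        g["DEPARTMENT"] = ev["DEPARTMENT"]
        g["users"].append(ev["RESPONSIBLE_USER"])
        g["errors"] += int(ev["SourceName"] == "Application Error")
        g["hangs"] += int(ev["SourceName"] == "Application Hang")
        g["count"] += 1

    rows = []
    for product, g in groups.items():
        users = g["users"][-1] if user_agg == "last" else sorted(set(g["users"]))
        rows.append({
            "Product": product, "SITE": g["SITE"], "DEPARTMENT": g["DEPARTMENT"],
            "RESPONSIBLE_USER": users,
            "Number of Errors": g["errors"], "Number of Hang": g["hangs"],
            "Number of crashes": g["count"],
        })
    # `| sort -"Number of crashes"` (stable, so ties keep their original order)
    return sorted(rows, key=lambda r: -r["Number of crashes"])


def mvfind(mvfield, regex):
    """Model Splunk's mvfind(MVFIELD, "REGEX"): index of the first value that the
    regex matches (a search, not a full-string match), or None where Splunk
    would return NULL. A single-value field is treated as a one-element list."""
    values = mvfield if isinstance(mvfield, list) else [mvfield]
    pat = re.compile(regex)
    for i, v in enumerate(values):
        if pat.search(v):
            return i
    return None


def filter_by_responsible(rows, token):
    """Model `| where isnotnull(mvfind(RESPONSIBLE_USER, $tok_filterresponsible|s$))`
    applied after loadjob, i.e. on the already aggregated rows."""
    return [r for r in rows if mvfind(r["RESPONSIBLE_USER"], token) is not None]


if __name__ == "__main__":
    for agg in ("last", "values"):
        kept = filter_by_responsible(stats_by_product(EVENTS, agg), "ABCDE")
        print(agg, "->", [r["Product"] for r in kept])
```

With `last()`, filtering on `ABCDE` returns only `mail_y`, although `ABCDE` is also responsible for a `browser_x` crash; with `values()` plus the `mvfind` filter both products come back, each still with a single row and a single count. Two details worth keeping in mind when wiring the dashboard token: the `|s` filter wraps the token value in double quotes, so it arrives as the string `mvfind` expects, and `mvfind` treats that string as a regex search, so a token of `ABCDE` also matches a user named `XABCDEX`; anchor it as `^ABCDE$` if the dashboard should match the user exactly.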