Splunk Search

help on a stats command with a filter token

jip31
Builder

hello

I use the search below which works fine

 

 

`fiability` 
| fields host Logfile SourceName ProductName SITE DEPARTMENT RESPONSIBLE_USER
| search Logfile=Application AND (SourceName="Application Hang" OR SourceName="Application Error") 
| search (ProductName=*)  
| stats last(SITE) as SITE, last(DEPARTMENT) as DEPARTMENT, last(RESPONSIBLE_USER) as RESPONSIBLE_USER, count(eval(SourceName="Application Error")) as "Number of Errors", count(eval(SourceName="Application Hang")) as "Number of Hang", count as "Number of crashes" by ProductName 
| rename ProductName as Product 
| sort -"Number of crashes"

 

 

 The problem I have is in my xml file because I use token filters on DEPARTMENT and RESPONSIBLE_USER fields

Since I just use a stats by ProductName, the RESPONSIBLE_USER related to the ProductName is just the last RESPONSIBLE_USER of the productName and not all the RESPONSIBLE_USER for a specific ProductName

So when I use the token for the RESPONSIBLE_USER in my dashboard, it doesn't reflect the exact reality

And if I do a stats by ProductName RESPONSIBLE_USER it's not good because I have many count for a same ProductName

What I need is to have a single count for a same ProductName and in the same time having all the ProductName count for a same RESPONSIBLE_USER (it means something else than the last RESPONSIBLE_USER for a ProductName...)

Could you help me please?

 

Labels (1)
Tags (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust
| loadjob savedsearch="admin:XXXX:YYYYY" 
| where isnotnull(mvfind(RESPONSIBLE_USER, $tok_filterresponsible|s$)))

mvfind looks in the multi-value field for the given string.  If successful, it returns an index into the field; otherwise, it returns NULL.

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Use the values function of stats to get all values of RESPONSIBLE_USER

...
| stats last(SITE) as SITE, last(DEPARTMENT) as DEPARTMENT, values(RESPONSIBLE_USER) as RESPONSIBLE_USER, count(eval(SourceName="Application Error")) as "Number of Errors", count(eval(SourceName="Application Hang")) as "Number of Hang", count as "Number of crashes" by ProductName 
...

.

 

---
If this reply helps you, an upvote would be appreciated.
0 Karma

jip31
Builder

I have already done this and it works if I put the token before the stats command

| search ProductName="browser_*" AND RESPONSIBLE_USER=*ABCDE* 
| stats last(SITE) as SITE, values(DEPARTMENT) as DEPARTMENT, values(RESPONSIBLE_USER) as RESPONSIBLE_USER, count(eval(SourceName="Application Error")) as "Number of Errors", count(eval(SourceName="Application Hang")) as "Number of Hang", count as "Number of crashes" by ProductName 

but.....

For this search, I use a scheduled search

So it means that I use my filter token after the loadjob command

| loadjob savedsearch="admin:XXXX:YYYYY" 
| search RESPONSIBLE_USER=$tok_filterresponsible|s$ 

 And in this case I am unable to filter on the good RESPONSIBLE_USER....

Tags (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

The values function may produce a multi-value field that requires using the mvfind function to search.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

jip31
Builder

Have you an example please?

Tags (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust
| loadjob savedsearch="admin:XXXX:YYYYY" 
| where isnotnull(mvfind(RESPONSIBLE_USER, $tok_filterresponsible|s$)))

mvfind looks in the multi-value field for the given string.  If successful, it returns an index into the field; otherwise, it returns NULL.

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!