Splunk Search

Status of held data has to complete within the day itself.

Anud
Path Finder

Hi Team,

When the status is H, it has to complete within the day itself.
The expected output for the sample data below is a count of 2 completed overall within the day.

Thanks in Advance!

Sample output below:

_timeOVERALDTNUMSTATFMWLMCSOBEMRCERST
2024-03-07T01:50:00.000-05:00X202403075CCCHXXXXX
2024-03-07T03:30:10.000-05:00X202403075CCCPXXXXX
2024-03-07T03:40:07.000-05:00X202403075CCHHHHHHH
2024-03-07T06:10:14.000-05:00X202403075CCCIXXXXX
2024-03-07T07:10:16.000-05:00X202403075CCCHXXXXX
2024-03-07T07:30:17.000-05:00X202403075CCCIXXXXX
2024-03-07T08:20:18.000-05:00X202403075CCCCICICC
2024-03-07T08:30:22.000-05:00C202403075CCCCCCCCC
2024-03-07T02:20:01.000-05:00X202403075CCCXXXXXX
2024-03-07T03:30:10.000-05:00X202403075CCCPXXXXX
2024-03-07T03:40:07.000-05:00X202403075CCHHHHHHH
2024-03-07T07:10:16.000-05:00X202403075CCCHXXXXX
2024-03-07T07:30:17.000-05:00X202403075CCCIXXXXX
2024-03-07T08:20:18.000-05:00X202403075CCCCICICC
2024-03-07T08:30:22.000-05:00C202403075CCCCCCCCC
2024-03-07T010:30:10.000-05:00X202403075CCCPXXXXX
2024-03-07T22:40:07.000-05:00X202403075CCHHHHHHH
2024-03-07T22:10:16.000-05:00X202403075CCCHXXXXX
2024-03-07T23:30:17.000-05:00X202403085CCCIXXXXX
2024-03-07T00:20:18.000-05:00X202403085CCCCICICC
2024-03-08T08:30:22.000-05:00C202403085CCCCCCCCC

ITWhisperer
SplunkTrust

"when the status is H and it has to complete within the day itself." - how is this determined from the data?


Anud
Path Finder

Comparing both _time and DT and the NUM (different NUMs will be there). In the sample data I have the same NUM.


ITWhisperer
SplunkTrust

You haven't really explained how you get to a count of 2 given your sample data. Please can you explain your process?


Anud
Path Finder

H status at:

2024-03-07T01:50:00.000-05:00X20240307
2024-03-07T03:40:07.000-05:00X20240307

C status at:

2024-03-07T08:30:22.000-05:00C20240307
2024-03-07T08:30:22.000-05:00C20240307

So here the count is 2.

One more H status at:

2024-03-07T22:40:07.000-05:00X20240307

But it's not completed within the day:

2024-03-08T08:30:22.000-05:00C20240308

ITWhisperer
SplunkTrust

So why not just count the C's in one day?


Anud
Path Finder

We particularly need to know how many H statuses were going to C within the day (12 AM to 11:59 PM).


ITWhisperer
SplunkTrust

How do you determine what the day is because in your example DT doesn't always equate to the date shown in _time?


ITWhisperer
SplunkTrust

Assuming DT is the date you want to use and you already have your data in this format, try this

| untable DT category state
| where state="H" or (category="OVERAL" and state="C")
| streamstats window=1 current=f values(state) as previous by DT
| where state="C" and previous="H"
| stats count
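
The same counting logic, re-implemented in Python as an added example (not code from this thread or from Splunk) so it can be run offline against a hand-copied version of the sample data. It mirrors the untable / where / streamstats / where / stats pipeline above step by step. The seven category names after NUM are not legible in the pasted sample, so they are labelled COL1..COL9 as placeholders; the event tuples are a constructed copy of the sample, with the malformed "T010:30:10" timestamp written as "T10:30:10".

```python
"""Offline reimplementation of the same-day "H then OVERAL=C" count.

Mirrors this SPL pipeline from the thread:
  | untable DT category state
  | where state="H" or (category="OVERAL" and state="C")
  | streamstats window=1 current=f values(state) as previous by DT
  | where state="C" and previous="H"
  | stats count
"""

# Constructed copy of the thread's sample data:
# (_time, OVERAL, DT, NUM, states of the remaining categories COL1..COL9)
SAMPLE_EVENTS = [
    ("2024-03-07T01:50:00.000-05:00", "X", "20240307", "5", "CCCHXXXXX"),
    ("2024-03-07T03:30:10.000-05:00", "X", "20240307", "5", "CCCPXXXXX"),
    ("2024-03-07T03:40:07.000-05:00", "X", "20240307", "5", "CCHHHHHHH"),
    ("2024-03-07T06:10:14.000-05:00", "X", "20240307", "5", "CCCIXXXXX"),
    ("2024-03-07T07:10:16.000-05:00", "X", "20240307", "5", "CCCHXXXXX"),
    ("2024-03-07T07:30:17.000-05:00", "X", "20240307", "5", "CCCIXXXXX"),
    ("2024-03-07T08:20:18.000-05:00", "X", "20240307", "5", "CCCCICICC"),
    ("2024-03-07T08:30:22.000-05:00", "C", "20240307", "5", "CCCCCCCCC"),
    ("2024-03-07T02:20:01.000-05:00", "X", "20240307", "5", "CCCXXXXXX"),
    ("2024-03-07T03:30:10.000-05:00", "X", "20240307", "5", "CCCPXXXXX"),
    ("2024-03-07T03:40:07.000-05:00", "X", "20240307", "5", "CCHHHHHHH"),
    ("2024-03-07T07:10:16.000-05:00", "X", "20240307", "5", "CCCHXXXXX"),
    ("2024-03-07T07:30:17.000-05:00", "X", "20240307", "5", "CCCIXXXXX"),
    ("2024-03-07T08:20:18.000-05:00", "X", "20240307", "5", "CCCCICICC"),
    ("2024-03-07T08:30:22.000-05:00", "C", "20240307", "5", "CCCCCCCCC"),
    ("2024-03-07T10:30:10.000-05:00", "X", "20240307", "5", "CCCPXXXXX"),
    ("2024-03-07T22:40:07.000-05:00", "X", "20240307", "5", "CCHHHHHHH"),
    ("2024-03-07T22:10:16.000-05:00", "X", "20240307", "5", "CCCHXXXXX"),
    ("2024-03-07T23:30:17.000-05:00", "X", "20240308", "5", "CCCIXXXXX"),
    ("2024-03-07T00:20:18.000-05:00", "X", "20240308", "5", "CCCCICICC"),
    ("2024-03-08T08:30:22.000-05:00", "C", "20240308", "5", "CCCCCCCCC"),
]


def untable(events):
    """Flatten each event into (DT, _time, category, state) rows,
    like `untable DT category state`. OVERAL is emitted first for each
    event because it is the first category column in the sample."""
    rows = []
    for ts, overall, dt, _num, others in events:
        rows.append((dt, ts, "OVERAL", overall))
        for i, state in enumerate(others, start=1):
            rows.append((dt, ts, f"COL{i}", state))  # COL<n>: placeholder names
    return rows


def held_completed_same_day(events):
    """Return (count, completions): completions lists the _time of every
    OVERAL=C row whose previous kept row within the same DT was an H."""
    previous = {}      # last kept state per DT (streamstats ... by DT)
    completions = []
    for dt, ts, category, state in untable(events):
        # where state="H" or (category="OVERAL" and state="C")
        if not (state == "H" or (category == "OVERAL" and state == "C")):
            continue
        # where state="C" and previous="H"
        if state == "C" and previous.get(dt) == "H":
            completions.append(ts)
        # streamstats window=1 current=f values(state) as previous by DT
        previous[dt] = state
    return len(completions), completions


if __name__ == "__main__":
    count, when = held_completed_same_day(SAMPLE_EVENTS)
    print(count, when)   # 2 completions, both at 08:30:22 on DT 20240307
```

Two things the run makes visible. First, the H at 22:40 on DT 20240307 is closed by an OVERAL=C tagged DT 20240308, so it is never counted: the day is keyed on DT, not on _time, which is the distinction ITWhisperer asked about. Second, streamstats is order dependent: the sample is not in _time order (the second batch restarts at 02:20), and sorting the events by _time first would put the two OVERAL=C rows next to each other, so the second one would see previous="C" and the count would drop from 2 to 1. Make sure the events reach the pipeline in the order you intend.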

Anud
Path Finder

Thanks for your query!
I have applied the logic along with the query, and it is working as expected.
Please let me know the earliest and latest logic for 12:00 AM to 11:59 PM.


ITWhisperer
SplunkTrust

I am glad it works - what does your query about earliest and latest mean?
