Hello Splunkers!! I want to compare 30 days, 60 days and 90 days of data in Splunk on the basis of APP_ID. I have written the below SPL for 30 days. Please let me know the quick and correct approach to write the SPL for the comparison of the three periods of data.

1. Should I use the join command and use the same kind of search for 60 & 90 days?

index="ito_snow" sourcetype=csv source="/opt/splunk/etc/apps/splunk_snow_tickets/bin/open_inc.sh" assignment_group="*" cmdb_ci=* earliest=-30d
| rename cmdb_ci as Hostname, state as incident_state, number as Incident_Number
| join type=outer Hostname [| inputlookup LocationMapping.csv | search Type=MFG OR Type=Mfg ]
| join type=outer Hostname [| inputlookup abc.csv | search status="decom" | eval Hostname=lower(trim(target,"*"))]
| join type=outer Hostname [| inputlookup yzN.csv | search SERVERS=* | rename SERVERS as Hostname]
| where isnull(status) AND incident_state!="Resolved"
| search OneSourceCode="*"
| eval APP_ID=if(isnull(APP_ID),"Not Mapped",APP_ID), APP_NAME=if(isnull(APP_NAME),"Not Mapped",APP_NAME), BU=if(isnull(BU),"Not Mapped",BU)
| eval APP_DETAILS=APP_NAME."(".APP_ID.")"
| table Incident_Number, BU, APP_DETAILS, short_description, assignment_group, incident_state, Hostname, Location, OneSourceCode, Environment, Source, Type, opened_at
| stats dc(Incident_Number) as "incident Count" by APP_DETAILS
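One way to get all three windows from a single search instead of three joined copies of it, as an added example that is not from the original poster: run the search once over 90 days, tag each incident with the windows it falls into, and let stats count distinct incidents per window. It assumes that _time is the time the incident was opened; if the scripted input stamps every row at collection time, derive the timestamp from opened_at first (for example `| eval _time=strptime(opened_at, "%Y-%m-%d %H:%M:%S")`, with whatever format the field actually uses). The lookups, field names and filters are kept exactly as posted.

```spl
index="ito_snow" sourcetype=csv source="/opt/splunk/etc/apps/splunk_snow_tickets/bin/open_inc.sh" assignment_group="*" cmdb_ci=* earliest=-90d@d
| rename cmdb_ci as Hostname, state as incident_state, number as Incident_Number
| join type=outer Hostname [| inputlookup LocationMapping.csv | search Type=MFG OR Type=Mfg ]
| join type=outer Hostname [| inputlookup abc.csv | search status="decom" | eval Hostname=lower(trim(target,"*"))]
| join type=outer Hostname [| inputlookup yzN.csv | search SERVERS=* | rename SERVERS as Hostname]
| where isnull(status) AND incident_state!="Resolved"
| search OneSourceCode="*"
| eval APP_ID=if(isnull(APP_ID),"Not Mapped",APP_ID), APP_NAME=if(isnull(APP_NAME),"Not Mapped",APP_NAME), BU=if(isnull(BU),"Not Mapped",BU)
| eval APP_DETAILS=APP_NAME."(".APP_ID.")"
| eval in_30d=if(_time>=relative_time(now(),"-30d@d"), Incident_Number, null()),
       in_60d=if(_time>=relative_time(now(),"-60d@d"), Incident_Number, null()),
       in_90d=Incident_Number
| stats dc(in_30d) as "Last 30 days", dc(in_60d) as "Last 60 days", dc(in_90d) as "Last 90 days" by APP_DETAILS
| sort - "Last 90 days"
```

The three helper fields hold the incident number only when the event is inside that window and null otherwise, and dc() ignores nulls, so each column is a distinct count over the matching window with no join and no second or third pass over the index. The windows overlap by design (an incident opened 10 days ago counts in all three columns), which is what a 30/60/90 comparison normally means; for non-overlapping buckets (0-30, 31-60, 61-90) replace the three evals with one `period=case(...)` field and use `chart dc(Incident_Number) over APP_DETAILS by period`. Note that `join` runs a subsearch and is subject to subsearch row and time limits; for plain CSV enrichment the `lookup` command is usually the better fit, but the joins are left as posted here.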