Hello Splunkers!!
As you can see in the search below, we use several join commands to get results from the same index and sourcetype. Because of the multiple join commands, the query has become slow. Please help me: how can I use a single join command to get the results for all the fields? "| fields - Total_Orders, Errors, Technical_Error, Operational_Error" <search>
``` Join 1: daily count of events that carry an ErrorId, joined onto the outer <search> results by _time. ```
``` join defaults to type=inner, so outer rows with no matching _time in the subsearch are dropped; max=0 removes the cap on subsearch rows matched per outer row. ```
``` NOTE(review): join subsearches are bounded by the result and runtime limits in limits.conf. If a limit is hit the subsearch is cut short and the daily counts come out low without the search failing, so check the Job Inspector before trusting the numbers. ```
``` The wildcard index clause in the subsearch is ANDed with index=abc, so it does not change which events match. ```
| join max=0 _time
[| search ((index=* OR index=_*) index=abc sourcetype=abc)
``` This wide field list is narrowed again a few commands later; only ErrorId and _time reach the timechart. ```
| fields + _time, host, source, sourcetype, Active, ErrorCode, ErrorDescription, ErrorDuration, ErrorId, From, Id, Location, ModuleId, OperationalWeighingFactor, ShuttleId, TechnicalWeighingFactor, TraceFlags, TraceId, TraceVersion, Version, date_hour, date_mday, date_minute, date_month, date_second, date_wday, date_year, index, Recoverable
``` Derive the ISO week number and calendar parts from _time, overwriting any extracted date_* values of the same name. ```
| eval weeknum=strftime('_time',"%V")
| eval date_year=strftime('_time',"%Y"), date_month=strftime('_time',"%B"), day_week=strftime('_time',"%A"), date_mday=strftime('_time',"%d"), date_hour=strftime('_time',"%H"), date_minute=strftime('_time',"%M")
``` Each field="*" term only requires that the field exists. The date and week fields were just derived from _time, so ShuttleId=* is presumably the only term that removes events. TODO confirm ```
| search (date_year="*" date_month="*" weeknum="*" day_week="*" date_hour="*" date_minute="*" ShuttleId=*)
| fields + Id, _time, ErrorId, ErrorDescription
| table ErrorId, _time
``` count(ErrorId) counts the events in each time bucket that have an ErrorId value. NOTE(review): the span value 1d@d1 is unusual; confirm it produces the intended daily buckets. ```
| timechart span="1d@d1" count(ErrorId) as "Errors"]
``` sort 0 lifts the default result cap of the sort command so every row is kept. ```
| sort 0 _time
``` Total_Orders is not produced anywhere in the visible pipeline; presumably it comes from the elided <search>. Missing values are replaced with 0. ```
| fillnull Total_Orders Errors value="0"
``` Errors per 10,000 orders, rounded to a whole number. NOTE(review): a day whose Total_Orders is 0 divides by zero here; confirm how such days should be reported. ```
| eval Total_Error_Per_10000_Order=round(((Errors / Total_Orders) * 10000),0)
``` Join 2: re-reads the same index and sourcetype with the same filters as join 1, this time counting per day the events whose TechnicalWeighingFactor is above 0.01. ```
| join max=0 _time
[| search ((index=* OR index=_*) index=abc sourcetype=abc)
| fields + _time, host, source, sourcetype, Active, ErrorCode, ErrorDescription, ErrorDuration, ErrorId, From, Id, Location, ModuleId, OperationalWeighingFactor, ShuttleId, TechnicalWeighingFactor, TraceFlags, TraceId, TraceVersion, Version, date_hour, date_mday, date_minute, date_month, date_second, date_wday, date_year, index, Recoverable
| eval weeknum=strftime('_time',"%V")
| eval date_year=strftime('_time',"%Y"), date_month=strftime('_time',"%B"), day_week=strftime('_time',"%A"), date_mday=strftime('_time',"%d"), date_hour=strftime('_time',"%H"), date_minute=strftime('_time',"%M")
| search (date_year="*" date_month="*" weeknum="*" day_week="*" date_hour="*" date_minute="*" ShuttleId=*)
| fields + Id, _time, ErrorId, ErrorDescription, TechnicalWeighingFactor
| rename TechnicalWeighingFactor as Technical_Error
| table _time, ErrorId, Technical_Error
``` Keep only events whose technical weighting factor exceeds 0.01, then count them per time bucket. ```
| search Technical_Error>0.01
| timechart span="1d@d1" count(Technical_Error) as "Technical_Error"
| fillnull Technical_Error value="0"]
| fillnull Total_Orders Technical_Error value="0"
``` Technical errors per 10,000 orders; the same Total_Orders of 0 caveat applies as for the first ratio. ```
| eval Technical_Error_Per_10000_Order=round(((Technical_Error / Total_Orders) * 10000),0)
``` Join 3: third pass over the same index and sourcetype, counting per day the events whose OperationalWeighingFactor is above 0.01. ```
``` NOTE(review): all three subsearches read identical events and differ only in what they count, so the same data is scanned three times. ```
| join max=0 _time
[| search ((index=* OR index=_*) index=abc sourcetype=abc)
| fields + _time, host, source, sourcetype, Active, ErrorCode, ErrorDescription, ErrorDuration, ErrorId, From, Id, Location, ModuleId, OperationalWeighingFactor, ShuttleId, TechnicalWeighingFactor, TraceFlags, TraceId, TraceVersion, Version, date_hour, date_mday, date_minute, date_month, date_second, date_wday, date_year, index, Recoverable
| eval weeknum=strftime('_time',"%V")
| eval date_year=strftime('_time',"%Y"), date_month=strftime('_time',"%B"), day_week=strftime('_time',"%A"), date_mday=strftime('_time',"%d"), date_hour=strftime('_time',"%H"), date_minute=strftime('_time',"%M")
| search (date_year="*" date_month="*" weeknum="*" day_week="*" date_hour="*" date_minute="*" ShuttleId=*)
| fields + Id, _time, ErrorId, ErrorDescription, OperationalWeighingFactor
| rename OperationalWeighingFactor as Operational_Error
| table _time, ErrorId, Operational_Error
``` Keep only events whose operational weighting factor exceeds 0.01, then count them per time bucket. ```
| search Operational_Error>0.01
| timechart span="1d@d1" count(Operational_Error) as "Operational_Error"
| fillnull Operational_Error value="0"]
| fillnull Total_Orders Operational_Error Technical_Error value="0"
``` Operational errors per 10,000 orders; the same Total_Orders of 0 caveat applies. ```
| eval Operational_Error_Per_10000_Order=round(((Operational_Error / Total_Orders) * 10000),0)
``` Drop the intermediate counters so only the per-10,000 ratios and whatever other fields the outer search carries remain. ```
| fields - Total_Orders, Errors, Technical_Error, Operational_Error