Hello fellow Splunkers, Pretty new to using case statements in Splunk and I've run into an odd problem that I have no clue how to resolve. I'm trying to get counts based on departments. In some cases we'd like to pull numbers for specific sub-departments within a broader department; ie; mathematics and mathematics - research and mathematics - analysis - etc... What I noticed is that whenever I try to get a total count for items that have child departments those counts get omitted from the parent department's total count. ie: let's say I have several departments, some will have sub-departments and others won't. From a numbers standpoint, I only need specific one's for the sub-departments. At the same time, I need to get numbers for parent and all child-depts that fall under that parent. mathematics mathematics - research mathematics - research adv mathematics - analysis mathematics - analysis tier2 mathematics - analysis tier3 mathematics - analysis tier4 english science |searchHere |eval deptSummary = case( dept LIKE "%mathematics - analysis%", "Mth_A", dept LIKE "%mathematics - analysis tier%", "Mth_A_t", dept LIKE "%english%", "Eng", dept LIKE "%mathematics%", "Mth", dept LIKE "%science%, ""Scn") |stats count(dept) by deptSummary The problem I've run into is that the parents counts don't include numbers for any that are captured by the other LIKE statements. So if I have: mathematics - 10 mathematics - research - 1 mathematics - research adv - 5 mathematics - analysis - 5 mathematics - analysis tier1 - 10 mathematics - analysis tier2 - 1 mathematics - analysis tier3 - 1 dept LIKE "%mathematics%", "Mth", --->would come out to a total of 33 dept LIKE "%mathematics - analysis%", "Mth_A", --> would come out to 17 dept LIKE "%mathematics - analysis tier%", "Mth_A_t", --> would come out to 12 What's happening is that counts captured by the LIKE statements with the sub-departments aren't included in the parent level LIKE statement. So if I cant to see the total for the parent department I'm left with just the events that didn't match any of the other LIKE statements. The counts for the departments which have no sub-departments are accurate, so it seems to just be a problem with the tiered matching. Any suggestions how to go about this? ... View more

Hi Splunkers, I was wondering if someone could shed some insight on whether this is even possible with Splunk, if so, what is the right approach to accomplish the following. I'm using dummy data as an example, shown below. We have data which we import and for the most part only has one or two fields populated at ingest time. What I'm trying to figure out is how to go about updating the key/value pairs for specific fields on a per event basis. Using the example below the first column will always be populated when we ingest the data. What I'd like to be able to do is as we discover additional values I'd like to be able to update the specific event with the new key/value. Let's say for example I have an event Milk and the only thing I know at ingest is the price. This would be the last event. I'd like to be able to go in and have the ability to populate the event with the quantity, vendor and date. All of which in the example below are blank initially. Is this something that is supported by Splunk? Thanks for the help in advanced. Type Vendor Count Price Date Muffin abc 7.0 4.99 2016-09-01 tart xyz 10.0 1.99 2016-09-01 eggs xyy 12.0 0.99 2016-09-01 milk 1.99 ... View more

Hello Splunk experts, Hoping someone can help get me in the right path. I am running a search where I would like to default values when certain sourcetypes do not return events. For the sake of an example I'll use tstats | tstats latest(_time) WHERE index=* (sourcetype=source1 OR sourcetype=source2 OR sourcetype=source3) by index host sourcetype |table host, sourcetype, latest(_time) Now, how can I force or create an N/A value when any of the defined sourcetypes in my search do not return any events? ie; let's say I have events for the source1 and source2, but no results come back for source3. Is there a way to default a value or better way to approach this? host1 source1 1471968565 host2 source2 1471968565 N/A source3 N/A Thanks for the help ... View more

Hello Splunkers, Hoping someone can help or point me in the right direction. I am trying to color code my single value string based on value ranges they fall under. Here is my XML. What I am trying to do is make the string RUNNING green and DOWN red. What am I missing here? I'm on version 6.4. Thanks for all the help in advance. <query>|stats count| fields - count | eval diff=2000| eval status=case(diff<=1500, "RUNNING", diff >1501, "DOWN") |rangemap field=status low=0-1500 severe=1501-9999</query> <earliest>0</earliest> <latest></latest> </search> <option name="classField">range</option> <option name="field">status</option> <option name="drilldown">none</option> <option name="colorBy">value</option> <option name="colorMode">none</option> <option name="numberPrecision">0</option> <option name="rangeColors">["0x65a637","0x555555"]</option> <option name="showSparkline">1</option> <option name="showTrendIndicator">1</option> <option name="trendColorInterpretation">standard</option> <option name="trendDisplayMode">absolute</option> <option name="unitPosition">after</option> <option name="useColors">1</option> <option name="useThousandSeparators">1</option> <option name="linkView">search</option> ... View more

Hello all, New to Splunk and been trying to figure out this for a while now. Not making much progress, so thought I'd ask the experts. I would like to count events for two fields grouped by another field. Right now, if I run the following command, I get the results I'm looking for, but the way they are being displayed is not exactly how I would like it. searchHere | stats count as total by cust_action, account | stats values(cust_action) AS action, values(total) by account This provides me something like shown below: account action total userA submitted 4 resubmitted 1 userB submitted 1 resubmitted 0 userC submitted 1 resubmitted 3 cancelled 1 What I would like to do is have the column name in the results be the value from cust_action field and put the count below each one by per account account submitted resubmitted cancelled userA 4 1 0 userB 1 0 0 userC 1 3 1 Thanks for the help in advanced. ... View more

Hello all, Trying to figure out how to search or filter based on the matches in my case statement. I guess also want to figure out if this is the correct way to approach this search. searchHere | eval status=case(ship=_pro, "processed", ship=_ma, "sent") | stats values(field1), values(field2), values(filed3), values(status) by fieldx Now, I want to search the contents of the values() function for only those that contain both strings matched in my case statement. I can't focus on a count because there are many other variations that could potentially match and thus making the count >1. Something like "if the field status contains the values: processed AND sent" in any order show me those events. Thanks for the help in advance. ... View more

Hello all, I've been trying to do the following for hours and seems like I need some assistance. We have a bunch of software versions in Splunk that we'd like to group by parent->child versioning. For example, I'd like my data to be grouped as shown below. If the value on the left side of the period matches, then they would be grouped together, regardless of the value on the left side of the . . Any grouped results that don't have at least 1 parent/child event would be ignored from the results. Valid Results - how I'd like the data to be organized/grouped Version LastSeen master 03/01/2016 master.1 01/01/2016 master.2 01/01/2016 master.3 01/01/2016 deploy 03/01/2016 deploy.001 01/01/2016 deploy.1 01/01/2016 deploy.2 01/01/2016 stage 03/01/2016 stage.2 01/01/2016 stage.3 01/01/2016 *Should be ignored because they don't have . subEvents - for example preDeploy.1, postDeploy.1 etc.. * preDeploy 03/01/2016 postDeploy 03/01/2016 devBeta 03/01/2016 Full list of events master 03/01/2016 01/02/2016 master.1 01/01/2016 01/02/2016 master.2 01/01/2016 01/02/2016 master.3 01/01/2016 01/02/2016 deploy 03/01/2016 01/02/2016 deploy.001 01/01/2016 01/02/2016 deploy.1 01/01/2016 01/02/2016 deploy.2 01/01/2016 01/02/2016 stage 03/01/2016 01/02/2016 stage.2 01/01/2016 01/02/2016 stage.3 01/01/2016 01/02/2016 preDeploy 03/01/2016 01/02/2016 postDeploy 03/01/2016 01/02/2016 devBeta 03/01/2016 01/02/2016 xrtBeta 03/01/2016 01/02/2016 ... View more