I have the following query:    application_id=12345 STATUS_CODE IN (300, 400, 500)| head 10   How can I modify this such that I can get 2 unique rows where STATUS_CODE is 300, 2 unique rows where STATUS_CODE is 400, 2 unique rows where STATUS_CODE is 500 and so on?  Above query ends up fetching 10 rows of the first ones it can find thus end up with all 10 rows as STATUS_CODE as 300 in correctly. Pls advice. Thanks.   ... View more

I have the following query. The key TEST_DECISION has 4x possible outcomes. CALL_FAILED, VALID, INVALID, NOT_CALLED. ns=test* TEST_DECISION PRODUCT IN (SAMPLE_123) | timechart span=5m limit=0 count by TEST_DECISION The output is as follows: _time CALL_FAILED VALID INVALID NOT_CALLED 2020-04-14T05:50:00.000-0700 11 83 7 46 2020-04-14T05:55:00.000-0700 6 60 6 42 2020-04-14T06:00:00.000-0700 8 78 19 55 2020-04-14T06:05:00.000-0700 11 86 19 59 2020-04-14T06:10:00.000-0700 10 94 17 71 2020-04-14T06:15:00.000-0700 8 67 17 63 2020-04-14T06:20:00.000-0700 2 19 4 17 Is there a way I could show % instead? I only care about VALID and INVALID. Thus I want to get the following instead. For first row 100% will be 83(valid) + 7(invalid) Thus I want to achieve following VALID INVALID 92.22% 7.77% Please advice if there is a way I could achieve this. Thank you. ... View more

index=my-index ns=my-namespace app_name=my-api DECISION IN (YES, NO) | chart list(DECISION) BY PRODUCT_ID For above query, how could I possibly chart it for a query of 90 days. I want the data to be shown weekly. There are 11 possible ids for the value PRODUCT_ID. Thus total 3 things to consider. PRODUCT_ID (11 types), DECISION (2 types) and the timeline to be shown weekly for a 90 day period. How can I chart this in Splunk? Bit confused as to what chart would fit this scenario and how to write the query to chart this. Appreciate any advice. Thanks. ... View more

1st query ns=mynamespace* app_name=A-api API=GET_INITIAL_DATA NAME=* 2nd query ns=mynamespace* app_name=B-api API=GET_FINAL_DATA NAME=* I have the following 2 queries. Each is querying a micro service's logs. But I do not want to call them individually and looking to have a single query. I want to be able to match 1st query against the 2nd query based on name. I am trying to get a % and also total count. Trying to achieve something like the following: GET_INITIAL_DATA Total count: 10000000 GET_FINAL_DATA count that matched NAME in 1st call : 8000000 Matching call Percentage : 80% Non Matching call Percentage : 20% and show that in a chart divided weekly over a 3month period. Is there a way to do this? I am expecting millions of records thus it would not make sense for me to make the first query, get all the names (millions of em) and then use that data to make second call. Please assist. Thank you. ... View more

I am using the following query to split my data to show the average, min, and max based on the fields. But, I seem to be getting a total value instead of a proper split. Expected outcome: (I am open to ideas if there is a better way of displaying this) average maximum minimum environment app_name 10 100 2 env 1 service 1 12 180 3 env 1 service 2 13 110 22 env 1 service 3 34 100 21 env 1 service 4 66 290 0 env 1 service 5 10 100 2 env 2 service 1 12 180 3 env 2 service 2 13 110 22 env 2 service 3 34 100 21 env 2 service 4 66 290 0 env 2 service 5 Actual outcome average maximum minimum environment app_name 134 100 12 env 1 service 1 env 2 service 2 service 3 service 4 service 5 Search used: some_search=* environment=* some_time=* | chart avg(some_time) as average, max(some_time) as maximum, min(some_time) as minimum, values(environment) as environment, values(app_name) ... View more

How do I pass in a default value for a single value chart? As in I am not looking to search anything for now in the search query. For example, I just want the chart to display the number 1.10. Is this possible? Tried following in the search query but it doesn't work returning no result. | eval myVal=1.10 | table myVal ... View more