cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
vintik
Engager
Member since: ‎09-28-2016
‎06-05-2020
Community Statistics
Posts 4
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎09-28-2016
Activity Feed
View All

How to combine multiple queries into one?

by in Splunk Search
‎09-06-2018 01:18 AM
‎09-06-2018 01:18 AM
Hello, I have multiple queries with small differences, is it possible to combine them? Here is example: index=some_index sourcetype=some_source host=*host* (span_name=SomeSpanName1) | eval duration=span_duration/1000 | stats p99(duration) index=some_index sourcetype=some_source host=*host* (span_name=SomeSpanName2 OR span_name=SomeSpanName3) | eval duration=span_duration/1000 | stats p99(duration) index=some_index sourcetype=some_source host=*host* (span_name=SomeSpanName4) | eval duration=span_duration/1000 | stats p99(duration) The result of each query is only one column p99(duration) with value. Is it possible to combine these queries and get a result with three columns with different names (I need to know the correspondence of each column to the condition)? ... View more

Splunk stats count for several search

by in Splunk Search
‎08-13-2018 12:03 PM
‎08-13-2018 12:03 PM
Hello, I have ~15 the same queries with a little difference: (index=SOME_INDEX sourcetype=SOME_SOURCE source=... | eval API=CASE(searchmatch("xxx"), "yyy", ...) | search API=WebResponse | eval Status=case(...) | stats avg(dur) AS Avg by status_code | stats count by status_code ... (index=SOME_INDEX sourcetype=SOME_SOURCE source=... | eval API=CASE(searchmatch("xxx"), "yyy", ...) | search API=AppResponse | eval Status=case(...) | stats avg(dur) AS Avg by status_code | stats count by status_code So, all my queries are different only in one place - | search API=XXX and return result like: | status_code | count | | 201 | 10 | | 404 | 28 | etc How I can combine all above queries into one and get result as (or something like this): | status_code | count(AppResponse) | count(WebResponse) | count(Other) | | 201 | 10 | 0 | 0 | | 404 | 28 | 3 | 0 | ? ... View more

Extract field value

by in Splunk Search
‎05-03-2018 02:47 AM
‎05-03-2018 02:47 AM
Hello, Could anybody assist with this question - what method is the best to extract to new field value of "animal" key? Should I use eval or searchmatch or something else? Here is example: [some_date] ..."application":"some_app", "animal":"dog","segment":.... [some_date] ..."application":"some_app", "animal":"cat","segment":.... I need this variable to use in stats. ... View more

How to group and count data from string?

by in Splunk Search
‎09-28-2016 04:09 AM
‎09-28-2016 04:09 AM
I have the following query: sourcetype=XXX Some query for * took * seconds to load And this is a result of query: I, [2016-09-28T11:01:21.616144 #23942] INFO -- : Some query for authorizations took 8 seconds to load. JobID: 1475060473.4330475 I, [2016-09-28T11:01:21.113586 #20705] INFO -- : Some query for authentications took 9 seconds to load. JobID: 1475060472.4330474 I, [2016-09-28T11:01:20.539219 #19285] INFO -- : Some query for authentications took 8 seconds to load. JobID: 1475060472.4330473 But I need to get average time for each of operation type (authorizations and authentications from example): authorizations: 8.5 authentications: 8 Is it possible? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma given to
View All