×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Awanish1212
Explorer
Member since: ‎07-13-2023
‎10-24-2023
Community Statistics
Posts 8
Solutions 0
Karma Given 4
Karma Received 0
Member Since ‎07-13-2023
Activity Feed
View All

Re: Splunk Table Query

by in Splunk Search
‎10-24-2023 12:59 PM
‎10-24-2023 12:59 PM
Thank you very much! ... View more

Splunk Table Query

by in Splunk Search
‎10-18-2023 12:26 AM
‎10-18-2023 12:26 AM
These are the sample parameters for index, host, source index="production" host="abc.com-i-1234" source="Log-*-3333-abc4j.log" Suppose there are three Splunk queries as shown below: ---------------------------------------- Query 1: index="production" host="abc.com-*" source="Log-*" | eval ID=substr(host,9,7) | dedup ID| table ID Suppose it gives output as : ID i-1234 i-5678 i-9123 i-4567   ------------------------------ Query 2: index="production" host="abc.com-$field2$" source="Log-*-*-abc4j.log" | eval Sub_ID = mvindex(split(source,"-"),2) | dedup Sub_ID | table Sub_ID Suppose it gives output as : Sub_ID 111 222 3333 4444 555 666 7777 8888   where, $field2$ denotes the "ID" generated from Query 1 and each "ID" from Query 1 is mapped to two values of "Sub_ID" generated from Query 2. E.g if the query was- index="production" host="abc.com-i-1234" source="Log-*-*-abc4j.log" | eval Sub_ID = mvindex(split(source,"-"),2) | dedup Sub_ID | table Sub_ID it will give output as: Sub_ID 111 222 ------------------------------------------- Query 3: index="production" host="abc.com-$field2$" source="Log-*-$field3$-log4j.log" | dedup RP_Remote_User | table RP_Remote_User | stats count as events Suppose it gives output as : events: 52 where, $field2$ denotes the "ID" generated from query 1 and $field3$ denotes the "Sub_ID" generated from Query 2 E.g if the query was- index="production" host="abc.com-i-1234" source="Log-*-3333-log4j.log" | dedup RP_Remote_User | table RP_Remote_User | stats count as events it will give output as: (on the basis of "ID" : i-1234 and "Sub_ID":3333) events: 52 --------------------------------------- Could you please help me with the Splunk query to generate the output in tabular format as below (count of events corresponding to each ID and its Sub_ID) with the help of above mentioned three queries: ID Sub_ID Events i-1234 111 38   222 48 i-5678 3333 52   4444 45 i-9123 555 23   666 34 i-4567 7777 12   8888 29 ... View more
Labels

Splunk Search Query

by in Splunk Search
‎07-14-2023 09:11 PM
‎07-14-2023 09:11 PM
Suppose there are 10 events as "raw text" in Splunk in last 7 days as below : Event 1 : 7/11/23 5:28:33.265 PM "host":"111.123.23.34","level":1,"msg":"cricket score : 10","time":"2023-07-11T17:28:33.265Z" Event 2 : 7/11/23 6:28:33.265 PM "host":"111.123.23.34","level":2,"msg":"cricket score : 20","time":"2023-07-11T18:28:33.265Z" Event 3 : 7/12/23 5:28:33.265 PM "host":"111.123.23.34","level":3,"msg":"cricket score : 30","time":"2023-07-12T17:28:33.265Z" Event 4 : 7/12/23 6:28:33.265 PM "host":"111.123.23.34","level":4,"msg":"cricket score : 40","time":"2023-07-12T18:28:33.265Z" Event 5 : 7/13/23 5:28:33.265 PM "host":"111.123.23.34","level"5,"msg":"cricket score : 50","time":"2023-07-13T17:28:33.265Z" Event 6 : 7/13/23 6:28:33.265 PM "host":"111.123.23.34","level":1,"msg":"cricket score : 10","time":"2023-07-13T18:28:33.265Z" Event 7 : 7/14/23 5:28:33.265 PM "host":"111.123.23.34","level":2,"msg":"cricket score : 20","time":"2023-07-14T17:28:33.265Z" Event 8 : 7/14/23 6:28:33.265 PM "host":"111.123.23.34","level":3,"msg":"cricket score : 30","time":"2023-07-14T18:28:33.265Z" Event 9 : 7/15/23 5:28:33.265 PM "host":"111.123.23.34","level":4,"msg":"cricket score : 40","time":"2023-07-15T17:28:33.265Z" Event 10 : 7/15/23 6:28:33.265 PM "host":"111.123.23.34","level"5,"msg":"cricket score : 50","time":"2023-07-15T16:28:33.265Z" So I need to create a Splunk query to get output as below in table format. Date -  Sum of cricket Score on that particular date Date - Total Cricket Score 2023-07-11 - 30 2023-07-12 - 70 2023-07-13 - 60 2023-07-14 - 50 2023-07-15 - 90 Request your help for the same. ... View more

Re: Splunk query

by in Splunk Search
‎07-13-2023 06:43 AM
‎07-13-2023 06:43 AM
Thanks  ... View more

Re: Splunk query

by in Splunk Search
‎07-13-2023 06:42 AM
‎07-13-2023 06:42 AM
thanks ... View more

Splunk query

by in Splunk Search
‎07-13-2023 03:28 AM
‎07-13-2023 03:28 AM
Suppose there are 5 events in raw text in Splunk as below: "host":"111.123.23.34","level":1,"msg":"cricket score : 10","time":"2023-07-11T17:28:33.265Z" "host":"111.123.23.34","level":2,"msg":"cricket score : 20","time":"2023-07-11T17:28:33.265Z" "host":"111.123.23.34","level":3,"msg":"cricket score : 30","time":"2023-07-11T17:28:33.265Z" "host":"111.123.23.34","level":4,"msg":"cricket score : 40","time":"2023-07-11T17:28:33.265Z" "host":"111.123.23.34","level"5,"msg":"cricket score : 50","time":"2023-07-11T17:28:33.265Z" So I need to create a Splunk query to get output as below. Total Number of events (sum of all events) 5 Total Score (sum of all cricket score) 150 Request your help for the same. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎10-24-2023 04:22 PM
Karma given to