I want to run a Splunk query for all the values in a CSV file, substituting each value for the field from the CSV file. I've imported the file into Splunk as an input lookup table, and I'm able to view the fields using an inputlookup query. But I want to run that with all the subqueries where I'm fetching the maximum count on a per-hour, per-day, per-week and per-month basis.
The input file is ids.csv, which has around 800 rows and just one column, like below:
The query that I'm using:
| inputlookup ids.csv | fields ids as id
| [search index="abc" id "search string here" | bin _time span="1hour" | stats count as maxHour by _time | sort - count | head 1]
| appendcols [search index="abc" id "search string here" | bin _time span="1day" | stats count as maxDay by _time | sort - count | head 1]
| appendcols [search index="abc" id "search string here" | bin _time span="1week" | stats count as maxWeek by _time | sort - count | head 1]
| appendcols [search index="abc" id "search string here" | bin _time span="1month" | stats count as maxMonth by _time | sort - count | head 1]
I'm not getting the expected results from this. I'm expecting a tabular format where I get the count for each time range for the specific ID, by passing the ID field into the search subquery.
How can I solve this?
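One way to get a per-ID table of maximum bucket counts, written here as an added example rather than code from the post: instead of running the subsearches without the ID and gluing their rows together with appendcols (which pairs rows by position, not by ID), feed the lookup into the base search as a subsearch and let stats group by id. The lookup name ids.csv, the lookup column ids, the event field id, the index and the placeholder "search string here" are taken from the post; the hourly buckets are rolled up into day, week and month totals with eventstats, which assumes that every day/week/month boundary falls on an hour boundary.

```spl
index="abc" "search string here"
    [ | inputlookup ids.csv | rename ids AS id | fields id ]
| bin _time span=1h
| stats count AS hourCount BY id _time
| eval day=relative_time(_time, "@d"),
       week=relative_time(_time, "@w0"),
       month=relative_time(_time, "@mon")
| eventstats sum(hourCount) AS dayCount BY id day
| eventstats sum(hourCount) AS weekCount BY id week
| eventstats sum(hourCount) AS monthCount BY id month
| stats max(hourCount) AS maxHour
        max(dayCount) AS maxDay
        max(weekCount) AS maxWeek
        max(monthCount) AS maxMonth
        BY id
```

The subsearch expands to (id="v1") OR (id="v2") ... for every row of the lookup, so only events for the listed IDs are read, and each ID ends up as exactly one row with its four maxima. A bare id term, as in the post's query, searches for the literal word "id" rather than constraining the field.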
My data looks like this; I've grouped it by a common field. I want to match the date_mday and get the sum of the events for that day.
commonField  list(field1)  list(field2)  list(date_mday)  list(count)
abc          f222          efg           20               10
abc          f333          ccc           20               20
abc          f222          efg           20               30
abc          f334          ccc           20               40   -- sum of count for same date_mday: 10 + 20 + 30 + 40 = 100
abc          f114          ddd           19               10
abc          f113          ccd           19               9    -- sum of count for outliers for same date_mday: 10 + 9 = 19
def          f222          efg           22               10
def          f333          ccc           22               25   -- sum of count for same date_mday: 10 + 25 + 5 = 40
def          f111          bbb           22               5
def          f111          bbb           20               15
There are some outliers (in italic) in the data. Then I want to get the percentage of the outliers vs. the total sum.
I'm using the stats command to group the data, running over a 30-day range, like this:
search string here | stats list(field1),list(field2),list(date_mday),list(count) by commonField
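An added example (not the post's own query) of getting the per-day sums and the outlier percentage directly from stats, rather than from list() columns that have to be summed by eye. Since the italics marking the outliers did not survive, the example assumes a field named is_outlier with the value "true" on outlier events; the field names commonField, date_mday and count and the placeholder "search string here" are from the post. The percentage is computed both against the same day's total and against the whole commonField group, because the post does not say which denominator is meant.

```spl
search string here
| stats sum(count) AS dayTotal
        sum(eval(if(is_outlier="true", count, 0))) AS outlierTotal
        BY commonField date_mday
| eventstats sum(dayTotal) AS groupTotal BY commonField
| eval outlierPctOfDay=round(100 * outlierTotal / dayTotal, 2),
       outlierPctOfGroup=round(100 * outlierTotal / groupTotal, 2)
| sort commonField date_mday
```

With the sample rows above, the row for abc on day 20 has dayTotal 100 and the row for abc on day 19 has dayTotal 19; if both day-19 rows are the outliers, outlierTotal for that row is 19 and groupTotal for abc is 119. Grouping by date_mday alone works within a 30-day range only while the days do not repeat; use bin _time span=1d when the range can span two months.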
search string1 - [ field1 ]
search string2 - [ field1 field2 ]
search string3 - [ field1 field2 ]
I want the results of search string 1 to be matched with search string 2 by the common field (which is field 1), and the results of that to be matched with search string 3, where the common field is field 2. Then I want to get those results as output with the earliest of field 1 and the latest of field 2.
I've tried the subsearch command with join, but it doesn't generate the required results. I also tried append.
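An added example of the two-step join described above; it is not the post's code. It reads "search string1/2/3" as placeholders for the three base searches, and takes "earliest of field 1" to mean the earliest event time per field1 in search 1 and "latest of field 2" to mean the latest event time per field2 in search 3 (both are assumptions). Each subsearch is reduced with stats before the join so that join only has to match one row per key.

```spl
search string1
| stats earliest(_time) AS firstSeen BY field1
| join type=inner field1
    [ search string2
      | stats values(field2) AS field2 BY field1
      | mvexpand field2 ]
| join type=inner field2
    [ search string3
      | stats latest(_time) AS lastSeen BY field2 ]
| eval firstSeen=strftime(firstSeen, "%F %T"),
       lastSeen=strftime(lastSeen, "%F %T")
| table field1 field2 firstSeen lastSeen
```

The mvexpand after the first subsearch matters when a field1 value maps to several field2 values: values() packs them into one multivalue cell, and join would otherwise compare the whole cell against field2 in the third search. The subsearch results inside join are subject to Splunk's subsearch result limits, so for large result sets a single base search combining all three with OR, followed by stats, scales better than join.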