- Splunk Answers
- :
- Using Splunk
- :
- Splunk Dev
- :
- How to store Multi Value Field with its sum of num...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear All,
I am trying to store some aggregated values so that my query will perform better way when searching time is of 6-8 months.
Use case:
_time Environment BG ApplicationName Interface ErrorType
22-05-2021 01:12:33 E B K Z TimeOut
22-05-2021 01:13:33 E B K Z HttpConnectivityErr
22-05-2021 01:14:33 E B K Z TimeOut
22-05-2021 01:15:33 E B K Z HttpConnectivityErr
22-05-2021 01:16:33 E B K Z TimeOut
22-05-2021 01:17:33 E B K Z HttpConnectivityErr
22-05-2021 01:18:33 E B K Z HttpConnectivityErr
22-05-2021 01:19:33 E B K Z HttpConnectivityErr
Expected Output:
bin span 4m _time
_time Environment BG ApplicationName Interface ErrorType(multiValue)
22-05-2021 01:12:33 E B K Z TimeOut_2
HttpConnectivityErr_2
22-05-2021 01:16:33 E B K Z TimeOut_1
HttpConnectivityErr_3
What i want is for a span of 4 min i need unique "ErrorType" column along with its count group by Environment,BG,ApplicationName,Interface.
Please help me out with it.
Regards,
Santosh
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the reply. I will test from my side today and update you on that.
Regards,
Santosh
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults
| eval _raw="time,Environment,BG,ApplicationName,Interface,ErrorType
22-05-2021 01:12:33,E,B,K,Z,TimeOut
22-05-2021 01:13:33,E,B,K,Z,HttpConnectivityErr
22-05-2021 01:14:33,E,B,K,Z,TimeOut
22-05-2021 01:15:33,E,B,K,Z,HttpConnectivityErr
22-05-2021 01:16:33,E,B,K,Z,TimeOut
22-05-2021 01:17:33,E,B,K,Z,HttpConnectivityErr
22-05-2021 01:18:33,E,B,K,Z,HttpConnectivityErr
22-05-2021 01:19:33,E,B,K,Z,HttpConnectivityErr"
| multikv forceheader=1
| fields - _* linecount
| eval _time=strptime(time,"%d-%m-%Y %H:%M:%S")
| bin _time span=4m
| stats count by _time Environment BG ApplicationName Interface ErrorType
| eval ErrorType=ErrorType."_".count
| stats values(ErrorType) as ErrorType by _time Environment BG ApplicationName Interface- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the reply. I will test from my side today and update you on that.
Regards,
Santosh
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
