Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to merge two diff queries, but display only if the patching has happened?

haripotu
Loves-to-Learn Everything
‎06-06-2023 12:48 PM

Index = prod-x7 host IN ( 12345678) sourcetype=“Wineventlog” Eventcode=“19”

|eval patching = if(eventcode =“19”, “ok”, “not ok”)

If events are found then search server availability i.e.,

index= server_123 host in (12345678) uri_stem IN (http/hltchck)

| status count eval( status=100) as success, count as total by _time

|eval Percent = round((Success/total)*100,2)

| table Percent

 

how to merge this two diff querys. But display only if the patching has happened 

Labels (2)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-06-2023 11:28 PM

Hi @haripotu,

at first, in  the first search, if you put the condition EventCode=19, the second row is useless because you have only ok events.

Then, if you want to use _time in a stats command, you have to group timestamps using the bin, command, e.g. for one hour.

so you can merge the two searches in this way:

index= server_123 host IN (12345678) uri_stem IN (http/hltchck) [ search index=prod-x7 host IN (12345678) sourcetype=“Wineventlog” Eventcode=“19” | fields host ]
| bin span=1h _time
| stats 
   count eval(status=100) AS success 
   count AS total 
   BY _time
|eval Percent=round((Success/total)*100,2)

Ciao.

Giuseppe

Reply

haripotu
Loves-to-Learn Everything
‎06-07-2023 08:40 PM

But i need the second percent search (percent  query) only if we find events for event code =19

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-07-2023 11:22 PM

Hi @haripotu,

if you want the percent of EventCode=19 over all the events, you could run something like this:

index= server_123 host IN (12345678) uri_stem IN (http/hltchck)fields host
| bin span=1h _time
| stats 
   count(eval(status=100) AS success 
   count AS total 
   BY _time host
| search [ search index=prod-x7 host IN (12345678) sourcetype=“Wineventlog” Eventcode=“19” | fields host ]
| stats 
   sum(count) AS Success 
   values(total) AS total
   BY _time
| eval Percent=round((Success/total)*100,2)

Ciao.

Giuseppe

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...