Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to search for multiple cases?

Julia1231
Communicator
‎11-22-2022 01:42 AM

Hi community,

I have 2 data sources, 1 from a csv to get the list of district (include number of population according to each district). Other sources come from PostgreSQL. The common info is the district.

After a lookup csv, I have the list of district, for ex 6 districts.

Knowing that 5 districts have the equivalent population (ex 500), another district has only 100 people living there.

I want to do the span later, to count the activities of each district and send an alert if there is no activity of a district. But the difficulty is the span is not the same amongs all the districts. 

I want to let span =1 day for 5 districts which have 500 people, and 5 days for the district with 100 population. 

In a same search, can I do a case or if else to separate 2 cases?

Here is what I'm doing:

|dbxquery connection="database" query=" SELECT * FROM table"
|lookup lookup.csv numero OUTPUT DISTRICT
|eval list_district = "1,2,3,4,5,6"
|eval split_list_district= split(list_district,",")
|mvexpand split_list_district
|where DISTRICT=split_list_district
|eval _time=strptime(time_receive,"%Y-%m-%dT%H:%M:%S.%N")
|eval _comment="Can we do something here to separate 2 cases"
|bin _time span=1h
|chart sum(count_activity) as count by _time DISTRICT

......

Labels (3)
Labels
Tags (2)
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎11-22-2022 08:38 AM

Assuming there's a field "population" in the data, you can use relative_time.  Something like

|dbxquery connection="database" query=" SELECT * FROM table"
|lookup lookup.csv numero OUTPUT DISTRICT
|eval list_district = "1,2,3,4,5,6"
|eval split_list_district= split(list_district,",")
|mvexpand split_list_district
|where DISTRICT=split_list_district
|eval _time=strptime(time_receive,"%Y-%m-%dT%H:%M:%S.%N")
| eval cutoff = if(population < 120, relative_time(now(), "-1d"), relative_time(now(), "-5d")) ``` use 120 to allow margin ```
| where _time > cutoff
|bin _time span=1h
|chart sum(count_activity) as count by _time DISTRICT

 

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...