12/13/2023

Splunk join with different sourcetype

If you have any experience with Splunk, you're probably familiar with the term sourcetype.

Maybe you feel that this is a repetitive question, but I didn't get a response, so I opened a new question.

I want to create a funnel report in Splunk; I need to join different data sources. I am getting output but it is not giving accurate results. I will give an example that will give no confusion.

I have 4 different indexes and sourcetypes with a unique pid in all sources, but all these sources are inter-related.

IVW log.

All these 4 types of logs are for one online survey.

For example, we will send one link to one person to do the survey. Once he clicks on the link, the first securityIIS log will be generated. If this person is eligible for the survey he will get a status of Accept, then the second Security log will be generated. More conditions are checked here and if still eligible he will get a status of Accept (if not, he will get a status of Reject, so he will be stopped and he can't move to the 3rd and 4th level). The third WebIIS log will be generated here, and will also have a status of Success (any web page level issues will generate HTTP errors like 500, 400 and he can't move to the 4th level). The fourth IVW log will be generated with the status of survey completed or Timed Out or Survey Stopped.

In each type of log we have some status for this pid. I want a funnel report which will have the status of the pid from all sources in one report. If the survey has 6 respondents and only 4 reached the 4th level, I want 6 respondents in my output with corresponding status.

I have individual searches for all these sources.

Search: index=iis sourcetype=iis host=ABC cs_method="GET" |stats values(Status) as Status_Tiis by _time host pid i_project
Output: _time host pid i_project Status_Tiis

Search: index=security sourcetype=security host=ABC |stats values(Status) as Status_T by _time host pid i_project
Output: _time host pid i_project Status_T

Search: index=iis sourcetype=iis host=xyz |stats values(sc_status) as IIS_Status by _time host pid i_project
Output: _time host pid i_project IIS_Status

Search: index=ibm sourcetype=ivw host=IJK |stats values(Status) as IVW_Status by _time host respID project_name

I am using the search below to merge the above outputs in one report. I am getting some results, but it's not giving all results:

index=iis sourcetype=iis host=ABC cs_method="GET" |eval mytime=strftime(_time, "%d%m%Y %H:%M:%S") |stats values(Status) as Status_Tiis by mytime pid i_project|table mytime i_project pid Status_Tiis|join type=outer ]|table mytime host i_project pid Status_Tiis Status_throttler Status_Wiis

I want an output like:

_time                pid  i_project  Status_Tiis  Status_T  IIS_Status  IVW_Status      Duration (Sec)
10-05-2016 01:05:25  A    khduei     Accept       Accept    Success     Completed       91
10-05-2016 01:10:45  B    khduei     Accept       Accept    Success     Completed       89
10-05-2016 06:15:35  A    neodue     Accept       Accept    Success     Survey stopped  147
10-05-2016 06:15:45  B    neodue     Accept       Reject                                1
10-05-2016 07:20:25  X    khduei     Accept       Accept    Success     Completed       1500

I need one more help for this data. In my data I have the same pids with the same project, but there is a time difference. Example: if I have Project=A pid=1 and time=24-06-2016 12:30:20, and the same project with the same pid but time=24-06-2016 12:30:25, then using the query I am getting a report like:

Project pid TIIS_status T_Status WebIIS_STatus IVW Status

Now using this query I am getting only one pid with min time. Like this, I have each project may have more than one shared pid with different times, but using the above query I am getting only the first pid with status, but I want the second shared pid (second one) to repeat in the next line with their respective status. I have used list instead of values to get all pids, but it is showing all pids in one row only, but I want to see it in different rows.
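The merge the post is after is easier to reason about outside Splunk first. The following Python is an added example, not code from the post or from Splunk: it models the four sources with the field names the post's searches use (pid/i_project for the IIS and security logs, respID/project_name for the IVW log), attaches every later-stage event to the most recent first-stage event for the same pid and project, and keeps a row for every run even when it stops at stage 1 or 2. It also covers the second problem in the post: a second first-stage event for the same pid starts a new row instead of being collapsed into the first one. The sample events, the SOURCE_MAP lookup and the ev() helper are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Funnel stages in order; each maps to one of the four searches in the post.
STAGES = ["Status_Tiis", "Status_T", "IIS_Status", "IVW_Status"]

# (index, sourcetype, host) of each search -> (report column, pid field,
# project field, status field). Field names follow the post: the IVW source
# uses respID/project_name, so a join on pid/i_project alone never matches it.
SEC_IIS = ("iis", "iis", "ABC")
SECURITY = ("security", "security", "ABC")
WEB_IIS = ("iis", "iis", "xyz")
IVW = ("ibm", "ivw", "IJK")
SOURCE_MAP = {
    SEC_IIS: ("Status_Tiis", "pid", "i_project", "Status"),
    SECURITY: ("Status_T", "pid", "i_project", "Status"),
    WEB_IIS: ("IIS_Status", "pid", "i_project", "sc_status"),
    IVW: ("IVW_Status", "respID", "project_name", "Status"),
}


def ts(text):
    """Parse the dd-mm-YYYY HH:MM:SS timestamps used in the post's sample output."""
    return datetime.strptime(text, "%d-%m-%Y %H:%M:%S")


def ev(src, when, pid, project, status):
    """Build one constructed event with the field names that source really uses."""
    index, sourcetype, host = src
    _, pid_field, proj_field, status_field = SOURCE_MAP[src]
    return {"index": index, "sourcetype": sourcetype, "host": host,
            "_time": ts(when), pid_field: pid, proj_field: project,
            status_field: status}


# Constructed sample events (not real log output), deliberately not in time order.
SAMPLE_EVENTS = [
    ev(SECURITY, "10-05-2016 01:10:46", "B", "khduei", "Reject"),   # rejected at stage 2
    ev(SEC_IIS, "10-05-2016 01:05:25", "A", "khduei", "Accept"),    # A: all four stages
    ev(SECURITY, "10-05-2016 01:05:40", "A", "khduei", "Accept"),
    ev(WEB_IIS, "10-05-2016 01:06:10", "A", "khduei", "Success"),
    ev(IVW, "10-05-2016 01:06:56", "A", "khduei", "Completed"),
    ev(SEC_IIS, "10-05-2016 01:10:45", "B", "khduei", "Accept"),
    ev(SEC_IIS, "10-05-2016 01:20:00", "A", "khduei", "Accept"),    # A again: second run
    ev(SECURITY, "10-05-2016 01:20:03", "A", "khduei", "Accept"),
    ev(SEC_IIS, "10-05-2016 06:15:35", "C", "neodue", "Accept"),    # C: stage 1 only
]


def funnel_report(events):
    """Merge all sources into one row per funnel run.

    A run starts at a first-stage (Status_Tiis) event; later-stage events for
    the same (pid, project) attach to the most recent run. Every run is kept,
    which is the outer-join behaviour the post asks for, and a second
    first-stage event for the same pid opens a new row.
    """
    runs_by_key = defaultdict(list)
    for e in sorted(events, key=lambda x: x["_time"]):
        column, pid_field, proj_field, status_field = SOURCE_MAP[
            (e["index"], e["sourcetype"], e["host"])]
        key = (e[pid_field], e[proj_field])
        runs = runs_by_key[key]
        if column == STAGES[0] or not runs:
            # New run; an orphan later-stage event also gets a row rather than being dropped.
            runs.append({"_time": e["_time"], "_end": e["_time"], "pid": key[0],
                         "i_project": key[1], **{s: "" for s in STAGES}})
        run = runs[-1]
        run[column] = e[status_field]
        run["_end"] = max(run["_end"], e["_time"])

    rows = []
    for runs in runs_by_key.values():
        for run in runs:
            run["Duration (Sec)"] = int((run.pop("_end") - run["_time"]).total_seconds())
            rows.append(run)
    rows.sort(key=lambda r: r["_time"])
    return rows


def render(rows):
    """Format rows as a tab-separated table in the layout shown in the post."""
    header = ["_time", "pid", "i_project", *STAGES, "Duration (Sec)"]
    lines = ["\t".join(header)]
    for r in rows:
        lines.append("\t".join([r["_time"].strftime("%d-%m-%Y %H:%M:%S"), r["pid"],
                                r["i_project"], *(r[s] for s in STAGES),
                                str(r["Duration (Sec)"])]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(funnel_report(SAMPLE_EVENTS)))
```

The same idea in Splunk is to put all four sources in one base search, normalise the field names (for example with coalesce on pid/respID and i_project/project_name and an eval that copies each source's status into its own column), and then aggregate with stats by pid and project, rather than chaining join subsearches: subsearch result limits are one common reason a join-based report silently loses rows.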