Re: Search by values in field

nivethainspire_ · ‎12-09-2020

In the below table, I was to search by field "Core Content" where "Core Content" should take top 2 highest value.

Core Content	Count	Status	Flag
4268	2223	N	Red
4267	1794	N	Yellow
4266	305	Y	Yellow
4265	90	Y	Red
4268	19	Y	Green
4263	63	N	Green
4262	133	Y	Red
4261	34	N	Red
4260	26	N	Yellow
	4768

The output I expect is,

Core Content	Count	Status	Flag
4268	2223	N	Red
4267	1794	N	Yellow
4268	19	Y	Green

All other rows I have to take as Outdated.

nivethainspire_ · ‎12-15-2020

Basically I want to run the below query

Instead of explicitly hardcoding the values for "Core Content", I want them to take the top 2 values of "Core Content"

richgalloway · ‎12-15-2020

Try this query. The main difference is the use of single quotes. In Splunk, double quotes denote a string while single quote denote a field name.

index=s_cnn sourcetype=S_network Status="Reporting" Form!="VP" Form!="VI" Form="*" Group="*" Env="*" OS="*" Company="*" ("Core Content"="4283.0" OR "Core Content"="4286.0") 
| fillnull value="00" Com 
| fillnull value="" 
| sort 2 - 'Core Content'

---
If this reply helps you, Karma would be appreciated.

nivethainspire_ · ‎12-15-2020

Not working for me.

index=s_cnn sourcetype=S_network Status="Reporting" Form!="VP" Form!="VI" Form="*" Group="*" Env="*" OS="*" Company="*"
| fillnull value="00" Com 
| fillnull value="" |timechart span=1d count("Core Content") by "Core Content"|sort 2 - "Core Content"

Its not sorting, I get the below output,

_time	5276	5279	4280	4284	4285	5286	5287	OTHER
12/15/2020	26	20	26	91	28	1641	2681	149
12/16/2020	0	0	0	0	0	0	0	0

But I want to get as below,

_time	5286	5287
12/15/2020	1641	2681
12/16/2020	0	0

scelikok · ‎12-16-2020

@nivethainspire_, you can use below query,

| stats list(Count) as Count list(Status) as Status list(Flag) as Flag by "Core Content" 
| sort 2 - "Core Content"
| eval lines=mvzip(Count,Status), lines=mvzip(lines,Flag)
| mvexpand lines
| rex field=lines "(?<Count>[^,]+),(?<Status>[^,]+),(?<Flag>.*)"
| fields - lines
| sort - Count
| addcoltotals Count

If this reply helps you an upvote and "Accept as Solution" is appreciated.

richgalloway · ‎12-16-2020

It didn't work because you used a different query. timechart is a transforming command so you no longer have a "Core Content" field on which to sort.

I don't know how to achieve the results you desire. Sorry.

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎12-09-2020

Would you please clarify the requirements? How is the sample input transformed into the sample output?

The text says "top 2 highest" but the example shows 3 results.

When measuring "highest" which column is to be used? It is the raw values in that column or a sum based on some other field?

---
If this reply helps you, Karma would be appreciated.

nivethainspire_ · ‎12-10-2020

The Core Content has values ranging 4260 to 4268. I want show details of only top 2 Core Content that is 4268 and 4267. The core content updates often. Tomorrow it may take 4270.

So I want to query for a table where core content should search only top 2

richgalloway · ‎12-10-2020

Here's one way to do that.

your search
| sort 2 - Count

---
If this reply helps you, Karma would be appreciated.

Search by values in field

eval

fields

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!