Splunk Search

Need help with conditions

kavekon
New Member

I have a DB query that returns data as below.
Now I want:
1. to get a search result in which all the rows where rank < 11 appear
2. once I get the data, to show a chart of concurrent program execution time over all the weeks, each concurrent program in one chart
3. another chart of the top 10 ConcurrentProgramName on the x axis and ETIME on the y axis, per week

WEEK rank ConcurrentProgramName ETIME
1-Oct 2 Move Order Pick Slip 86379
1-Oct 3 Planning Manager 86360
4-Sep 4 Report Set 86347
2-Oct 5 Planning Manager 863394
4-Sep 6 Planning Manager 86316
3-Oct 7 Planning Manager 86294
3-Oct 8 Planning Manager 86247
1-Oct 19 Timesheet Data Transfer to EE Form 70084

Please help me get the conditions ASAP.

|dbquery "select WEEK,rank,ConcurrentProgramName,Etime from conTab"

0 Karma

Ayn
Legend

I just want to point out that trying to command the community to do things for you is rather rude. Splunkbase users do not get paid for contributing, so any help you get is because someone is kind enough to take their time to provide it. Please have that in mind when writing a question.

MuS
SplunkTrust

Hi kavekon,

let me try to help you, but you almost answered the question yourself...

  1. To get a search result in which all the rows where rank < 11 appear, append the following to your search:
    ... | where rank < 11
  2. To show a chart of concurrent program execution time over all the weeks, each concurrent program in one chart, append the following to your search:
    ... | chart values(ETIME) over WEEK by ConcurrentProgramName
    If this fails because of the WEEK field, use instead
    ... | timechart span=1w values(ETIME) by ConcurrentProgramName
  3. For another chart of the top 10 ConcurrentProgramName on the x axis and ETIME on the y axis per week, use this search (top returns by default the top 10 of the provided field) and modify the report to match your request:
    ... | top ConcurrentProgramName | chart values(ETIME) values(ConcurrentProgramName)

hope this helps to get you started...

cheers, MuS

MuS
SplunkTrust

Hi kavekon, as I wrote, my examples will get you started. Since I don't have your data available nor know what exactly you want to achieve, this is simply trial and error. But ... | timechart span=1w values(ETIME) by ConcurrentProgramName will for sure work, and if you need values for WEEK in the 3rd example, simply add values(WEEK) to the search.

0 Karma

kavekon
New Member

Hi MuS

I have tried as suggested; however, neither of the two answers gave me the required results. Please help.

2. ... | timechart values(ETIME) over WEEK by ConcurrentProgramName or ... | timechart span=1w values(ETIME) by ConcurrentProgramName

getting the error:
Error in 'timechart' command: The specifier 'over' is invalid.It must be in form (). For example: max(size).
The search job has failed due to an error. You may be able view the job in the Job Inspector.

3. ... | top ConcurrentProgramName | chart values(ETIME) values(ConcurrentProgramName)
does not return the values per week

0 Karma
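An added worked search for the two failures reported in the post above (this is an example assembled for this edit, not a search posted in the thread or shipped with Splunk). The "specifier 'over' is invalid" error is produced by timechart, which has no over clause; the first suggestion in the thread used chart, which does. timechart additionally needs a _time field, and rows coming back from dbquery have none unless one is derived from WEEK. The search below assumes the database returns the column as ETIME exactly as the sample table shows (SPL field names are case-sensitive, so a column named Etime would have to be renamed first), and that all WEEK values fall in one calendar year; the year 2015 appended in the eval is a placeholder for that assumption and should be replaced with the real one. The per-week top 10 is built with stats and streamstats rather than top, because top ranks across the whole result set instead of within each week.

```spl
| dbquery "select WEEK,rank,ConcurrentProgramName,Etime from conTab"
| where rank < 11
| eval _time = strptime(WEEK . "-2015", "%d-%b-%Y")
| eval WEEK = strftime(_time, "%Y-%m-%d")
| stats sum(ETIME) as ETIME by WEEK ConcurrentProgramName
| sort 0 WEEK -ETIME
| streamstats count as weekRank by WEEK
| where weekRank <= 10
| chart limit=0 max(ETIME) over WEEK by ConcurrentProgramName
```

Rewriting WEEK as an ISO date (YYYY-MM-DD) makes the lexical order that sort and chart apply to the over field identical to chronological order, which the original labels such as 4-Sep and 1-Oct do not give. The streamstats counter restarts for each WEEK value, so the following where keeps the ten longest-running programs of every week, which is the per-week result the third question asks for; dropping the sort, streamstats and where lines yields the all-programs chart of the second question. With _time present, the timechart span=1w variant from the thread also runs, but it buckets by calendar week, so labels that are only a day apart in the sample data (1-Oct, 2-Oct, 3-Oct) would be merged into one column.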