Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Join 3 Queries into one for usage in Dashboard

kishorksudha
Explorer
‎01-31-2015 02:08 AM

I am getting the feeds from Database into Splunk every 15 minutes; using 3 Queries to get the desired results; can you please help me to combine all these three into a single query
Step 1: Find all the Unique IDS (PAY_TXN_ID)
index=foo source="dbmon-tail://Dev/test-DEV" | dedup PAY_TXN_ID | table PAY_TXN_ID
Step2: For each of the Unique IDS obtained from previous query; get the latest Time stamp (AUDIT_TIME)
index=foo source="dbmon-tail://Dev/test-DEV" | search PAY_TXN_ID="3225958" | table AUDIT_TIME | sort -AUDIT_TIME | head 1
Step3: For each of the Unique IDS PAY_TXN_ID (step1)and the latest Time Stamp for that ID(step 2) get all the required details - Desired Results
index=foo source="dbmon-tail://Dev/test-DEV" | search PAY_TXN_ID="3225958" | search AUDIT_TIME="1345618062.375" | table PAY_TXN_ID, SOURCE, STATUS, DEBIT_CCY, DEBIT_AMNT, REMIT_CCY, REMIT_AMNT

Can someone help me to convert these three queries into a single one.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎01-31-2015 02:59 PM

Try this:

index=foo source="dbmon-tail://Dev/test-DEV" | eventstats max(AUDIT_TIME) as max_audit_time by PAY_TXN_ID | where AUDIT_TIME = max_audit_time | table PAY_TXN_ID, SOURCE, STATUS, DEBIT_CCY, DEBIT_AMNT, REMIT_CCY, REMIT_AMNT

NB: I have assumed that AUDIT_TIME values are unique per PAY_TXN_ID. If that's not the case you will get all events with the latest AUDIT_TIME for one PAY_TXN_ID.

View solution in original post

Reply
Solved! Jump to solution

kishorksudha
Explorer
‎01-31-2015 08:14 PM

Thank you very much Martin; it was very helpful.
your assumption was right; AUDIT_TIME values are unique per PAY_TXN_ID.
AUDIT_TIME is the rising_column when the datas are being pulled from the Database.

Thanks
Kishor

0 Karma
Reply
Solved! Jump to solution

echalex
Builder
‎02-01-2015 03:30 AM

Hi kishorksudha. If Martin's answer was helpful, I suggest you click on "accept answer" and possibly vote up the answer as well. Furthermore, the preferred way of replying would be to comment on the answer, rather than posting a new answer.

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎01-31-2015 02:59 PM

Try this:

index=foo source="dbmon-tail://Dev/test-DEV" | eventstats max(AUDIT_TIME) as max_audit_time by PAY_TXN_ID | where AUDIT_TIME = max_audit_time | table PAY_TXN_ID, SOURCE, STATUS, DEBIT_CCY, DEBIT_AMNT, REMIT_CCY, REMIT_AMNT

NB: I have assumed that AUDIT_TIME values are unique per PAY_TXN_ID. If that's not the case you will get all events with the latest AUDIT_TIME for one PAY_TXN_ID.

Reply
Solved! Jump to solution

kishorksudha
Explorer
‎02-12-2015 06:16 PM

Thanks Martin
It was very helpful and the assumption was right.

Kishor

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...