Hello,
I have got an urgent requirement, please help me.
I have different countries' data pulled and indexed into Splunk daily,
e.g. Australia.csv, Budapest.csv, germany.csv etc., for which I am generating 95th percentile values.
Now the requirement is that I should be able to generate the 95th percentile only from Monday to Friday and only in the working hours of that particular country, which seems to be difficult.
Right now I have got an idea using the following query:
source="C:\germany.csv" host="SEZ00VVM-153" sourcetype="csv" date_wday!=saturday AND date_wday!=sunday date_hour>=9 date_hour<= 17 | eval Intraffic=IN/1048576 |timechart span=1h perc95(Intraffic) AS 95thPercentile
But when multiple files are being indexed, how should I tell Splunk that the working hours of Germany are 9 to 5 and of Budapest 10 to 4, etc.?
Thanks,
Deepthi
You could create a lookup file that contains country name and working hours. For example, the file might contain
Country, start_hour, end_hour
germany, 9, 17
budapest, 10, 16
Then your query becomes
source="C:\germany.csv" host="SEZ00VVM-153" sourcetype="csv" date_wday!=saturday AND date_wday!=sunday | lookup Country OUTPUT start_hour end_hour | where date_hour>=start_hour AND date_hour<= end_hour | eval Intraffic=IN/1048576 |timechart span=1h perc95(Intraffic) AS 95thPercentile
Hey,
thanks for the answer, but that is not working. Should I specify germany in the place of Country, or does it pick it up automatically?
You will need to populate a field called 'Country' with the name of the country in question. Or you could replace 'Country' with another field from your query that contains the country name.
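The lookup approach from this thread written as one search over all country files, added here as an example and not code from any poster. It assumes a lookup definition named working_hours (a hypothetical name) over the CSV shown above, and it derives Country from the file name in source, which is one way to populate the field the last reply asks for.

```spl
source="C:\\*.csv" host="SEZ00VVM-153" sourcetype="csv" date_wday!=saturday date_wday!=sunday
| rex field=source "(?<Country>[^\\\\]+)\.csv$"
| eval Country=lower(trim(Country))
| lookup working_hours Country OUTPUT start_hour end_hour
| where date_hour>=tonumber(start_hour) AND date_hour<=tonumber(end_hour)
| eval Intraffic=IN/1048576
| timechart span=1h perc95(Intraffic) AS 95thPercentile BY Country
```

The lookup CSV should have no spaces after the commas in its header or rows, otherwise the field names and values will not match. Events from a country with no row in the lookup have null start_hour and end_hour and are dropped by the where clause.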