Splunk Search

How to give threshold values dynamically in the search query

deepthi5
Path Finder

Hi Team,

I have got different sites separated according to tiers, with different threshold values, e.g.:

Mumbai - Tier 1
Cebu - Tier 2
Gurgaon - Tier 2
Hyderabad - Tier 3

Tier 1 threshold value = 70%
Tier 2 threshold value = 80%
Tier 3 threshold value = 90%

Right now I have a combo box from which I can select a tier, and my chart will display graphs for the sites in that tier.
But now I want to know how many sites' network consumption is exceeding a particular threshold. How can I change the threshold according to the tier selected?

Here is the search query where I want to change my threshold according to the tier selected in the combo box:

source="C:\Network Analysis\tier1\rusxwalmartedc S0-0-0.csv" OR source="C:\Network Analysis\tier1\rdinmumbai010-7-1 S2-0.csv" OR source="C:\Network Analysis\tier1\rdgbreddit010-1-2 Gig0-2.csv" OR source="C:\Network Analysis\tier2\rdingurgao010-5-1 f0-1.csv" OR source="C:\Network Analysis\tier3\rdinsecund010-5-2 Gig0-0.csv" OR source="C:\Network Analysis\tier2\rdphcebu010-5-1 f0-2-0.csv" host="SEZ00VVM-153" sourcetype="csv"
| rex field=source "(?<country>.*?)$"
| lookup datacentre.csv country OUTPUT receivebandwidth sitename tier
| search tier=tier1
| eval Intraffic=IN/1048576
| eval Outtraffic=Out/1048576
| eval result=Intraffic+Outtraffic
| eval seventyperc=receivebandwidth*0.7
| eval eightyperc=receivebandwidth*0.8
| eval nightyperc=receivebandwidth*0.9
| where result>seventyperc
| stats values(result) AS Inout, values(seventyperc) AS "70%", values(eightyperc) AS "80%", values(nightyperc) AS "90%", values(receivebandwidth) AS "100%", count AS nc BY sitename _time
| bin _time span=1d
| stats sum(nc) AS NOC BY sitename _time
| eval NOH=NOC*5/60
| timechart span=1d values(NOH) AS total BY sitename


woodcock
Esteemed Legend

Add a case statement like this:

... | eval thresholdValue=case(tier="tier1", 70, tier="tier2", 80 , tier="tier3", 90, true(), 0) | ...

So it would be like this:

source="C:\Network Analysis\tier1\rusxwalmartedc S0-0-0.csv" OR source="C:\Network Analysis\tier1\rdinmumbai010-7-1 S2-0.csv" OR source="C:\Network Analysis\tier1\rdgbreddit010-1-2 Gig0-2.csv" OR source="C:\Network Analysis\tier2\rdingurgao010-5-1 f0-1.csv" OR source="C:\Network Analysis\tier3\rdinsecund010-5-2 Gig0-0.csv" OR source="C:\Network Analysis\tier2\rdphcebu010-5-1 f0-2-0.csv" host="SEZ00VVM-153" sourcetype="csv"
| rex field=source "(?<country>.*?)$"
| lookup datacentre.csv country OUTPUT receivebandwidth sitename tier
| search tier=tier1
| eval Intraffic=IN/1048576
| eval Outtraffic=Out/1048576
| eval result=Intraffic+Outtraffic
| eval seventyperc=receivebandwidth*0.7
| eval eightyperc=receivebandwidth*0.8
| eval nightyperc=receivebandwidth*0.9
| eval thresholdValue=case(tier="tier1", 70, tier="tier2", 80, tier="tier3", 90, true(), 0)
| where result>thresholdValue
| stats values(result) AS Inout, values(seventyperc) AS "70%", values(eightyperc) AS "80%", values(nightyperc) AS "90%", values(receivebandwidth) AS "100%", count AS nc BY sitename _time
| bin _time span=1d
| stats sum(nc) AS NOC BY sitename _time
| eval NOH=NOC*5/60
| timechart span=1d values(NOH) AS total BY sitename

deepthi5
Path Finder

that worked thank u so much ...


gcato
Contributor

Hi deepthi5,

I believe what you're looking for is the ability to define new tokens based on the conditional input choices. The Splunk documentation has a good example here:

http://docs.splunk.com/Documentation/Splunk/6.2.5/Viz/PanelreferenceforSimplifiedXML#condition_.28in...

Here's a run-anywhere example as well...

<form>
  <label>Language</label>
  <fieldset submitButton="false">
    <input type="radio" token="myChoice" searchWhenChanged="true">
      <label>Language Choice</label>
      <choice value="lang1">English</choice>
      <choice value="lang2">Spanish</choice>
      <choice value="lang3">French</choice>
      <change>
        <condition label="English">
          <set token="myConditionalChoice">"Hello, world"</set>
          <set token="mylang">English</set>
        </condition>
        <condition label="Spanish">
          <set token="myConditionalChoice">"Hola mundo"</set>
          <set token="mylang">Espagnol</set>
        </condition>
        <condition value="lang3">
          <set token="myConditionalChoice">"Bonjour le monde"</set>
          <set token="mylang">Français</set>
        </condition>
      </change>
      <default>lang1</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>
          | stats count |eval greeting=$myConditionalChoice|s$ | eval out = "$mylang$" . ": " . greeting | fields out
          </query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>

Hopefully, you'll be able to use this example to modify your search form to match your needs.
