Solved: Splunk report is required by month from look up ta...

splunker9999 · ‎08-10-2016

Hi ,

We need to set up a splunk report by last month(Jul) for our applications from a lookup file.

We have "month" available in fields :

Our lookup file looks like below:

|inputlookup availability.csv|table Product  jan Feb Mar Apr May Jun Jul Aug

data looks like below for every month:

Product         Jan       Feb       Mar 
.Net       0.998655914       1       1  
idndm                1         1         1

Thanks

somesoni2 · ‎08-10-2016

If you're just looking for a report to display Product for last month, give this a try

|inputlookup availability.csv|table Product [| gentimes start=-1 | eval search=strftime(relative_time(now(),"-1mon@mon"),"%b") | table search]

View solution in original post

gcusello · ‎08-11-2016

I had a similar problem and I solved it loading data in a separate index instead a lookup table.
Bye.
Giuseppe

somesoni2 · ‎08-10-2016

If you're just looking for a report to display Product for last month, give this a try

|inputlookup availability.csv|table Product [| gentimes start=-1 | eval search=strftime(relative_time(now(),"-1mon@mon"),"%b") | table search]

splunker9999 · ‎08-10-2016

This is working good for last month,

Is there a way we can apply this for below scenario?

I have a time picker available as token , if I select avg for last 30 days form time picker, need to get results for last 30 days ,similarly based on Time picker(defaults to month),if we select time picker as 15 mins(it should give value of current month)

sundareshr · ‎08-10-2016

Try with this updated query

inputlookup availability.csv|table Product [| gentimes start=-1 | eval selTime=if(isnum("$timepicker.latest$"), $timepicker.latest$, relative_time(now(), "$timepicker.latest$")) | eval search=strftime(selTime,"%b") | table search]

somesoni2 · ‎08-10-2016

Your requirements are not very clear. Could you please provide a table of what fields to show from your lookup with corresponding time range values??
e.g.
Time range value Fields to Show
Last 15 min Show current month
Last 30 days Show current month and last month

splunker9999 · ‎08-16-2016

Hi,

I am using single panel chart to display availability.

Let suppose, If I select any date during July( it should disply july month availability), similarly If we select any date in the month of march( it should display march availability detials).

Thanks

somesoni2 · ‎08-16-2016

In that case, try like this to select the field/month based on time range picker value.(shows data for current month for the selected earliest time range value)

|inputlookup availability.csv|table Product [| gentimes start=-1 | addinfo | eval search=strftime(relative_time(info_min_time,"@mon"),"%b") | table search]

somesoni2 · ‎08-16-2016

Try this

|inputlookup availability.csv|table Product [| gentimes start=-1 | addinfo | eval search=strftime(relative_time(info_min_time,"@mon"),"%b") | table search]
| untable Product Month Value | stats avg(Value) as Value

splunker9999 · ‎08-16-2016

Is there a way, we could get average of search?

tried stats avg(search) ,but not working?

sundareshr · ‎08-10-2016

How do you want the report to look?

splunker9999 · ‎08-10-2016

I am expecting my report to be my month,

I have a time picker available as token , if I select avg for last 30 days form time picker, need to get results for last 30 days ,similarly based on Time picker(defaults to month),if we select time picker as 15 mins(it should give value of current month)

Splunk report is required by month from look up table

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life