Hi Everyone,
I need a suggestion on how to build the Splunk app or query.
The situation is
I need to perform queries to identify patterns state-wise and region-wise, which requires filtering a larger set (i.e. India data) into a smaller subset (i.e. region or state).
Is it advisable to create an eventtype for each state (like Punjab, Haryana, etc.) and region (North, South, etc.), or
to use a macro to filter the events,
to achieve performance? Or is there the possibility of creating data models if required?
Because the taxonomy never changes (or at least very rarely), I would use eventtypes
with a specific structure (prefixes or suffixes, e.g. *.Region, *.City, *.State, etc.). Then you can say things like:
eventtype=SouthWestRegion OR eventtype=NorthRegion | stats sum(population) BY eventtype | search eventtype="*State"
Actually, this same approach would probably best be done with tags.
Yes, I agree tags will be the better option,
as eventtypes can't be created with queries with pipes and subsearches.
Thanks.
The requirement is like this:
Now I need to analyse the city data and do some analysis to represent it in the form of state-wise or region-wise statistics.
Please suggest: is it advisable to create the eventtypes for state, or to pass the details of cities as a macro?
But eventtypes can't be created with pipes and subsearches.
Requesting views on how to best use the available features.
I suggest you create a lookup and use that to enrich your events; I don't see the additional need to create an eventtype or macro.
Assuming your lookup looks like the following,
city_name, state, region
You can then do a search such as
stats count by region
or
stats values(city_name) by state
to find all the cities in a particular state.
Using different commands with stats should provide you with additional information.
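As an added illustration of the lookup approach (not code from this thread or from Splunk), the script below lays out a minimal Splunk app whose CSV lookup enriches each event's city_name with state and region, so the searches above work without eventtypes or macros. The app name, the sourcetype india_city_data, the field names and the sample cities are assumptions.

```shell
#!/bin/sh
# Added example: build a minimal Splunk app directory with a city -> state/region
# lookup wired up as an automatic lookup. All names here are assumed.
set -eu

make_city_lookup_app() {
  app_dir="$1"
  mkdir -p "$app_dir/lookups" "$app_dir/local"

  # Constructed sample lookup table: one row per city. Replace with real data.
  cat > "$app_dir/lookups/city_to_region.csv" <<'EOF'
city_name,state,region
Ludhiana,Punjab,North
Amritsar,Punjab,North
Gurugram,Haryana,North
Chennai,Tamil Nadu,South
Bengaluru,Karnataka,South
EOF

  # Lookup definition: lookup name -> CSV file. case_sensitive_match=false so
  # "chennai" in an event still matches "Chennai" in the table.
  cat > "$app_dir/local/transforms.conf" <<'EOF'
[city_to_region]
filename = city_to_region.csv
case_sensitive_match = false
EOF

  # Automatic lookup on the (assumed) sourcetype that carries city_name: Splunk
  # adds state and region at search time, so a search can simply run
  #   sourcetype=india_city_data | stats count by region
  # or stats values(city_name) by state, as in the answer above.
  cat > "$app_dir/local/props.conf" <<'EOF'
[india_city_data]
LOOKUP-city_to_region = city_to_region city_name OUTPUT state region
EOF
}

# Number of distinct regions in the lookup (header excluded): a quick sanity
# check that the table covers the taxonomy you expect before deploying it.
count_regions() {
  tail -n +2 "$1/lookups/city_to_region.csv" | cut -d, -f3 | sort -u | wc -l | tr -d ' '
}
```

Deploy the directory under $SPLUNK_HOME/etc/apps and reload the app (or restart Splunk) before the automatic lookup takes effect.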