Solved: Eventtype or macros - Need Suggestion

himpor · ‎04-08-2017

Hi Everyone,

I need a suggestion to build the Splunk app or query .

The situation is

I had list of cities (lets say around 1800 odd cities) ( source type lets say india)
The cities are classified in multiple groups in separate CSV which will be used for lookup
- statewise (i.e. cities clubed according to region) around 28 files ( lets say punjab.csv which has list of all cities of punjab)
- region wise ( east, west, north , south etc.) i.e. list of cities clubbed together as region

I need to perform queries to identify patterns for statewise, regionwise which requires the filtering of larger set i.e. india data in smaller subset i.e. region or state

is it advisable to create the eventtype for each state like punjab, haryana etc. and north, south etc. or
use the macro to filter the events.

to achieve performance, or possibility of creating datamodels if required.

woodcock · ‎04-09-2017

Because the taxonomy never changes (or at least very rarely), I would use eventtypes with specific structure (prefixes or suffixes, e.g. *.Region, *.City, *.State, etc.). Then you can say things like:

eventtype=SouthWestRegion OR eventtype=NorthRegion | sum (population) BY eventtype | search eventtype="*State"

View solution in original post

woodcock · ‎04-09-2017

Because the taxonomy never changes (or at least very rarely), I would use eventtypes with specific structure (prefixes or suffixes, e.g. *.Region, *.City, *.State, etc.). Then you can say things like:

eventtype=SouthWestRegion OR eventtype=NorthRegion | sum (population) BY eventtype | search eventtype="*State"

woodcock · ‎04-10-2017

Actually, this same approach would probably best be done with tags.

himpor · ‎04-10-2017

yes , i agree tags will be better option.

As eventtypes can't be created with queries with pipes and subsearches.

himpor · ‎04-08-2017

Thanks.

the requirement is like this

I had details of city data which has following information

cityname
population
men
women
numberofschools
numberofengcollege
numberofmedicalcollege

details of state which has city data example like "state rajasthan" i.e. rajasthan.csv (There are around 28 different state)

cityname
area_in_sq_km
primary_occupation(tourism,agri etc.)

Details of region

region_name
statename
type_region (plain, hill etc.)

Now i need to analyse the city data and do some analysis to represent in the form of statewise or regionwise statistics.

please suggest is it advisable to create the eventtypes for state or pass details of cities as macro.

but eventtype cant be created with pipe and subsearch.

Requesting views how to best use available features

sduff_splunk · ‎04-08-2017

I suggest you create a lookup and use that to enrich your events, I don't see the additional need to create an eventtype or macro

Assuming your lookup looks like the following,

city_name, state, region

You can then do a search such as

stats count by region

or

stats values(city_name) by state

to find all the cities in a particular state.

Using different commands with stats should provide you additional information

Eventtype or macros - Need Suggestion

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life