Splunk Search

help me with Real time search for my usecase

sravankaripe
Communicator

I am trying to run a real-time search (20-minute window) for the query below, where I can see only one result (i.e., the count belonging to abc.com).

For the remaining two, pqr and xyz, I can't see results in real time, but for relative time I can see results for all of them.
Please help me fix this.

index=abc
| timechart span=1m count as "abc.com"
| appendcols [search index=pqr
| timechart span=1m count as "pqr.com"]
| appendcols [search index=xyz
| timechart span=1m count as "xyz.com"]


gcusello
SplunkTrust
SplunkTrust

Hi sravankaripe,
Why don't you run something like this (surely faster!):

index=abc OR index=pqr OR index=xyz
| timechart span=1m count by index
| rename abc AS "abc.com", pqr AS "pqr.com", xyz AS "xyz.com"

Bye.
Giuseppe



sravankaripe
Communicator

The query I posted is a sample query, but my real query has dedup, transaction and some rex commands.

I cannot use the above query for my use case.

gcusello
SplunkTrust
SplunkTrust

Ok, try something like this:
index=abc | all your elaborations.....
| append [search index=pqr | all your elaborations.....]
| append [search index=xyz | all your elaborations.....]
| timechart span=1m count by index
| rename abc AS "abc.com", pqr AS "pqr.com", xyz AS "xyz.com"

Bye.
Giuseppe

niketn
Legend

@sravankaripe @cusello...

The append command will not give correct results for real-time searches. Maybe you are seeing something similar for appendcols.

Further, transaction will not work once you have used append. Refer to the Splunk documentation below:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Join#Alternative_commands

So, in order for us to assist you, you would need to provide more details of your query, and also explain why it has to run in real time and cannot run in historical time with a refresh every 20 minutes.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

DMohn
Motivator

I am assuming you want to have a real-time count for all three indexes? This can be achieved with this query:

index=abc OR index=pqr OR index=xyz | timechart span=1m count by index | rename abc as "abc.com" pqr as "pqr.com" xyz as "xyz.com"

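Combining niketn's point (no append or appendcols inside a real-time search, and transaction has to run before any append) with DMohn's rename, the following is an added example rather than a query from this thread: one search over all three indexes, the per-event work done before timechart, and fillnull so that an index with no events in the window still shows a 0 column instead of disappearing. The rex pattern (a "session=<id>" token), the session_id field name and the maxspan value are assumptions standing in for the real dedup/rex/transaction steps; earliest=rt-20m latest=rt is the same as picking the 20-minute real-time window.

```spl
index=abc OR index=pqr OR index=xyz earliest=rt-20m latest=rt
| rex field=_raw "session=(?<session_id>\S+)"
| transaction index session_id maxspan=5m
| timechart span=1m count by index
| fillnull value=0 abc pqr xyz
| rename abc AS "abc.com", pqr AS "pqr.com", xyz AS "xyz.com"
```

Listing index among the transaction fields keeps sessions from different indexes in separate transactions, so each transaction carries a single index value for the timechart split.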