Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to retrieve the events based on the selected values from the Statistics table

rajeswariramar
New Member
‎01-04-2018 10:23 PM

Hey,

I am trying to retrieve the events based on the selected values from the Statistics table

IBD TOTAL SUCCESS FALED MAXRESPONSE MINRESPONSE AVGRESPONSE
IBD1 1149 1149 0 19432 693 1772.423847

IBD2 250 230 20 16532 18 2382.612000
IBD3 161 161 0 13801 741 1950.329193
IBD4 129 128 1 7395 45 2132.674419

IBD5 113 113 0 6324 825 1728.646018

index=* sourcetype=VM_STATS  |  stats count as TOTAL, count(eval(Status="SUCCESS")) as SUCCESS, count(eval(Status!="SUCCESS")) as FALED , max(TimeTaken) as MAXRESPONSE, MIN(TimeTaken) as MINRESPONSE, avg(TimeTaken) as AVGRESPONSE by IBD | sort 10 -SUCCESS

For Example if I select the MinResponse Value for the IBD1, it should return that particular event alone instead of returns all the Events listed under IBD1.

Is it possible to retrieve the events based on the selected values.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎01-05-2018 12:01 AM

Hi @rajeswariramar,

In your you can achieve your requirement by adding cell level drilldown in table view.
Add below drilldown code in your table view.

Can you please try below code?

<table>
    <search>
        <query>index=* sourcetype=VM_STATS  |  stats count as TOTAL, count(eval(Status="SUCCESS")) as SUCCESS, count(eval(Status!="SUCCESS")) as FALED , max(TimeTaken) as MAXRESPONSE, MIN(TimeTaken) as MINRESPONSE, avg(TimeTaken) as AVGRESPONSE by IBD | sort 10 -SUCCESS</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
    <sampleRatio>1</sampleRatio>
    </search>
    <option name="count">20</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="percentagesRow">false</option>
    <option name="rowNumbers">false</option>
    <option name="totalsRow">false</option>
    <option name="wrap">true</option>
    <drilldown>
        <condition field="IBD">
            <link target="_blank">search?q=index=* sourcetype=VM_STATS IBD="$row.IBD$" &amp;earliest=-24h@h&amp;latest=now</link>  
        </condition>
        <condition field="TOTAL">
            <link target="_blank">search?q=index=* sourcetype=VM_STATS IBD="$row.IBD$" &amp;earliest=-24h@h&amp;latest=now</link>  
        </condition>
        <condition field="SUCCESS">
            <link target="_blank">search?q=index=* sourcetype=VM_STATS IBD="$row.IBD$" Status="SUCCESS" &amp;earliest=-24h@h&amp;latest=now</link>  
        </condition>
        <condition field="FALED">
            <link target="_blank">search?q=index=* sourcetype=VM_STATS IBD="$row.IBD$" Status!="SUCCESS" &amp;earliest=-24h@h&amp;latest=now</link>  
        </condition>
        <condition field="MAXRESPONSE">
            <link target="_blank">search?q=index=* sourcetype=VM_STATS IBD="$row.IBD$" TimeTaken=* &amp;earliest=-24h@h&amp;latest=now</link>  
        </condition>
        <condition field="MINRESPONSE">
            <link target="_blank">search?q=index=* sourcetype=VM_STATS IBD="$row.IBD$" TimeTaken=* &amp;earliest=-24h@h&amp;latest=now</link>  
        </condition>
        <condition field="AVGRESPONSE">
            <link target="_blank">search?q=index=* sourcetype=VM_STATS IBD="$row.IBD$" TimeTaken=* &amp;earliest=-24h@h&amp;latest=now</link>  
        </condition>
    </drilldown>
</table>

Note: I have hard coded last 24 hrs in timestamp. So replace it with your token.

Thanks
Kamlesh

View solution in original post

0 Karma
Reply
Solved! Jump to solution

mayurr98
Super Champion
‎01-05-2018 12:07 AM

hey you can achieve this by drill-down method!

Copy this XML into a new dashboard and see if you get the desired results!

<form>
  <label>test</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=* sourcetype=VM_STATS  |  stats count as TOTAL, count(eval(Status="SUCCESS")) as SUCCESS, count(eval(Status!="SUCCESS")) as FALED , max(TimeTaken) as MAXRESPONSE, MIN(TimeTaken) as MINRESPONSE, avg(TimeTaken) as AVGRESPONSE by IBD | sort 10 -SUCCESS</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <set token="IBD">$row.IBD$</set>
          <set token="TimeTaken">$row.MINRESPONSE$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>index=* sourcetype=VM_STATS IBD=$IBD$ TimeTaken=$TimeTaken$</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

Let me know if this helps you!

0 Karma
Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎01-05-2018 12:01 AM

Hi @rajeswariramar,

In your you can achieve your requirement by adding cell level drilldown in table view.
Add below drilldown code in your table view.

Can you please try below code?

<table>
    <search>
        <query>index=* sourcetype=VM_STATS  |  stats count as TOTAL, count(eval(Status="SUCCESS")) as SUCCESS, count(eval(Status!="SUCCESS")) as FALED , max(TimeTaken) as MAXRESPONSE, MIN(TimeTaken) as MINRESPONSE, avg(TimeTaken) as AVGRESPONSE by IBD | sort 10 -SUCCESS</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
    <sampleRatio>1</sampleRatio>
    </search>
    <option name="count">20</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="percentagesRow">false</option>
    <option name="rowNumbers">false</option>
    <option name="totalsRow">false</option>
    <option name="wrap">true</option>
    <drilldown>
        <condition field="IBD">
            <link target="_blank">search?q=index=* sourcetype=VM_STATS IBD="$row.IBD$" &amp;earliest=-24h@h&amp;latest=now</link>  
        </condition>
        <condition field="TOTAL">
            <link target="_blank">search?q=index=* sourcetype=VM_STATS IBD="$row.IBD$" &amp;earliest=-24h@h&amp;latest=now</link>  
        </condition>
        <condition field="SUCCESS">
            <link target="_blank">search?q=index=* sourcetype=VM_STATS IBD="$row.IBD$" Status="SUCCESS" &amp;earliest=-24h@h&amp;latest=now</link>  
        </condition>
        <condition field="FALED">
            <link target="_blank">search?q=index=* sourcetype=VM_STATS IBD="$row.IBD$" Status!="SUCCESS" &amp;earliest=-24h@h&amp;latest=now</link>  
        </condition>
        <condition field="MAXRESPONSE">
            <link target="_blank">search?q=index=* sourcetype=VM_STATS IBD="$row.IBD$" TimeTaken=* &amp;earliest=-24h@h&amp;latest=now</link>  
        </condition>
        <condition field="MINRESPONSE">
            <link target="_blank">search?q=index=* sourcetype=VM_STATS IBD="$row.IBD$" TimeTaken=* &amp;earliest=-24h@h&amp;latest=now</link>  
        </condition>
        <condition field="AVGRESPONSE">
            <link target="_blank">search?q=index=* sourcetype=VM_STATS IBD="$row.IBD$" TimeTaken=* &amp;earliest=-24h@h&amp;latest=now</link>  
        </condition>
    </drilldown>
</table>

Note: I have hard coded last 24 hrs in timestamp. So replace it with your token.

Thanks
Kamlesh

0 Karma
Reply
Solved! Jump to solution

rajeswariramar
New Member
‎01-05-2018 02:20 AM

Thank u.. its working now ..

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎01-05-2018 03:36 AM

Glad to help you.

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...