Splunkers!
Need your help again...
I need to plot the result of a standard events search into a static chart template, basically all the applications belonging to a specific domain vs Weeks in the observation period, see example below
App1
App2
The event search provides me only a subset of the combinations I finally have to plot in a table (all the empty combinations will be set to 1).
How can I do it?
My first idea was to append to the events the whole list of AppIDs and time ranges I need to plot, but:
1- I'm not able to do it (just leverage the append function?)
2- It seems to me not a very clever idea...
Any help will be really appreciated,
tks in advance!
Hi CarmineCalo,
Could you share some additional information?
Bye.
Giuseppe
Ciao Giuseppe, Apps are around 4k.
They evolve over time, but I assume to manage their domain through a lookup (they can be considered static during the search).
The final plot of the search will look something like this one (I need to evaluate App unavailability time)
| stats sum(incident_unavailability) as Unavailability by dateweek_year, AppID
Currently this search works pretty fine, but it reports only dateweek_year and AppIDs that are part of the events (e.g. only ~2k AppIDs vs 4k total), and in general I'd like to have the full picture also when selecting different time ranges (at least for AppIDs, while dateweek_year should be limited to the time range selected)
I want the final stats to include the full domain of AppIDs and dateweek_year that I need to monitor.
Tks!
Carmine
Ciao Carmine,
If you have a full list of dateweek_year, AppID, you can build a lookup (e.g. my_lookup.csv) with all these values and then use a search like this:
your_main_search
| stats sum(incident_unavailability) as Unavailability by dateweek_year AppID
| append [ | inputlookup my_lookup.csv | eval Unavailability=0 | fields dateweek_year AppID Unavailability ]
| stats sum(Unavailability) as Unavailability by dateweek_year AppID
In this way Unavailability=0 means that you have no events.
Afterwards you can filter your results to show all the results or only errors; you can also display results in graphic mode (use Splunk 7.x Dashboard Examples App).
Bye.
Giuseppe
Almost correct.
One more issue: the domains for AppIDs and dateweek_year are in two different files.
How do I have to modify the append?
Last resort will be to create, manually, the permutation b/w AppIDs and dateweek_year and generate a new lookup table.
Tks in advance!
Carmine
Hi Carmine,
Let me understand: you have AppIDs and timerange in two tables and you want all the possible combinations between them, is that correct?
The easiest way is to create a scheduled search to create your lookup and then use the above search.
Bye.
Giuseppe
Correct, AppIDs and Timerange are in two different tables.
How can I combine the two domains?
I've no clue about the function to be called...
Tks!
Carmine
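One way to build the combined lookup discussed in this thread, as an added example that is not part of the original posts: a search, suitable for scheduling, that cross-joins the two domain tables on a constant key and writes every dateweek_year/AppID pair to my_lookup.csv. The file names example_app_ids.csv and example_weeks.csv and the helper field joiner are assumptions; substitute the two lookups that actually hold the AppIDs and the weeks.

```spl
| inputlookup example_app_ids.csv
| fields AppID
| dedup AppID
| eval joiner=1
| join max=0 joiner
    [ | inputlookup example_weeks.csv
      | fields dateweek_year
      | dedup dateweek_year
      | eval joiner=1 ]
| fields dateweek_year AppID
| outputlookup my_lookup.csv
```

The weeks table sits in the join subsearch because it is the smaller of the two and stays well inside subsearch row limits, while max=0 lets each AppID match every week. With about 4k AppIDs the resulting lookup can exceed the default 50,000-row limit of an append subsearch, so when reading it back, `| inputlookup append=true my_lookup.csv` followed by `| fillnull value=0 Unavailability` avoids silent truncation.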