Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to do postprocessing without a join?

Mohsin123
Path Finder
‎07-28-2018 03:50 AM

index=abc caller-id IN ("8179f4c86", "926bbcf8957a") component=Chatbot 

| join transaction id 
    [ search index=pqr component=$MSComp$
    logpoint=response-out (status="ok" OR status="error" OR status="failure" OR status="timeout")] 
| timechart span=$span$ count(eval(status="ok")) as Success count(eval(status="error")) as Error ,count(status) as total 
| eval Success=round((Success/total)*100,2) 
| eval Error=round((Error/total)*100,2) 
| eval failure=100-(Success+Error) 
| fields _time, failure ,Error,Success

I have lots of panels where this join is made.
Please help me with postprocessing without a join. 

condition is : transaction -ids for the caller-ids in abc index is ame as  transaction-ids in index pqr
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-28-2018 07:34 AM

Hi shraddhamuduli
sometimes you can replace join or transaction with stats command, try something like this:

(index=abc (caller-id="8179f4c86" OR caller-id="926bbcf8957a") component=Chatbot)
OR (index=pqr component=$MSComp$ logpoint=response-out (status="ok" OR status="error" OR status="failure" OR status="timeout"))
| bin _time span=$span$
| stats values(status) AS status BYtransaction-id _time
| timechart  count(eval(status="ok")) as Success count(eval(status="error")) as Error count(status) as total 
| eval Success=round((Success/total)*100,2) 
| eval Error=round((Error/total)*100,2) 
| eval failure=100-(Success+Error) 
| fields _time failure Error Success

Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-28-2018 10:51 AM

Are you saying that the first search is your base search and the rest of your stuff below is your post-process search and furthermore that you have many panels with similar post-process searches which all start with the same |join []? If so, why not move the join to the base search?

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-28-2018 07:34 AM

Hi shraddhamuduli
sometimes you can replace join or transaction with stats command, try something like this:

(index=abc (caller-id="8179f4c86" OR caller-id="926bbcf8957a") component=Chatbot)
OR (index=pqr component=$MSComp$ logpoint=response-out (status="ok" OR status="error" OR status="failure" OR status="timeout"))
| bin _time span=$span$
| stats values(status) AS status BYtransaction-id _time
| timechart  count(eval(status="ok")) as Success count(eval(status="error")) as Error count(status) as total 
| eval Success=round((Success/total)*100,2) 
| eval Error=round((Error/total)*100,2) 
| eval failure=100-(Success+Error) 
| fields _time failure Error Success

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

Mohsin123
Path Finder
‎07-28-2018 10:49 AM

Thanks
Just one concern :

The OR will give results belonging to caller-id in index=abc + the results belonging to index=pqr

here pqr might contain data belonging to other caller-ids as well

The flow is like

the data belonging to caller-ids in first index and the data belonging to same caller-id belonging to 2nd index is same on the basis of transaction id

the caller-id value changes when the data flows from index abc to index pqr

note, pqr is the 2nd layer(or entry point) to index layer abc

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...