Splunk Search

Cannot use earliest and eval together with the map command

hanikawadhwa
Explorer

Hi Splunkers,

How can I use an earliest time and the eval command together with a map command?
The earliest value and the day of the week are provided in a lookup table. In this case I am using eval on _time to get the day of the week so that it can be mapped to the lookup table column (day of the week).

I tried some ways but could not use earliest and eval together with map.

Hope my question can be understood.

TIA

1 Solution

woodcock
Esteemed Legend
0 Karma

richgalloway
SplunkTrust

Please describe your use case. What problem are you trying to solve? Say what you want to do, not how you want to do it. Pseudo-code may help clarify what you want to do.

---
If this reply helps you, Karma would be appreciated.
0 Karma

hanikawadhwa
Explorer

Hi,

Thanks for reverting. I have a lookup table containing more than 1000 assets which have a tendency to open an alarm:

asset_name,DESCRIPTION,Bin_Duration,Bin_Size,Day
COM,Computer,5,span=1h,Monday
PA,Personal,10,span=2h,Saturday

I need to calculate the average and a threshold (average + 3 * standard deviation) to check for any violation. If the alarm count is more than the threshold, there is a rule violation. But to calculate the average and threshold for each asset, only their corresponding days will be taken into account, e.g. for COM, 5 Mondays will be considered to calculate the average and threshold, whereas for PA, 10 Saturdays.

I prepared a query

index=indx
| lookup main asset_name AS ASSET_NAME DESCRIPTION AS DESCRIPTION
| dedup ASSET_NAME DESCRIPTION
| table ASSET_NAME, DESCRIPTION, Bin_Size, Bin_Duration, Day
| map search="search index=indx earliest=-1d@h-$Bin_Duration$d@h ASSET_NAME=\"$ASSET_NAME$\" DESCRIPTION=\"$DESCRIPTION$\"
    | timechart $Bin_Size$ count(Alarm) AS Alarm
    | timewrap 1d series=short
    | addtotals Alarm_s* fieldname=mysum
    | eval avg1=(mysum-Alarm_s0)/$Bin_Duration$
    | foreach Alarm* [eval diff_<<FIELD>>=pow('<<FIELD>>'-avg1,2)]
    | addtotals diff* fieldname=std1
    | eval std1=std1-diff_Alarm_s0
    | eval std1=pow(std1/$Bin_Duration$,0.5)
    | eval threshold=avg1+3*std1
    | eval rule1=if(Alarm_s0>threshold,1,0)
    | eval assetName=\"$ASSET_NAME$\"
    | eval DESCRIPTION=\"$DESCRIPTION$\""
| rename assetName AS ASSET_NAME avg1 AS Average threshold AS Threshold
| table _time ASSET_NAME DESCRIPTION rule1

In this query, I could not use the Day field from the lookup table.
If there is any other way to solve my problem, please suggest it.
If I hard-code the same query for a particular asset, it works properly.

TIA

0 Karma
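An added worked example, not part of this thread and not code from Splunk or the poster, showing one way to apply the lookup's Day column inside map: the day-of-week filter is an eval on _time after timechart, so the zero-count bins for the wanted weekday are kept in the baseline, and the baseline statistics are computed per time-of-day bin with eventstats instead of the timewrap arithmetic. It assumes the lookup is named main, the index is indx, the fields are as in the post, the Day values are full English weekday names exactly as strftime's %A produces them ("Monday", not "Mon" or "monday "), Bin_Size holds a span that divides a day evenly (1h, 2h) so bins line up across weeks, and a maxsearches value (2000 here, an assumed number) at or above the row count of the lookup, because map stops silently at its default of 10 searches. It iterates with inputlookup rather than searching the index first, so every row of the lookup is evaluated whether or not the asset had events in the outer time range. Note that map splices lookup values into the search text verbatim; Bin_Size in particular is passed as a literal command argument, so whoever can edit that lookup can inject arbitrary SPL into this search (and, in a scheduled alert, run it under the alert owner's permissions). Keep write access to the lookup restricted.

```spl
| inputlookup main
| rename asset_name AS ASSET_NAME
| map maxsearches=2000 search="search index=indx earliest=-$Bin_Duration$w@d ASSET_NAME=\"$ASSET_NAME$\" DESCRIPTION=\"$DESCRIPTION$\"
    | timechart $Bin_Size$ count(Alarm) AS Alarm
    | eval dow=strftime(_time, \"%A\")
    | where dow=\"$Day$\"
    | eval date=strftime(_time, \"%Y-%m-%d\"), bin=strftime(_time, \"%H:%M\")
    | eventstats max(date) AS latest
    | eval baseline=if(date=latest, null(), Alarm)
    | eventstats avg(baseline) AS Average, stdev(baseline) AS Stdev, count(baseline) AS Samples BY bin
    | where date=latest
    | eval Threshold=Average+3*Stdev
    | eval rule1=if(Alarm>Threshold, 1, 0)
    | eval ASSET_NAME=\"$ASSET_NAME$\", DESCRIPTION=\"$DESCRIPTION$\", Day=\"$Day$\""
| table _time ASSET_NAME DESCRIPTION Day Alarm Average Threshold Samples rule1
```

The inner search looks back Bin_Duration weeks from the start of today, so for COM (5, Monday) it sees up to six Mondays: the most recent one is the period being tested and the earlier ones form the baseline. Run the alert on the asset's Day so that "latest" is today; if it runs on another weekday the most recent occurrence is tested instead, with one fewer baseline sample. Samples tells you how many prior same-weekday bins actually contributed; with zero samples Average and Threshold are null and rule1 falls back to 0, so alert on Samples as well if a missing baseline should be noticed rather than ignored. Every literal inside the map search string is escaped as \" because the whole inner search is itself a double-quoted string.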