All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to create a macro to do this?

metersk
Path Finder
‎12-05-2014 12:02 PM

We use Splunk as our A/B platform. Our test buckets are called "studies", and within each study we have "groups", which are the different A/B tests.

Anytime we want to query a study to compare results across all the groups within the study we have to create a query like the following:

msg=single_message reply=1 plat=2 OR plat=0 | extract kvdelim="=" limit=200 pairdelim="," | makemv delim="," studies | chart count by studies,is_p | rex field=studies "(?.)---(?.)" | where study="lab"

The bolded text above is what is required to break out a study by its groups. Is there any way to turn this into a macro, with the caveat that within where study="lab" where "lab" and "chart count by studies,is_p" can be changed to anything (because we have multiple studies)?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎12-05-2014 05:13 PM

If all of the events are the same sourcetype, you could do this in props.conf and transforms.conf, and not have to put it into your searches at all...

Assume the sourcetype name is "study":

props.conf

[study]
KV_MODE=auto
REPORT-study1=extract-study-fields

transforms.conf

[extract-study-fields]
MV_ADD = true
DELIMS = ",", "="
FORMAT = $1::$2

I think this may be all you need. Your search would then be

msg=single_message reply=1 plat=2 OR plat=0 
| chart count by studies,is_p  
| where isnotnull(mvfind(studies,"lab"))

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎12-05-2014 05:13 PM

If all of the events are the same sourcetype, you could do this in props.conf and transforms.conf, and not have to put it into your searches at all...

Assume the sourcetype name is "study":

props.conf

[study]
KV_MODE=auto
REPORT-study1=extract-study-fields

transforms.conf

[extract-study-fields]
MV_ADD = true
DELIMS = ",", "="
FORMAT = $1::$2

I think this may be all you need. Your search would then be

msg=single_message reply=1 plat=2 OR plat=0 
| chart count by studies,is_p  
| where isnotnull(mvfind(studies,"lab"))
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...