Splunk Dev

How to Better format to log event so we could expand and then provide metrics

pavanml
Explorer

Hi All. We have a need to log only one event in Splunk for each Case_ID.

However, a single case can have multiple problems and solutions entered by the user on our website, and based on the event in Splunk we need to publish some metrics in the dashboard. We need a suggestion for a better way to log the problem/solution combinations in a single event for a case_id, which would help regenerate the table format within Splunk using a query, to further populate the dashboard metrics shown in the screenshots below. Please assist.

(Three screenshots were attached: the proposed log format, the unpacked table, and the dashboard metrics.)


pavanml
Explorer

Hi.. The first image pretty much explains the data and the way we want to log the values for each case_id having multiple problems and solutions.
We are looking for a format or structure to log the pairwise combination of all the problems and their corresponding solutions w.r.t. each case as one event, so that we can still unpack the table as shown in the second image, from which the dashboard metrics in the third image could be generated.
As only one-time processing occurs for each case, we might not get multiple events on the same case. Even so, we do maintain a date value in the event, so that the latest event can be considered in case of multiple events on the same case.


ITWhisperer
SplunkTrust

Not sure what the ask is here.

Do you want to know how to parse your existing (proposed?) log format from the first graphic, in order to be able to generate the tables in the other graphics?

Or, do you want suggestions about the log format you might use (in place of the format in the first graphic)?

Also, if you are going to stick with the format in the first graphic, does your website generate a new event for each case when a new solution to an existing or new problem is identified for a case and therefore do your events have a timestamp so that only the latest event for each case can be considered?

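One way to structure such a single event per case and regenerate the table from it, as an added example that is not part of this thread: each event is one line of JSON carrying the case_id, a date, and a `pairs` array of problem/solution objects (field names are assumptions). The Python below mirrors what a Splunk search would do with `spath` to read the array and `mvexpand` to get one row per pair, keeping only the latest event per case by date; the sample events are constructed.

```python
import json
from datetime import datetime

# Constructed sample events: one JSON line per case, all problem/solution
# pairs for that case in a `pairs` array, plus a date for de-duplication.
RAW_EVENTS = [
    json.dumps({"case_id": "C-1001", "date": "2022-04-20T10:00:00Z",
                "pairs": [{"problem": "login failure", "solution": "reset password"},
                          {"problem": "login failure", "solution": "clear cache"},
                          {"problem": "slow page", "solution": "cdn enabled"}]}),
    json.dumps({"case_id": "C-1002", "date": "2022-04-21T09:30:00Z",
                "pairs": [{"problem": "slow page", "solution": "cdn enabled"}]}),
    # A later re-processing of C-1001: only this latest event should count.
    json.dumps({"case_id": "C-1001", "date": "2022-04-22T08:15:00Z",
                "pairs": [{"problem": "login failure", "solution": "reset password"}]}),
]

def build_event(case_id, date, pairs):
    """Serialise one case as a single-line JSON event (what the website would log)."""
    return json.dumps({"case_id": case_id, "date": date,
                       "pairs": [{"problem": p, "solution": s} for p, s in pairs]})

def latest_per_case(raw_events):
    """Keep only the most recent event for each case_id, decided by the date field."""
    latest = {}
    for line in raw_events:
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["date"].replace("Z", "+00:00"))
        if ev["case_id"] not in latest or ts > latest[ev["case_id"]][0]:
            latest[ev["case_id"]] = (ts, ev)
    return [ev for _, ev in latest.values()]

def expand_rows(events):
    """Flatten to one row per (case_id, problem, solution), like mvexpand on the array."""
    return [(ev["case_id"], pair["problem"], pair["solution"])
            for ev in events for pair in ev["pairs"]]

def count_by(rows, field):
    """Count rows per problem or per solution, the input for the dashboard metrics."""
    idx = {"problem": 1, "solution": 2}[field]
    counts = {}
    for row in rows:
        counts[row[idx]] = counts.get(row[idx], 0) + 1
    return counts

if __name__ == "__main__":
    table = expand_rows(latest_per_case(RAW_EVENTS))
    for row in table:
        print(row)
    print(count_by(table, "problem"))
```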