- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Disabling the effect of wildcard in a Query
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All ,
I have this query :
index=no host=los* sourcetype= plp ( path=/desktop /pl/* ) OR ( path=/mobile/pl/* ) | stats perc95(responseTime) as "95th Perc Response Time" by path
I Want the result to come like this as shown below( coagulated response time for the desktop and mobile separately ) :
Path 95th Perc Response Time
/desktop/pl/* 234
/mobile/pl/* 2344
But the result is showing all the url's in path section just because i have used a wildcard in that place .
how to modify this query to get the expected the result. ??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this instead (NOT TESTED so there might be typos):
index=no host=los* sourcetype= plp (path="/desktop/pl/*" OR path="/mobile/pl/*")
| eval pathSummary = if(match(path, "/desktop/pl/*"), "/desktop/pl/*", "/mobile/pl/*")
| stats perc95(responseTime) as "95th Perc Response Time" by pathSummary
The second line groups your paths based on your preferences and then assigns that into a new field that you can use in your stats.
Thanks,
J
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Since you have only two paths (or systems) i.e. desktop and mobile in your base search. Following should work:
index="no" host="los*" sourcetype="plp" ( path="/desktop/pl/*" ) OR ( path="/mobile/pl/*" )
| eval path=if(match(path,"desktop"),"desktop","mobile")
| stats perc95(responseTime) as "95th Perc Response Time" by path
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oh too late. You already got your answer 🙂
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hahahha Thanks you Niket too....i guess logic is same in both . Thanks again 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this instead (NOT TESTED so there might be typos):
index=no host=los* sourcetype= plp (path="/desktop/pl/*" OR path="/mobile/pl/*")
| eval pathSummary = if(match(path, "/desktop/pl/*"), "/desktop/pl/*", "/mobile/pl/*")
| stats perc95(responseTime) as "95th Perc Response Time" by pathSummary
The second line groups your paths based on your preferences and then assigns that into a new field that you can use in your stats.
Thanks,
J
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks a lot 🙂 ..it worked
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@shabdadev, in order to avoid your code from getting escaped, use the code button (101010) while posting your query. Please try to Edit your question and re-post with code button query and sample table.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HI Niket i have modified the post ..please see again
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
