Splunk Search

How to give threshold values dynamically in the search query

deepthi5
Path Finder

Hi Team,

I have different sites, separated into tiers, and each tier has a different threshold value. For example:

Mumbai - Tier 1

Cebu - Tier 2
Gurgoan - Tier 2

Hyderabad - Tier 3

Tier 1 threshold value = 70%
Tier 2 threshold value = 80%
Tier 3 threshold value = 90%

Right now I have a combo box from which I can select a tier, and my chart displays graphs for the sites in that tier.
Now I want to know how many sites' network consumption is exceeding a particular threshold. How can I change the threshold according to the tier selected?

Here is the search query where I want to change my threshold according to the tier selected in the combo box:

source="C:\Network Analysis\tier1\rusxwalmartedc S0-0-0.csv" OR source="C:\Network Analysis\tier1\rdinmumbai010-7-1 S2-0.csv" OR source="C:\Network Analysis\tier1\rdgbreddit010-1-2 Gig0-2.csv" OR source="C:\Network Analysis\tier2\rdingurgao010-5-1 f0-1.csv" OR source="C:\Network Analysis\tier3\rdinsecund010-5-2 Gig0-0.csv" OR source="C:\Network Analysis\tier2\rdphcebu010-5-1 f0-2-0.csv" host="SEZ00VVM-153" sourcetype="csv"
| rex field=source "(?<country>.*?)$"
| lookup datacentre.csv country OUTPUT receivebandwidth sitename tier
| search tier=tier1
| eval Intraffic=IN/1048576
| eval Outtraffic=Out/1048576
| eval result=Intraffic+Outtraffic
| eval seventyperc=receivebandwidth*0.7
| eval eightyperc=receivebandwidth*0.8
| eval nightyperc=receivebandwidth*0.9
| where result>seventyperc
| stats values(result) AS Inout, values(seventyperc) AS "70%", values(eightyperc) AS "80%", values(nightyperc) AS "90%", values(receivebandwidth) AS "100%", count AS nc by sitename _time
| bin _time span=1d
| stats sum(nc) AS NOC by sitename _time
| eval NOH=NOC*5/60
| timechart span=1d values(NOH) AS total by sitename

woodcock
Esteemed Legend

Add a case statement like this:

... | eval thresholdValue=case(tier="tier1", 70, tier="tier2", 80 , tier="tier3", 90, true(), 0) | ...

So it would be like this:

source="C:\Network Analysis\tier1\rusxwalmartedc S0-0-0.csv" OR source="C:\Network Analysis\tier1\rdinmumbai010-7-1 S2-0.csv" OR source="C:\Network Analysis\tier1\rdgbreddit010-1-2 Gig0-2.csv" OR source="C:\Network Analysis\tier2\rdingurgao010-5-1 f0-1.csv" OR source="C:\Network Analysis\tier3\rdinsecund010-5-2 Gig0-0.csv" OR source="C:\Network Analysis\tier2\rdphcebu010-5-1 f0-2-0.csv" host="SEZ00VVM-153" sourcetype="csv"
| rex field=source "(?<country>.*?)$"
| lookup datacentre.csv country OUTPUT receivebandwidth sitename tier
| search tier=tier1
| eval Intraffic=IN/1048576
| eval Outtraffic=Out/1048576
| eval result=Intraffic+Outtraffic
| eval seventyperc=receivebandwidth*0.7
| eval eightyperc=receivebandwidth*0.8
| eval nightyperc=receivebandwidth*0.9
| eval thresholdValue=case(tier="tier1", 70, tier="tier2", 80, tier="tier3", 90, true(), 0)
| where result>thresholdValue
| stats values(result) AS Inout, values(seventyperc) AS "70%", values(eightyperc) AS "80%", values(nightyperc) AS "90%", values(receivebandwidth) AS "100%", count AS nc by sitename _time
| bin _time span=1d
| stats sum(nc) AS NOC by sitename _time
| eval NOH=NOC*5/60
| timechart span=1d values(NOH) AS total by sitename

deepthi5
Path Finder

That worked, thank you so much.

gcato
Contributor

Hi deepthi5,

I believe what you're looking for is the ability to define new tokens based on the conditional input choices. The Splunk documentation has a good example here:

http://docs.splunk.com/Documentation/Splunk/6.2.5/Viz/PanelreferenceforSimplifiedXML#condition_.28in...

Here's a run-anywhere example as well:

<form>
  <label>Language</label>
  <fieldset submitButton="false">
    <input type="radio" token="myChoice" searchWhenChanged="true">
      <label>Language Choice</label>
      <choice value="lang1">English</choice>
      <choice value="lang2">Spanish</choice>
      <choice value="lang3">French</choice>
      <change>
        <condition label="English">
          <set token="myConditionalChoice">"Hello, world"</set>
          <set token="mylang">English</set>
        </condition>
        <condition label="Spanish">
          <set token="myConditionalChoice">"Hola mundo"</set>
          <set token="mylang">Espagnol</set>
        </condition>
        <condition value="lang3">
          <set token="myConditionalChoice">"Bonjour le monde"</set>
          <set token="mylang">Français</set>
        </condition>
      </change>
      <default>lang1</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>
            | stats count | eval greeting=$myConditionalChoice|s$ | eval out = "$mylang$" . ": " . greeting | fields out
          </query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>

Hopefully, you'll be able to use these examples to modify your search form to match your needs.
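Putting the two answers together for the tier case: the form below is an added, run-anywhere example written for this page, not code from either answer. The combo box writes its choice into the `tier` token, the `<change>`/`<condition>` pattern from the answer above derives a second token (`pct`, used only in the panel title), and the `case()` from the accepted answer picks each site's fraction from the `tier` field the lookup returns. Unlike the accepted answer, which compares `result` (in MB) against the bare numbers 70/80/90, this version compares it against `receivebandwidth` multiplied by the tier's fraction, which is what the question's `seventyperc`/`eightyperc`/`nightyperc` fields compute. Assumptions: the `datacentre.csv` lookup returns `receivebandwidth`, `sitename` and `tier` with tier values `tier1`/`tier2`/`tier3`; `IN` and `Out` are byte counts sampled every 5 minutes (hence `NOC*5/60` hours); the per-tier CSVs can be matched with a wildcard per folder instead of listing every file; the `rex`, `host` and `sourcetype` are copied from the question. The extra "All tiers" choice passes `tier="*"` so every site is judged against its own tier's threshold. Because the query lives inside XML text, `<` and `>` in the regex and the `where` clause are escaped as `&lt;` and `&gt;`.

```xml
<form>
  <label>Network consumption above tier threshold</label>
  <fieldset submitButton="false">
    <!-- The combo box from the question; its value lands in the $tier$ token -->
    <input type="dropdown" token="tier" searchWhenChanged="true">
      <label>Tier</label>
      <choice value="*">All tiers</choice>
      <choice value="tier1">Tier 1 (70%)</choice>
      <choice value="tier2">Tier 2 (80%)</choice>
      <choice value="tier3">Tier 3 (90%)</choice>
      <default>tier1</default>
      <!-- Derive a second token from the choice; here it only feeds the panel title -->
      <change>
        <condition value="tier1"><set token="pct">70%</set></condition>
        <condition value="tier2"><set token="pct">80%</set></condition>
        <condition value="tier3"><set token="pct">90%</set></condition>
        <condition><set token="pct">each tier's own share</set></condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Hours per day above $pct$ of receive bandwidth</title>
      <chart>
        <search>
          <query>
source="C:\Network Analysis\tier1\*.csv" OR source="C:\Network Analysis\tier2\*.csv" OR source="C:\Network Analysis\tier3\*.csv" host="SEZ00VVM-153" sourcetype="csv"
| rex field=source "(?&lt;country&gt;.*?)$"
| lookup datacentre.csv country OUTPUT receivebandwidth sitename tier
| search tier="$tier$"
| eval Intraffic=IN/1048576, Outtraffic=Out/1048576, result=Intraffic+Outtraffic
| eval fraction=case(tier=="tier1", 0.7, tier=="tier2", 0.8, tier=="tier3", 0.9, true(), null())
| eval limit=receivebandwidth*fraction
| where result &gt; limit
| bin _time span=1d
| stats count AS NOC by sitename _time
| eval NOH=NOC*5/60
| timechart span=1d values(NOH) AS total by sitename
          </query>
          <earliest>-7d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
  </row>
</form>
```

Paste this as the source of a new dashboard. A site whose `tier` value is not one of the three gets `fraction=null()`, so the `where` clause drops it rather than silently comparing against 0; if you would rather see such sites, replace `null()` with a fraction of your choice.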
