Hi Team,
I have got different sites seperated according to the tiers having different threshold values
Ex
Mumbai-Tier1
Cebu Tier2
Gurgoan tier2
Hyderabad Tier 3
Tier threshold valu=70%
Tier threshold value=80%
Tier 3 threshold valu=90%
Right now i have a combo box from whihc i can select a tier and my chart will display graphs for sites in that tier
but now i want how many sites network consumption is excedding particaular threshold how can i change according to the tier selected
Here is search query where i want to change my threshold according to the tier slected in the combo box
source="C:\Network Analysis\tier1\rusxwalmartedc S0-0-0.csv" OR source="C:\Network Analysis\tier1\rdinmumbai010-7-1 S2-0.csv" OR source="C:\Network Analysis\tier1\rdgbreddit010-1-2 Gig0-2.csv" OR source="C:\Network Analysis\tier2\rdingurgao010-5-1 f0-1.csv" OR source="C:\Network Analysis\tier3\rdinsecund010-5-2 Gig0-0.csv" OR source="C:\Network Analysis\tier2\rdphcebu010-5-1 f0-2-0.csv"host="SEZ00VVM-153" sourcetype="csv" | rex field=source "(?<country>.?)$"|lookup datacentre.csv country OUTPUT receivebandwidth sitename tier|search tier=tier1|eval Intraffic=IN/1048576 |eval Outtraffic=Out/1048576|eval result=(Intraffic)+(Outtraffic)|eval seventyperc= receivebandwidth*0.7 |eval eightyperc=receivebandwidth*0.8 |eval nightyperc=receivebandwidth*0.9|where result>seventyperc*|stats Values(result) AS Inout,values(seventyperc) AS 70%,Values(eightyperc) AS 80%,values(nightyperc) AS 90%,values(receivebandwidth) as 100% count as nc by sitename _time |bin _time span=1d|stats sum(nc) as NOC by sitename _time|eval NOH =NOC*5/60|timechart span=1d values(NOH) AS total by sitename
Add a case
statement like this:
... | eval thresholdValue=case(tier="tier1", 70, tier="tier2", 80 , tier="tier3", 90, true(), 0) | ...
So it would be like this:
source="C:Network Analysistier1rusxwalmartedc S0-0-0.csv" OR source="C:Network Analysistier1rdinmumbai010-7-1 S2-0.csv" OR source="C:Network Analysistier1rdgbreddit010-1-2 Gig0-2.csv" OR source="C:Network Analysistier2rdingurgao010-5-1 f0-1.csv" OR source="C:Network Analysistier3rdinsecund010-5-2 Gig0-0.csv" OR source="C:Network Analysistier2rdphcebu010-5-1 f0-2-0.csv"host="SEZ00VVM-153" sourcetype="csv" | rex field=source "(?<country>.*?)$"|lookup datacentre.csv country OUTPUT receivebandwidth sitename tier|search tier=tier1|eval Intraffic=IN/1048576 |eval Outtraffic=Out/1048576|eval result=(Intraffic)+(Outtraffic)|eval seventyperc= receivebandwidth*0.7 |eval eightyperc=receivebandwidth*0.8 |eval nightyperc=receivebandwidth*0.9 | eval thresholdValue=case(tier="tier1", 70, tier="tier2", 80 , tier="tier3", 90, true(), 0) | where result>thresholdValue |stats Values(result) AS Inout,values(seventyperc) AS 70%,Values(eightyperc) AS 80%,values(nightyperc) AS 90%,values(receivebandwidth) as 100% count as nc by sitename _time |bin _time span=1d|stats sum(nc) as NOC by sitename _time|eval NOH =NOC*5/60|timechart span=1d values(NOH) AS total by sitename
Add a case
statement like this:
... | eval thresholdValue=case(tier="tier1", 70, tier="tier2", 80 , tier="tier3", 90, true(), 0) | ...
So it would be like this:
source="C:Network Analysistier1rusxwalmartedc S0-0-0.csv" OR source="C:Network Analysistier1rdinmumbai010-7-1 S2-0.csv" OR source="C:Network Analysistier1rdgbreddit010-1-2 Gig0-2.csv" OR source="C:Network Analysistier2rdingurgao010-5-1 f0-1.csv" OR source="C:Network Analysistier3rdinsecund010-5-2 Gig0-0.csv" OR source="C:Network Analysistier2rdphcebu010-5-1 f0-2-0.csv"host="SEZ00VVM-153" sourcetype="csv" | rex field=source "(?<country>.*?)$"|lookup datacentre.csv country OUTPUT receivebandwidth sitename tier|search tier=tier1|eval Intraffic=IN/1048576 |eval Outtraffic=Out/1048576|eval result=(Intraffic)+(Outtraffic)|eval seventyperc= receivebandwidth*0.7 |eval eightyperc=receivebandwidth*0.8 |eval nightyperc=receivebandwidth*0.9 | eval thresholdValue=case(tier="tier1", 70, tier="tier2", 80 , tier="tier3", 90, true(), 0) | where result>thresholdValue |stats Values(result) AS Inout,values(seventyperc) AS 70%,Values(eightyperc) AS 80%,values(nightyperc) AS 90%,values(receivebandwidth) as 100% count as nc by sitename _time |bin _time span=1d|stats sum(nc) as NOC by sitename _time|eval NOH =NOC*5/60|timechart span=1d values(NOH) AS total by sitename
that worked thank u so much ...
Hi deepthi5,
I believe what you're looking for is the ability to define new tokens based on the conditional input choices. The Splunk documentation has a good example here:
http://docs.splunk.com/Documentation/Splunk/6.2.5/Viz/PanelreferenceforSimplifiedXML#condition_.28in...
Here's a run anywhere example also...
<form>
<label>Language</label>
<fieldset submitButton="false">
<input type="radio" token="myChoice" searchWhenChanged="true">
<label>Language Choice</label>
<choice value="lang1">English</choice>
<choice value="lang2">Spanish</choice>
<choice value="lang3">French</choice>
<change>
<condition label="English">
<set token="myConditionalChoice">"Hello, world"</set>
<set token="mylang">English</set>
</condition>
<condition label="Spanish">
<set token="myConditionalChoice">"Hola mundo"</set>
<set token="mylang">Espagnol</set>
</condition>
<condition value="lang3">
<set token="myConditionalChoice">"Bonjour le monde"</set>
<set token="mylang">Français</set>
</condition>
</change>
<default>lang1</default>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>
| stats count |eval greeting=$myConditionalChoice|s$ | eval out = "$mylang$" . ": " . greeting | fields out
</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
</table>
</panel>
</row>
</form>
Hopefully, you'll be able use these example to modify your search form to match your needs.