- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- how to set priority for each server based on their...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all,
Currently I can search out the tablet name which has no data sent for more than 24 hours with below command 1. However, I also want to get the priority of them based on their performance (with command 2). Which means higher performance owns higher priority, even their silence hour may not be the highest.
could you please kindly guide me on how to combine these two commands together to get a final list, which is sorted by priority already.
Command 1:
shop_tags= "*wumart*" interaction_count="*" LIVE
|stats latest(_time) AS lastReportTime BY mount_name
| eval silenceSeconds = now() - lastReportTime
|eval silenceHour = silenceSeconds/3600
| where silenceHour > 24
|table mount_name, silenceHour
|eval silenceHour =round(silenceHour,1)
|sort -silenceHour
Command2:
shop_tags= "*wumart*" interaction_count="*" LIVE
|stats sum(interaction_count) AS sum_interaction_count BY mount_name
|sort -sum_interaction_count
Thanks again.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have no idea what you mean by "priority" since there are no fields by that name. However, this will combine the two commands:
shop_tags= "*wumart*" interaction_count="*" live
| stats latest(_time) as lastReportTime sum(interaction_count) as sum_interaction_count by mount_name
| eval silenceSeconds = now() - lastReportTime
| where silenceHour > 86400
| sort -silenceHour -sum_interaction_count
| fieldformat silenceHour=tostring(silenceHour,"duration")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have no idea what you mean by "priority" since there are no fields by that name. However, this will combine the two commands:
shop_tags= "*wumart*" interaction_count="*" live
| stats latest(_time) as lastReportTime sum(interaction_count) as sum_interaction_count by mount_name
| eval silenceSeconds = now() - lastReportTime
| where silenceHour > 86400
| sort -silenceHour -sum_interaction_count
| fieldformat silenceHour=tostring(silenceHour,"duration")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi Lguinn,
Priority is defined by the performance of command2. According to the second command, i can get the interaction count for each tablet, so those who has higher performance, will get higher priority, so command1 can display according to that .
Do you have any idea on this situation?
Thanks so much.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Then change the sort to
| sort -sum_interaction_count -silenceHour
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
