Hi everyone,
I have been using Splunk for about two weeks at my work and I have a task to build a dashboard. I have a Splunk query that extracts data from 2 different events in the same source. The events share a common ID. I am trying to combine the events based on the ID and represent the data from both events in a dashboard. I tried with multisearch and by. None of them worked. Can anyone give me a hint on how to approach this problem? Here is the query and a screenshot of the result:
index=?????? sourcetype=???? host=????? source=????????? "Number of Clients" OR "Duration:: in "
| rex field=_raw "Number of Clients: (?<ClientCount>\d+)"
| rex field=_raw "cid:(?<CID>\w+-\w+-\w+-\w+-\w+)"
| rex field=_raw "Duration:: in (?<Duration>\d+\.\d+)"
| eval Size = if(ClientCount == 0, "Not part of association", if(ClientCount <= 3, "Small", if(ClientCount <= 10 ,"Medium",if (ClientCount > 10, "Large", ClientCount))))
| table Size Duration CID
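The pattern the post is reaching for is to extract the fields from each event, group both event types by the shared CID so the ClientCount and Duration values land on one row, and only then compute Size from the merged row (in SPL that is the `stats values(...) by CID` step placed before the eval). The following Python script is an added example, not code from the original post or from Splunk: it replays that merge over a few constructed sample log lines using the post's own regexes, so the grouping logic can be checked offline. The sample events, their CID values and the `Duration:: in ... seconds` wording are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the original post). Two event types
# share a correlation id written as "cid:<uuid-like value>".
SAMPLE_EVENTS = [
    "2024-01-01 10:00:00 cid:0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b Number of Clients: 2",
    "2024-01-01 10:00:05 cid:0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b Duration:: in 12.5 seconds",
    "2024-01-01 10:01:00 cid:11111111-2222-3333-4444-555555555555 Number of Clients: 0",
    "2024-01-01 10:01:03 cid:11111111-2222-3333-4444-555555555555 Duration:: in 0.75 seconds",
    "2024-01-01 10:02:00 cid:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee Number of Clients: 25",
    # No Duration event for the last cid: the merge keeps the row with Duration empty,
    # which is also what a stats-style merge does in Splunk.
]

# Same extraction patterns as the post's rex commands (dot in Duration escaped).
CLIENTS_RE = re.compile(r"Number of Clients: (?P<ClientCount>\d+)")
CID_RE = re.compile(r"cid:(?P<CID>\w+-\w+-\w+-\w+-\w+)")
DURATION_RE = re.compile(r"Duration:: in (?P<Duration>\d+\.\d+)")


def size_bucket(client_count):
    """Same thresholds as the post's nested if(), applied after the merge.

    Returns None when no ClientCount was seen for the CID, mirroring how the
    eval yields an empty Size on a row that only carried a Duration event.
    """
    if client_count is None:
        return None
    if client_count == 0:
        return "Not part of association"
    if client_count <= 3:
        return "Small"
    if client_count <= 10:
        return "Medium"
    return "Large"


def merge_by_cid(events):
    """Extract fields per event, then group by CID (like `stats values(...) by CID`)."""
    rows = defaultdict(lambda: {"ClientCount": None, "Duration": None})
    for raw in events:
        cid_match = CID_RE.search(raw)
        if not cid_match:
            continue  # an event without a correlation id cannot be joined
        row = rows[cid_match.group("CID")]
        clients = CLIENTS_RE.search(raw)
        if clients:
            row["ClientCount"] = int(clients.group("ClientCount"))
        duration = DURATION_RE.search(raw)
        if duration:
            row["Duration"] = float(duration.group("Duration"))

    # Derive Size from the merged row, not from each individual event.
    table = []
    for cid, row in rows.items():
        table.append({
            "CID": cid,
            "ClientCount": row["ClientCount"],
            "Duration": row["Duration"],
            "Size": size_bucket(row["ClientCount"]),
        })
    return table


if __name__ == "__main__":
    for r in merge_by_cid(SAMPLE_EVENTS):
        print(r)
```

The ordering is the point: computing Size before the rows are merged leaves it empty on every Duration event, so the dashboard shows two half-filled rows per CID instead of one complete row.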