Let's step through the new queries. The initial query is the same:
sourcetype="impl_splunk_gen" loglevel=error | top user
The next query may seem strange, but there's a good reason for this:
sourcetype="impl_splunk_gen" loglevel=error user="$user$"
| bucket span=30m _time
| stats count by logger _time
If you look back to Chapter 5, Advanced Search Examples, we used bucket and stats
to slice events by _time and other fields. This is a convenient way to break down
events for post processing, where one or more of the post-process queries uses
timechart. This query produces a row with the field count for every unique
value of logger in each 30-minute period.
Post processing has a limit of 10,000 events. To accommodate this
limit, all aggregation possible should be done in the initial query.
Ideally, only what is needed by all child queries should be produced
by the initial query. It is also important to note that all fields needed
by post-process queries must be returned by the initial query.
The first HiddenPostProcess builds a field for a module we haven't used
yet, SingleValue, which takes the first value it sees and renders that value
in a rounded rectangle.
stats sum(count) as count by logger
| sort -count
| head 1
| eval f=logger + " is most common (" + count + ")"
| table f
The query is additive, so the full query for this module is essentially:
sourcetype="impl_splunk_gen" loglevel=error user="bob"
| bucket span=30m _time
| stats count by logger _time
| stats sum(count) as count by logger
| sort -count
| head 1
| eval f=logger + " is most common (" + count + ")"
| table f
The remaining SingleValue modules do similar work to find the count of unique
loggers, the max errors per hour, and the average errors per hour. To step through
these queries, simply copy each piece and add it to a query in search.
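To make the data flow concrete, here is an added Python model of the pipeline above (not the book's own code): it applies the base query's bucket/stats aggregation to a constructed set of error events and then runs each post-process computation over the resulting rows. The logger names and timestamps are assumed sample data, and the hourly figures assume a 60-minute re-bucket of the 30-minute rows.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: (timestamp, logger) for events already filtered by
# sourcetype, loglevel=error and user, as the base search would do.
T0 = datetime(2024, 1, 1, 0, 0)
EVENTS = [(T0 + timedelta(minutes=m), lg) for m, lg in [
    (1, "LogoutClass"), (5, "BarClass"), (12, "LogoutClass"), (31, "BarClass"),
    (40, "LogoutClass"), (65, "FooClass"), (70, "LogoutClass"), (95, "BarClass"),
]]

def bucket_time(ts, span_minutes=30):
    """Equivalent of `bucket span=30m _time`: floor to the span boundary."""
    return ts - timedelta(minutes=ts.minute % span_minutes,
                          seconds=ts.second, microseconds=ts.microsecond)

def base_query(events, span_minutes=30):
    """`bucket span=30m _time | stats count by logger _time`.
    Returns one row per (bucket, logger); this is the only data the
    post-process queries see, so it must carry every field they need and
    should stay well under the 10,000-row post-process limit."""
    counts = Counter((bucket_time(t, span_minutes), lg) for t, lg in events)
    return [{"_time": t, "logger": lg, "count": c}
            for (t, lg), c in sorted(counts.items())]

def most_common_logger(rows):
    """stats sum(count) as count by logger | sort -count | head 1 | eval f=..."""
    totals = Counter()
    for r in rows:
        totals[r["logger"]] += r["count"]
    logger, count = totals.most_common(1)[0]
    return f"{logger} is most common ({count})"

def unique_loggers(rows):
    """Count of distinct loggers, as a SingleValue module would show."""
    return len({r["logger"] for r in rows})

def errors_per_hour(rows):
    """Re-bucket the 30-minute rows into hours by summing their counts."""
    hourly = Counter()
    for r in rows:
        hourly[r["_time"].replace(minute=0)] += r["count"]
    return hourly

def max_errors_per_hour(rows):
    return max(errors_per_hour(rows).values())

def avg_errors_per_hour(rows):
    hourly = errors_per_hour(rows)
    return sum(hourly.values()) / len(hourly)
```

Eight events collapse to seven rows here; on real data the reduction from raw events to (bucket, logger) rows is what keeps the post-process inputs small.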