Hi Team,
I am using the command below to get the last 4 weeks of data for solutionType=EML.
```
index=sample1 "com.URL.connector.filter" "uri=*/sample/execute" "responseStatus=200" earliest=-35d@d latest=-6h@h
| extract kvdelim=":" pairdelim="{,}"
| search solutionType=EML
| timechart span=6h count by solutionType
| timewrap 1w
```
The command above gives me 4 weeks of data to compare for solutionType=EML.
I then pipe that output into the following to get the sample data that crosses the threshold.
```
| eval maxc=max(EML_4weeks_before, EML_3weeks_before, EML_2weeks_before, EML_1week_before)
| eval minc=min(EML_4weeks_before, EML_3weeks_before, EML_2weeks_before, EML_1week_before)
| eval avg_after_outlier=round((((EML_4weeks_before + EML_3weeks_before + EML_2weeks_before + EML_1week_before) - (minc + maxc)) / 2), 0)
| eval var_percentage=abs(round(((EML_latest_week - avg_after_outlier) / avg_after_outlier) * 100, 2))
| rename avg_after_outlier as EML_previous_week
| fields _time, EML_previous_week, EML_latest_week, var_percentage
| sort - _time
| head 1
| where var_percentage > 99
```
My requirement is to get this Splunk query for all solutionType=*.
We have around 20 solutionTypes.
For example: CHAT, CALL, COM, CIN.
Could you help me with a single Splunk query for solutionType=*?
Thanks
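One way to run the same week-over-week comparison for every solutionType in a single search, written here as an added example and not the poster's own query: instead of hard-coding the `EML_*` column names that `timewrap` produces, pick the latest bucket, `untable` the wrapped columns back into rows, split each series name into its solutionType and week offset with `rex`, and pivot with `xyseries` so that each solutionType becomes a row and the week offsets become fixed columns (`latest_week`, `1week_before`, ...). The threshold math then applies to every row at once, and `where` keeps only the types that cross it. The search assumes the same index, extraction, field names and `var_percentage > 99` threshold as the original; `limit=0` on `timechart` is an assumption added because the default of 10 series would fold the rest of ~20 solutionTypes into OTHER.

```spl
index=sample1 "com.URL.connector.filter" "uri=*/sample/execute" "responseStatus=200" earliest=-35d@d latest=-6h@h
| extract kvdelim=":" pairdelim="{,}"
| search solutionType=*
| timechart span=6h limit=0 count by solutionType
| timewrap 1w
| sort - _time
| head 1
| untable _time series count
| rex field=series "^(?<solutionType>.+)_(?<week>latest_week|\d+weeks?_before)$"
| where isnotnull(week)
| xyseries solutionType week count
| fillnull value=0
| eval maxc=max('4weeks_before', '3weeks_before', '2weeks_before', '1week_before')
| eval minc=min('4weeks_before', '3weeks_before', '2weeks_before', '1week_before')
| eval avg_after_outlier=round((('4weeks_before' + '3weeks_before' + '2weeks_before' + '1week_before') - (minc + maxc)) / 2, 0)
| eval var_percentage=abs(round(((latest_week - avg_after_outlier) / avg_after_outlier) * 100, 2))
| rename avg_after_outlier as previous_week
| fields solutionType, previous_week, latest_week, var_percentage
| where var_percentage > 99
```

The week columns start with a digit, so they have to be quoted with single quotes inside `eval`. `fillnull value=0` covers a solutionType that had no requests in one of the prior weeks; without it the sum is null and that type silently never triggers. Two caveats carry over from the original logic: when `avg_after_outlier` is 0 the division yields null and the row is dropped rather than flagged, and `abs()` treats a 99% drop and a 99% spike alike, so if only one direction matters remove it and compare with `>` or `<` as appropriate.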