This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Converting splunk query to DQL timeseries

esm9374_hca
Newcomer

‎09 Sep 2024 03:34 PM

I am in process of rebuilding all of our Splunk Dashboards over to Dynatrace Dashboards. A lot of our Dashboards are asking us for the latest value. Below is the splunk query. 

| mstats latest(vault.token.count.by_auth.value) as count where `vault_telemetry` AND cluster=* AND namespace IN ("*") by cluster,namespace,auth_method span=10m
| stats sum(count) as count by _time,auth_method
| eventstats latest(_time) as latesttime
| where _time == latesttime
| stats max(count) as count by auth_method

 

Maybe I am approaching this issue wrong but I would think you would need to do a time series for and some how pull the latest value in like an array and then do something with it to make this happen. Any advice would greatly be apperciated.

 

 

Labels:
0 Kudos
Reply
1 REPLY 1

Fin_Ubels
Dynatrace Champion
Dynatrace Champion

‎10 Sep 2024 12:11 AM

Hey esm, if you want to pull the latest value from a timeseries you could do something like:

timeseries count = count(dt.host.availability)
| fields count = arrayLast(count)

 This would return 1 field called count containing the latest value. For more information regarding available array functions including examples you can find them here: https://docs.dynatrace.com/docs/platform/grail/dynatrace-query-language/functions/array-functions

Reply
Ask a question

Featured Posts