I have two separate splunk queries:
1st Query : Outputs unique user count in last 24 hours
2nd Query : Outputs unique users count in last 24 hours in geo = US
I want to create a timechart that will show , a line chart with % of user everyday from US.
How can this be achieved.
You can join the two queries by using :
|
So your query can look like this:
{firstQuery} as countUS| {secondQuery} as countTotal | eval perc=countUS/countTotal
You can use a conditional to count those from US
Example query:
index=data | timechart dc(user) as dc_user, dc(eval(if(geo=US,user,NULL))) as us_user | eval perc_us=round(us_user/dc_user*100,2) | table _time, perc_us
Alternatively you can use the SPL join command but that would be less efficient as it would have to read the data twice and join the results.
Can you anonymize your data, and show the query here? There's lots of ways to do this in Splunk, but we will need a bit more to go on.
for example
Query: index=myindex sourcetype=mySourcetype | stats count dc(ip) as userTotal | append [ index=myindex sourcetype=mySourcetype region=US | stats dc(ip) as USTotal]
Related
In a Rails app, I have a model named TopicEdition with 2 attributes:
edition and an associated Topic.
The topic_editions table may look like
id | edition | topic_id
1 | 1 | 1
2 | 2 | 1
3 | 1 | 2
Now I need to get the list of TopicEdition having the highest edition for each topic.
Referring the table above, I should get back record with id 2 and 3.
I have tried to play around with group and maximum but without success.
My last attempt has been
TopicEdition.group(:topic_id).maximum(:edition)
How can I get what I need?
The followings work but it is kind of ugly
TopicEdition.find_by_sql 'SELECT * FROM topic_editions WHERE (topic_id, edition)
IN (SELECT topic_id, MAX(edition) FROM topic_editions GROUP BY topic_id)'
I think the easiest would be to use normal SQL to sort your query like this:
TopicEdition.group(:topic_id).order('MAX(edition)')
That will return only the last edition of each topic.
I have a database setup similarly to this
The output of
sqlite> PRAGMA table_info(mytable);
is
0|id|INTEGER
1|mydatetime|text
And it looks like this
|__id__|_____mydatetime_____|
| 0 | 2016-10-11 12:10:22|
| 1 | 2016-10-11 12:11:22|
| 2 | 2016-10-12 10:45:45|
| 3 | 2016-10-12 11:12:12|
In Ruby on Rails, I'd like to select all of the rows with the same date (ignoring time). And I'm looping through them, to do something for every date. For example:
If I had the same database, and instead of DateTime it was formatted as just the Date I would do something similar to below:
distinctDate = MyTable.select(:mydatetime).distinct.to_a
distinctDate.each do |x|
put x
end
But how can I write the select with the distinct, and it also ignore the time?
MyTable.pluck("distinct date(updated_at)")
That will give you back an array of distinct dates, then you can process them however you need to in the application.
I'd use sqlite's date() function to get only the date part of DateTime field.
In your example:
distinctDate = MyTable.select('date(mydatetime)').distinct.to_a
And if you need only array of column values instead of rows, you can use ActiveRecord's pluck() method:
distinctDate = MyTable.distinct.pluck('date(mydatetime)')
i need your help to finish my delphi homework.
I use ms access database and show all data in 1 dbgrid using sql. I want to show same column but with criteria (50 record per column)
i want select query to produce output like:
No | Name | No | Name |
1 | A | 51 | AA |
2 | B | 52 | BB |
3~50 | | 53~100| |
Is it possible ?
I can foresee issues if you choose to return a dataset with duplicate column names. To fix this, you must change your query to enforce strictly unique column names, using as. For example...
select A.No as No, A.Name as Name, B.No as No2, B.Name as Name2 from TableA A
join TableB B on B.Something = A.Something
Just as a note, if you're using a TDBGrid, you can customize the column titles. Right-click on the grid control in design-time and select Columns Editor... and a Collection window will appear. When adding a column, link it to a FieldName and then assign a value to Title.Caption. This will also require that you set up all columns. When you don't define any columns here, it automatically returns all columns in the query.
On the other hand, a SQL query may contain duplicate field names in the output, depending on how you structure the query. I know this is possible in SQL Server, but I'm not sure about MS Access. In any case, I recommend always returning a dataset with unique column names and then customizing the DB Grid's column titles. After all, it is also possible to connect to an excel spreadsheet, which can very likely have identical column names. The problem arrives when you try to read from one of those columns for another use.
I am trying to get sql query output in DBfit using i.e. !|Execute|select * from abc| but don't know how it will display in DBfit.
I think that you are looking for the Inspect Query table (you can find reference docs about it here).
!|Inspect Query|select * from abc|
When executed, this will print the resultset of the query.
First, the execute fixture is typically used for actions that do not return data, e.g.:
!|Execute|insert into tablename values (…)|
or
!|Execute|update tablename st... where...|
However, even some non-data actions have more specific commands. The above update can be done with, for example, with:
!|Update|tablename |
|field_to_change=|field_to_select|
|new value |matching value |
For returning data, use the query fixture
!|query|select Id, BatchNum from tablename|
|Id |BatchNum? |
|1 |>>Bat1 |
|2 |<<Bat1 |
As shown, just put your field names in the row below the fixture, then your data rows below that.
I have a query used for statistical purposes. It breaks down the number of users that have logged-in a given number of times. User has_many installations and installation has a login_count.
select total_login as 'logins', count(*) as `users`
from (select u.user_id, sum(login_count) as total_login
from user u
inner join installation i on u.user_id = i.user_id
group by u.user_id) g
group by total_login;
+--------+-------+
| logins | users |
+--------+-------+
| 2 | 3 |
| 6 | 7 |
| 10 | 2 |
| 19 | 1 |
+--------+-------+
Is there some elegant ActiveRecord style find to obtain this same information? Ideally as a hash collection of logins and users: { 2=>3, 6=>7, ...
I know I can use sql directly but wanted to know how this could be solved in rails 3.
# Our relation variables(RelVars)
U =Table(:user, :as => 'U')
I =Table(:installation, :as => 'I')
# perform operations on relations
G =U.join(I) #(implicit) will reference final joined relationship
#(explicit) predicate = Arel::Predicates::Equality.new U[:user_id], I[:user_id]
G =U.join(I).on( U[:user_id].eq(I[:user_id] )
# Keep in mind you MUST PROJECT for this to make sense
G.project(U[:user_id], I[:login_count].sum.as('total_login'))
# Now you can group
G=G.group(U[:user_id])
#from this group you can project and group again (or group and project)
# for the final relation
TL=G.project(G[:total_login].as('logins') G[:id].count.as('users')).group(G[:total_login])
Keep in mind this is VERY verbose because I wanted to show you the order of operations not just the "Here is the code". The code can actually be written with half the code.
The hairy part is Count()
As a rule, any attribute in the SELECT that is not used in an aggregate should appear in the GROUP BY so be careful with count()
Why would you group by the total_login count?
At the end of the day I would simply ask why don't you just do a count of the total logins of all installations since the user information is made irrelevant by the outer most count grouping.
I don't think you'll find anything as efficient as having the db do the work. Remember that you don't want to have to retrieve the rows from the db, you want the db itself to compute the answer by grouping the data.
If you want to push the SQL further into the database, you can create the query as a view in the database and then use a Rails ActiveRecord class to retrieve the results.
In the end imo the SQL syntax is way more readable. This arel stuff is just slowing me down all the time when I only need just a tiny bit more complexity. It's just another syntax you have learn, not worth it imo. I'd stick to SQL in these cases.