topic How to create this search? in Getting Data In

How to create this search?

NanSplk01 — Wed, 15 Feb 2023 17:09:11 GMT

I need to create a search (or an embedded search that feeds data to another search. What I'm trying to get is a search like |tstats values(host) where index=* by index which might feed to a spread sheet that has server and host and then another search on top of it to match up host with index. (NOT indexers)

|tstats values(host) where index=* by index

Re: How to create this search?

nyc_jason — Fri, 17 Feb 2023 15:37:08 GMT

Hello, so are you looking to output a table of host and index to show what hosts are in each index? If so, try this: |tstats count where index=* by host index|fields - count

Re: How to create this search?

NanSplk01 — Fri, 17 Feb 2023 19:53:24 GMT

Thank you, used part of this with a search, but had to get some assistance. The final search looked a little like this--did not use two searches, just one:

index=_internal source=*metrics.log group=tcpin_connections
| eval sourceHost=lower(if(isnull(hostname), sourceHost,hostname))
| rename connectionType as connectType
| eval connectType=case(fwdType=="uf","univ fwder", fwdType=="lwf", "lightwt fwder",fwdType=="full", "heavy fwder", connectType=="cooked" or connectType=="cookedSSL","Splunk fwder", connectType=="raw" or connectType=="rawSSL","legacy fwder")
| eval version=if(isnull(version),"pre 4.2",version)
| join sourceHost
[|tstats values(host) where index=* NOT index=*** NOT index=***| rename values(host) as host
| mvexpand host
| dedup host index
| eval sourceHost= lower(host)
| fields - host]
| dedup sourceHost connectType version
| table sourceHost connectType version
| sort index

Hopes this helps anyone else who needs to combine information from two searches.