topic Re: Combining searches in Splunk Search

Combining searches

TBo123 — Fri, 22 Aug 2014 09:23:50 GMT

Hello,

I want to combine some search results. I have one base search from there I need to do several searches, but at the end I need a single search result.

my base search | search code="1" ..do something

my base search | search code="2" ..do the same

my base search | search code="3" ..do also the same

There is always the same thing to do, but I need to separate the searches for calculating the time between events with the same code. Is it possible to do this in a single search, because there are 250 different codes. Something like: my base search | for every value of code do this At the end I need a table with all codes in it.

Thanks.

Re: Combining searches

martin_mueller — Fri, 22 Aug 2014 10:03:16 GMT

Do post what you're doing with each code.

Re: Combining searches

Ayn — Fri, 22 Aug 2014 10:07:47 GMT

You really don't provide any details on what you're trying to achieve so it's hard to give really useful advice, but you could look into the map command which does something similar to what you're describing.

That said, it's highly likely you could find an even better solution that doesn't involve looping searches like this. If you described your exact problem, your data, your searches more chances are we can help you out with finding alternate solutions.

Re: Combining searches

TBo123 — Mon, 28 Sep 2020 17:23:03 GMT

In my base search I calculate the code and group events which occur within some milliseconds. They will get the same ID. The next step is to look after events that have the same code and got wrong IDs in the first step, because they occur within some seconds, they should also get the same ID. I implement such a search for one code in that way:

first step, my base search:

host=Host_MA  SEVERITY != FATAL  | eval Zusatz=case(match(_raw,"VOLTAGE"),"VOLT",                   match(_raw,"TEMPERATURE"),"TEMP", match(_raw,"CURRENT"),"CURR", match(_raw,"power module fault"),"POMF")               | eval Zusatz=if(Zusatz!="",Zusatz,"NULL") | eval Code=MSG_ID + ";" + Subcomponent + ";"  + SEVERITY + ";" + Zusatz| delta _time p=1 AS diff | eval diff=round(-diff,3) | streamstats current=f window=1 first(Code) as prevcode | eval ID=case(isnull(diff),1,diff>0.003,1,1=1,0) | accum ID |

second step, several search with one code:

search Code="KERN_2205;bg_subcomp_linux;WARN;NULL" | delta _time p=1 AS diff2 | eval diff2=round(-diff2,3) | eval ID2=case(isnull(diff2),1,diff2>1.0,1,1=1,0) | accum ID2 | eventstats first(ID) as temp_id1 by ID2 | fields - ID, ID2, diff2| rename temp_id1 as ID

After that search I only get events with Code="KERN_2205;bg_subcomp_linux;WARN;NULL" but I look for a way to add the results of the next search with code="..." but there are over 250 different codes, perhaps there is an easier way?

Re: Combining searches

TBo123 — Mon, 28 Sep 2020 17:23:06 GMT

Re: Combining searches

TBo123 — Fri, 22 Aug 2014 11:06:55 GMT

I tried map but I got no results?! map search="search mycode=$code$ and the rest of my search"

Re: Combining searches

martin_mueller — Fri, 22 Aug 2014 11:42:40 GMT

I'm not quite sure what your overall goal is, but here's how you can replace commands you've used in your comment to work for all codes in one go.

... | delta _time p=1 AS diff2 | ...

You search for one code because delta doesn't have a group-by option... however, you can just use streamstats:

... | streamstats window=1 current=f global=f last(_time) as previous by Code | eval diff2 = previous - _time | ...

That'll copy over the neighbouring timestamp for each value of Code, effectively computing a diff _time by Code.

... | accum ID2 | ...

Same thing here, use streamstats with a grouping field:

... | streamstats sum(ID2) as sum_ID2 by Code | ...

... | eventstats first(ID) as temp_id1 by ID2 | ...

This is easiest, just add Code to the grouping:

... | eventstats first(ID) as temp_id1 by ID2 Code | ...

Disclaimer: I'm just going by the search you posted, not the use case behind it. Some transformations may not work in 100% of all imaginable cases, so do test what I posted thoroughly.

Finally, if you need on-site German-speaking help... 😄

Re: Combining searches

TBo123 — Mon, 25 Aug 2014 10:18:46 GMT

Thank you very much. That's just the ticket for me. How can I contact you for German-speaking help? I can't send you a mail?!

Re: Combining searches

martin_mueller — Mon, 25 Aug 2014 16:34:13 GMT

You can, and did... about six times 😛

I won't be available for the next few weeks, you can talk to the sales people listed on my website though.