Splunk: Return One or True from a search, use that result in another search

Bleepie — Mon, 25 Oct 2021 10:10:51 GMT

Dear Splunk community,

In Splunk, I am looking for logs that say "started with profile: [profile name]" and retrieve the profile name from found events. Then I want to use the profile name to look for other events (from a different source) and if one error or more are found, I would like to let it count as one found error, per platform.

To make things more clear I have the following search query (query one):

index="myIndex" "started with profile" BD_L* | table _raw, platform, RUNID | eval Platform=case(searchmatch("LINUX"),"LINUX",searchmatch("AIX"),"AIX",searchmatch("DB2"),"DB2", searchmatch("SQL"),"SQL", searchmatch("WEBSPHERE"),"WEBSPHERE", searchmatch("SYBASE"),"SYBASE", searchmatch("WINDOWS"),"WINDOWS", true(),"ZLINUX") | stats count by Platform | rename count AS "Amount"

The events found from above query contains the following (raw) :

Discovery run, 2021101306351355 started with profile BD_L2_Windows

The above query will return a list of events containing the raw data above and will result in the following table. This is a table with the amount of Discovery runs per platform:

Using the following piece of code I can extract RUNID from the events. RUNID is what I need to use in a second search when looking for errors:

| rex "Discovery run, (?.+) started with profile"

Using RUNID I can look for errors (query two):

index="myIndex" source="/*/RUNID/*" CASE("ERROR") CTJT* | dedup _raw | stats count | rename count AS "Amount"

Now, I am looking for a way to combine the above two queries into one and count the amount of platforms that have at least one error. So lets say we have the following simulation:

- Two runs (one Windows and one Linux)
- Windows run has 0 errors (none found in query 2)
- Linux has 6 errors (found in query 2)

This should result in the following results:

Platform | Amount Linux | 1

I need to find some way to return true or one from query 2 and use that in query 1 to group the results, but I am unable to due to lack of experience. I have not yet found anything similair to my question and hope anyone here can help me out. Thanks in advance.

Re: Splunk: Return One or True from a search, use that result in another search

PickleRick — Mon, 25 Oct 2021 10:22:20 GMT

You could do some fancy joins or - god forbid - maps but I'd just do one search, then append results from the other one (making sure that column names overlap where needed - especially extracting RUNID from source) and then do some stats by RUNID.

That's the general idea.

topic Re: Splunk: Return One or True from a search, use that result in another search in Splunk Search

Splunk: Return One or True from a search, use that result in another search

Re: Splunk: Return One or True from a search, use that result in another search