topic Re: Search output replicating fields for other fields in Splunk Search

How to create Search output replicating fields for other fields?

Cranie — Mon, 11 Sep 2023 16:29:18 GMT

Hi,

I am trying to run a search and have tokens setting various search items, what I need is to create a search from an input file and have one field referenced many times for different fields.

My search is:

| inputlookup errorLogs | where RunStartTimeStamp == "2023-01-26-15.47.24.000000" | where HostName == "myhost.com" | where JobName == "runJob1" | where InvocationId == "daily" | fields RunID, ControllingRunID | uniq | format "(" "(" "OR" ")" "||" ")"

This gives:

( ( ControllingRunID="12345" OR RunID="67890" ) )

What I would like is:

( ( ControllingRunID="12345" OR RunID="67890" OR RunID="12345" OR ControllingRunID="67890") )

There could be many id pairs of run/controlling ID's and I want to search on any combination if possible.

Re: Search output replicating fields for other fields

yuanliu — Fri, 08 Sep 2023 21:48:39 GMT

Instead of muscling SPL to give you lots of "OR" expressions (which also slows down performance), it is much more profitable to change your search that will use this token to match distinct values.

First, change $my_token$ definition from a logical expression to simple enumeration.

This gives RunID = ("12345", "67890"). Use this value as $my_token$.

Then, in your search, do the same.

<search setups> (RunID IN ($my_token$) OR ControllingRunID IN ($my_token$))

Re: Search output replicating fields for other fields

gcusello — Sat, 09 Sep 2023 05:48:22 GMT

Hi @Cranie,

if in your events you have one of the two fields RunID, ControllingRunID, you can use the solution from @yuanliu even if you could simplify your token search:

| inputlookup errorLogs WHERE (RunStartTimeStamp == "2023-01-26-15.47.24.000000" AND HostName == "myhost.com" AND JobName == "runJob1" AND InvocationId == "daily") | eval RunID = coalesce(RunID, ControllingRunID) | stats values(RunID) as RunID

If instead you could have in the same event both the two fields, you should use a more structured search:

in the token:

| inputlookup errorLogs WHERE (RunStartTimeStamp == "2023-01-26-15.47.24.000000" AND HostName == "myhost.com" AND JobName == "runJob1" AND InvocationId == "daily") | rename RunID AS token | fields token | append [ | inputlookup errorLogs WHERE (RunStartTimeStamp == "2023-01-26-15.47.24.000000" AND HostName == "myhost.com" AND JobName == "runJob1" AND InvocationId == "daily") | rename ControllingRunID AS token | fields token ] | dedup token | fields token

and in the search:

<your_search> (ControllingRunID="$token$" OR RunID="$token$")

Ciao.

Giuseppe

Re: Search output replicating fields for other fields

Cranie — Mon, 11 Sep 2023 09:22:47 GMT

I could not get the solution that @yuanliu gave (in the way I needed).

I have managed to get this to work, many many thanks.

Re: Search output replicating fields for other fields

gcusello — Mon, 11 Sep 2023 09:37:33 GMT

Hi @Cranie ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Re: Search output replicating fields for other fields

Cranie — Mon, 11 Sep 2023 10:45:04 GMT

Noted - done thanks for the head up. 👍