topic Re: Customised search in Splunk Search

Customised search

Santosh2 — Tue, 13 Feb 2024 01:44:30 GMT

Query:

From the above query i am getting data only for one site. but I want data for both sites SOC and BDC.
I tried giving as site=* its not working

Any help would be appreciated.

Re: Customised search

ITWhisperer — Tue, 13 Feb 2024 09:43:53 GMT

Your first search filters on SOC, your second search (first in appendcols) filters on SOC, your third search (first in join) filters on SOC - where would BDC come from?

Either remove the filter to get all sites or use (site=SOC OR site=BDC) as your filters

Re: Customised search

Santosh2 — Tue, 13 Feb 2024 13:35:46 GMT

Hi @ITWhisperer , I tried giving as site=* it’s not working l am getting total value but I need values by site.

Re: Customised search

ITWhisperer — Tue, 13 Feb 2024 14:00:15 GMT

Try adding site to your by clauses on your stats commands

Re: Customised search

Santosh2 — Tue, 13 Feb 2024 15:20:37 GMT

I tried in many ways but I am not getting expected output

Re: Customised search

ITWhisperer — Tue, 13 Feb 2024 16:26:58 GMT

Exactly what have you tried?

Re: Customised search

Santosh2 — Tue, 13 Feb 2024 21:37:52 GMT

Tried below query, but not getting values by site

Re: Customised search

ITWhisperer — Wed, 14 Feb 2024 08:41:35 GMT

Missing site from this line

|stats sum(count) as Success site

Re: Customised search

Santosh2 — Sat, 17 Feb 2024 18:17:28 GMT

Hi @ITWhisperer , i tried adding the missing line, but i am not getting the results by site.

I think we need to do some changes in the query but i am not getting it.
Can anyone help on this.

Re: Customised search

ITWhisperer — Sat, 17 Feb 2024 19:50:46 GMT

Sorry - typo on my part - you need it like this

|stats sum(count) as Success by site

You also need site on some of the other stats commands too

Re: Customised search

PickleRick — Sat, 17 Feb 2024 21:48:46 GMT

The whole search is... strange to say the least.

You generate a single value (and do that in a strange way - by aggregating by a field and the ignoring the split by that field and summing up everything). Then you use appendcols to add another value which is obtained by joining two data sets from the same index.

Very strange and possibly inefficient way.

Even if you split your data by site, there is no guarantee that both result sets joined by appendcols will have the same order of results (and appendcols doesn't care about any field matching or something like that so it's up to you to make sure both result sets are compatible).

Anyway, I suspect there might be a more elegant (and possibly more efficient) way to do the same.

Also remember that your search might be subject to subsearch limitations.