topic Combining these multiple queries into one in Splunk Search

Combining these multiple queries into one

vhwang — Mon, 19 Mar 2012 18:51:23 GMT

I have a list of channels that I want to query, and for each one, I'd like to retrieve the latest value. For example

chan_name=B-1111 | head 1 | table _time, dn
chan_name=B-1112 | head 1 | table _time, dn
chan_name=B-1113 | head 1 | table _time, dn
chan_name=B-1114 | head 1 | table _time, dn

What's the best way to combine this query so that it shows up neatly in a table (and ultimately JSON object)?

Re: Combining these multiple queries into one

Ayn — Mon, 19 Mar 2012 18:57:30 GMT

You could use stats:

chan_name=* | stats first(dn),first(_time) by chan_name

Or dedup:

chan_name=* | dedup chan_name | table _time,dn

Re: Combining these multiple queries into one

vhwang — Mon, 19 Mar 2012 19:01:04 GMT

I don't want to do all the chan_names, just an inputted list. Is there a way to do something like

chan_name=['B-1111, B-1112']

Re: Combining these multiple queries into one

Ayn — Mon, 28 Sep 2020 11:32:37 GMT

chan_name=B-1111 OR chan_name=B-1112 OR. ..

Re: Combining these multiple queries into one

williamche — Mon, 19 Mar 2012 19:50:13 GMT

To add to Ayn's answers:

You can create a new eventtype using the following query:

chan_name=B-1111 OR chan_name=B-1112 OR chan_name=B-1113 OR chan_name=B-1113

Then pipe the results of this new eventtype to dedup or stats. So the new query would look something like:

eventtype=channel_names | dedup chan_name | table _time,dn

Should you need to modify the list of channel names to include in the query, you can do it at the eventtype level.