topic Re: How to do multiple searches at once? in Splunk Search

How to do multiple searches at once?

BITSIntern — Tue, 14 Jul 2015 18:26:12 GMT

Hi guys,

I need to have multiple searches running that pull up a word from the same field and replace it with another (doing this:** | eval word = if (word="racist","race",word) | stats count by word** ). My problem is I want to do this multiple times with different words but when I tried append, appendcols, join, or saving the searches, they never work out quite right. The closest I have gotten is this in my search bar:
sourcetype="socialist action" "government" OR "govern" | eval word = if (word="govern","government",word) | stats count by word | appendcols[search sourcetype="socialist action" "government" OR "govern" OR "race" OR "racist" | eval word = if (word="racist","race",word) | stats count by word]

But it still leaves another government:
word count
government 1094
government 16
race 405

Do any of you have a suggestion on how to fix this? Please let me know!

Re: How to do multiple searches at once?

woodcock — Tue, 14 Jul 2015 18:40:58 GMT

You should do this with a lookup table that looks like this:

synonym,word
race,racist
racist,racist
govern,government
government,government

Then you call it anywhere at any time like this:

... | lookup mylookuptablename synonym AS word OUTPUTNEW word AS word | ...

Re: How to do multiple searches at once?

sk314 — Tue, 14 Jul 2015 18:44:20 GMT

Try this:

sourcetype="socialist action" "government" OR "govern" OR "race" OR "racist" | eval word = case(word=="racist","race", word =="govern", "government") | stats count by word

EDIT: assuming you have a field named "word" already extracted/populated

Re: How to do multiple searches at once?

BITSIntern — Tue, 14 Jul 2015 18:46:02 GMT

wait where do I put the lookup table? Do I create a transforms.conf file and upload it to splunk?

Re: How to do multiple searches at once?

BITSIntern — Tue, 14 Jul 2015 18:50:31 GMT

hmm its weird, it worked but it forgot a few of the events...
so it gave me 1078 for government instead of 1094 and 314 for race instead of 405

Re: How to do multiple searches at once?

sk314 — Tue, 14 Jul 2015 18:52:17 GMT

how did you validate those numbers?

Re: How to do multiple searches at once?

BITSIntern — Tue, 14 Jul 2015 18:56:49 GMT

well I know that the count of the word govern plus the count of the word government equals 1094 (1078 + 16 = 1094) and the count of the word racist plus the count of the word race equals 405 (314 + 91 = 405)... I guess it just is not adding the actual word's count to the renamed word

Re: How to do multiple searches at once?

BITSIntern — Tue, 14 Jul 2015 18:59:00 GMT

the count of govern is 1078 and government is 16 so it should be 1094 together and the count of racist is 314 and race is 91 so it should be 405 together... I guess it did not include the amount of the originial word in the count

Re: How to do multiple searches at once?

sk314 — Tue, 14 Jul 2015 19:02:14 GMT

ahh, just add those cases in the case statement like so

sourcetype="socialist action" "government" OR "govern" OR "race" OR "racist" | eval word = case(word=="racist","race", word =="govern", "government", word =="government", "government", word=="race", "race") | stats count by word

Re: How to do multiple searches at once?

BITSIntern — Tue, 14 Jul 2015 19:05:00 GMT

THANK YOU!

Re: How to do multiple searches at once?

woodcock — Fri, 17 Jul 2015 05:34:45 GMT

Do you like working from the GUI or CLI? It is pretty easy, just create the file on your desktop and upload it from Settings -> Lookups -> Lookup table files -> New. Then create a reference to it from Settings -> Lookups -> Lookup definitions -> New. Probably you should expand the permissions on both. Then you can use it just like my answer shows.