topic Re: Lookup against Splunk Search in Splunk Search

Lookup against Splunk Search

rizzo75 — Tue, 04 Nov 2014 16:41:47 GMT

I need to run a search, then run another search to calculate a specific value. Almost like a lookup with splunk commands.

search ... | fields id count

for each event run: search ... id=$id$ | eval count=$count$ | ... calculations ... | stats sum(n) as N

The output would have all values:

id    | count | N
------------------------
111 | 222     | 333

What is the best way to achieve this?

Thanks,

Joe

Re: Lookup against Splunk Search

vasanthmss — Tue, 04 Nov 2014 17:04:49 GMT

provide some sample events and expected result
If possible provide the search query you are running.

Re: Lookup against Splunk Search

musskopf — Tue, 04 Nov 2014 21:35:30 GMT

Have a look on the map command... Provide some additional event data and expected results as vasanthmss mentioned to help writing the search.

Re: Lookup against Splunk Search

martin_mueller — Tue, 04 Nov 2014 22:57:46 GMT

Using your example, you could do this:

... | map maxsearches=42 [search ... id=$id$ | eval count = $count$ | ... calculations ... | stats sum(n) as N]

That'll give you up to 42 rows with a column N containing the sum. Depending on your calculations, it might be a lot faster to do something like this:

... | ... calculations, possibly involving some "by id" ... | stats sum(n) as N by id

Re: Lookup against Splunk Search

rizzo75 — Wed, 05 Nov 2014 17:20:44 GMT

I was able to achieve the necessary results using the map command, then joining back on the initial search.

earliest="-24h@h" latest="now" index=foo sourcetype=mysrc state=7 type!=9
| join type=outer usetime=True id [ search 
  index=foo sourcetype=mysrc state=7 type!=9
  | map maxsearches=500 search=" search
    index=bar sourcetype=othersrc … id = $id$
    | eval count=$count$
    | evals and such …
    | eval number=somenumber*othernumber
    | stats sum(number) as sum_number values(id) as id" ]