https://community.splunk.com/t5/Splunk-Search/Help-with-the-query-that-works-with-splunk-server-groups/m-p/290829#M87896 <P>What is your intention with these parts of the query:<BR /> <CODE>| search [ | makeresults | eval host= apacheweb123 | table host | makemv host delim=" " | mvexpand host | eval host="".host."" | format ]</CODE> <BR /> and<BR /> <CODE>| append [ | makeresults | eval host=apacheweb123 | table host | makemv host delim=" " | mvexpand host ]</CODE>??</P> <P>The subsearch in the first section returns: <CODE>NOT()</CODE> for me, and the subsearch in the second section returns no results. I tried to guess what your intentions might be, but I can't really make sense out of the <CODE>|table...|makemv...|mvexpand</CODE> thread, given that you are applying them to a single event to which it looks like you are just intending to assign a string value. </P> <P>Additionally, <CODE>| makeresults | eval host=apacheweb123</CODE> will not do anything useful, because Splunk treats the <CODE>apacheweb123</CODE> portion as a variable name reference, rather than a string unless you wrap it in double-quotes: <CODE>| makeresults | eval host="apacheweb123"</CODE>. </P> <P>Can you explain more about what you're trying to do with all the subsearches?</P> Mon, 08 Jan 2018 21:48:38 GMT elliotproebstel 2018-01-08T21:48:38Z https://community.splunk.com/t5/Splunk-Search/Help-with-the-query-that-works-with-splunk-server-groups/m-p/290828#M87895 <P>Hi,</P> <P>Below is the query i am using to get the hostname , IP addresses and last reported to splunk . </P> <P>| metadata type=hosts index=apache_web splunk_server_group=abc | search [ | makeresults | eval host= apacheweb123 | table host | makemv host delim=" " | mvexpand host | eval host="<EM>".host."</EM>" | format ] | table host | append [ | makeresults | eval host=apacheweb123 | table host | makemv host delim=" " | mvexpand host ] | join [ search index=_internal hostname=* | stats count by hostname sourceIp | table hostname sourceIp | rename hostname as host ]</P> <P>But the above search is not working when the server group is mentioned but i need server groups to make search faster over a large data . Any help to get the hostname , IP address , Last reported by including splunk_server_group would be appreciated.</P> Tue, 29 Sep 2020 17:30:52 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-the-query-that-works-with-splunk-server-groups/m-p/290828#M87895 kteng2024 2020-09-29T17:30:52Z https://community.splunk.com/t5/Splunk-Search/Help-with-the-query-that-works-with-splunk-server-groups/m-p/290829#M87896 <P>What is your intention with these parts of the query:<BR /> <CODE>| search [ | makeresults | eval host= apacheweb123 | table host | makemv host delim=" " | mvexpand host | eval host="".host."" | format ]</CODE> <BR /> and<BR /> <CODE>| append [ | makeresults | eval host=apacheweb123 | table host | makemv host delim=" " | mvexpand host ]</CODE>??</P> <P>The subsearch in the first section returns: <CODE>NOT()</CODE> for me, and the subsearch in the second section returns no results. I tried to guess what your intentions might be, but I can't really make sense out of the <CODE>|table...|makemv...|mvexpand</CODE> thread, given that you are applying them to a single event to which it looks like you are just intending to assign a string value. </P> <P>Additionally, <CODE>| makeresults | eval host=apacheweb123</CODE> will not do anything useful, because Splunk treats the <CODE>apacheweb123</CODE> portion as a variable name reference, rather than a string unless you wrap it in double-quotes: <CODE>| makeresults | eval host="apacheweb123"</CODE>. </P> <P>Can you explain more about what you're trying to do with all the subsearches?</P> Mon, 08 Jan 2018 21:48:38 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-the-query-that-works-with-splunk-server-groups/m-p/290829#M87896 elliotproebstel 2018-01-08T21:48:38Z https://community.splunk.com/t5/Splunk-Search/Help-with-the-query-that-works-with-splunk-server-groups/m-p/290830#M87897 <P>trying to display the metadata of the host enter by the user .</P> Mon, 08 Jan 2018 22:22:15 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-the-query-that-works-with-splunk-server-groups/m-p/290830#M87897 kteng2024 2018-01-08T22:22:15Z