
Combining searches

Path Finder

Hello,

I want to combine some search results. I have one base search; from there I need to do several searches, but at the end I need a single search result.

my base search | search code="1" ..do something

my base search | search code="2" ..do the same

my base search | search code="3" ..do also the same

There is always the same thing to do, but I need to separate the searches for calculating the time between events with the same code. Is it possible to do this in a single search, because there are 250 different codes? Something like: my base search | for every value of code do this. At the end I need a table with all codes in it.

Thanks.


Re: Combining searches

SplunkTrust

Do post what you're doing with each code.


Re: Combining searches

Legend

You really don't provide any details on what you're trying to achieve so it's hard to give really useful advice, but you could look into the map command which does something similar to what you're describing.

That said, it's highly likely you could find an even better solution that doesn't involve looping searches like this. If you described your exact problem, your data and your searches in more detail, chances are we can help you out with finding alternate solutions.


Re: Combining searches

Path Finder

In my base search I calculate the code and group events which occur within some milliseconds. They will get the same ID. The next step is to look for events that have the same code and got wrong IDs in the first step because they occur within some seconds; they should also get the same ID. I implement such a search for one code in this way:

first step, my base search:

host=Host_MA SEVERITY != FATAL | eval Zusatz=case(match(_raw,"VOLTAGE"),"VOLT", match(_raw,"TEMPERATURE"),"TEMP", match(_raw,"CURRENT"),"CURR", match(_raw,"power module fault"),"POMF") | eval Zusatz=if(Zusatz!="",Zusatz,"NULL") | eval Code=MSG_ID + ";" + Subcomponent + ";" + SEVERITY + ";" + Zusatz | delta _time p=1 AS diff | eval diff=round(-diff,3) | streamstats current=f window=1 first(Code) as prevcode | eval ID=case(isnull(diff),1,diff>0.003,1,1=1,0) | accum ID |

second step, several searches, each with one code:

search Code="KERN_2205;bg_subcomp_linux;WARN;NULL" | delta _time p=1 AS diff2 | eval diff2=round(-diff2,3) | eval ID2=case(isnull(diff2),1,diff2>1.0,1,1=1,0) | accum ID2 | eventstats first(ID) as temp_id1 by ID2 | fields - ID, ID2, diff2 | rename temp_id1 as ID

After that search I only get events with Code="KERN_2205;bg_subcomp_linux;WARN;NULL", but I am looking for a way to add the results of the next search with Code="...". There are over 250 different codes; perhaps there is an easier way?


Re: Combining searches

Path Finder

I tried map but I got no results?! map search="search mycode=$code$ and the rest of my search"


Re: Combining searches

Path Finder

That is what I have to do with every code: search Code="KERN_2205;bg_subcomp_linux;WARN;NULL" | delta _time p=1 AS diff2 | eval diff2=round(-diff2,3) | eval ID2=case(isnull(diff2),1,diff2>1.0,1,1=1,0) | accum ID2 | eventstats first(ID) as temp_id1 by ID2 | fields - ID, ID2, diff2 | rename temp_id1 as ID


Re: Combining searches

SplunkTrust

I'm not quite sure what your overall goal is, but here's how you can replace commands you've used in your comment to work for all codes in one go.

... | delta _time p=1 AS diff2 | ...

You search for one code because delta doesn't have a group-by option... however, you can just use streamstats:

... | streamstats window=1 current=f global=f last(_time) as previous by Code | eval diff2 = previous - _time | ...

That'll copy over the neighbouring timestamp for each value of Code, effectively computing a diff _time by Code.

... | accum ID2 | ...

Same thing here, use streamstats with a grouping field:

... | streamstats sum(ID2) as sum_ID2 by Code | ...

... | eventstats first(ID) as temp_id1 by ID2 | ...

This is easiest, just add Code to the grouping:

... | eventstats first(ID) as temp_id1 by ID2 Code | ...

Disclaimer: I'm just going by the search you posted, not the use case behind it. Some transformations may not work in 100% of all imaginable cases, so do test what I posted thoroughly.

Finally, if you need on-site German-speaking help... 😄
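The accepted answer's per-Code streamstats rewrite, modelled in Python as an added example that is not from the thread: it runs the poster's two-stage ID assignment once as separate per-Code passes (the 250-search approach) and once as a single pass with per-Code state (the streamstats ... by Code approach), and the two agree. The events, the fan_ctrl code and the 3 ms / 1 s thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events, newest first as Splunk returns them: (_time, Code).
EVENTS = [
    (100.000, "KERN_2205;bg_subcomp_linux;WARN;NULL"),
    (99.999, "KERN_1000;fan_ctrl;FATAL;TEMP"),          # 1 ms later: stage 1 joins it to event 0
    (99.500, "KERN_2205;bg_subcomp_linux;WARN;NULL"),   # 0.5 s gap: stage 2 joins it, per Code
    (99.400, "KERN_1000;fan_ctrl;FATAL;TEMP"),          # 0.599 s gap within its own Code
    (90.000, "KERN_2205;bg_subcomp_linux;WARN;NULL"),   # 9.5 s gap: a new cluster
    (89.998, "KERN_1000;fan_ctrl;FATAL;TEMP"),          # 2 ms after event 4: same stage-1 ID
]

def stage1(events, gap=0.003):
    """Base search: delta _time p=1 | eval ID=case(...) | accum ID, across all Codes."""
    ids, prev, acc = [], None, 0
    for t, _ in events:
        diff = None if prev is None else round(prev - t, 3)  # thread negates delta's diff
        acc += 1 if diff is None or diff > gap else 0
        ids.append(acc)
        prev = t
    return ids

def stage2_per_code(events, ids, gap=1.0):
    """The poster's approach: one separate pass per Code, results unioned by event index."""
    final = [None] * len(events)
    for code in {c for _, c in events}:
        idx = [i for i, (_, c) in enumerate(events) if c == code]  # search Code="..."
        prev, acc, first_id = None, 0, {}
        for i in idx:
            t = events[i][0]
            diff2 = None if prev is None else round(prev - t, 3)
            acc += 1 if diff2 is None or diff2 > gap else 0  # eval ID2 | accum ID2
            first_id.setdefault(acc, ids[i])  # eventstats first(ID) as temp_id1 by ID2
            final[i] = first_id[acc]
            prev = t
    return final

def stage2_grouped(events, ids, gap=1.0):
    """The answer's approach: one pass, state kept per Code (streamstats ... by Code)."""
    prev, acc, first_id, final = {}, defaultdict(int), {}, []
    for (t, code), stage1_id in zip(events, ids):
        diff2 = None if code not in prev else round(prev[code] - t, 3)  # last(_time) by Code
        acc[code] += 1 if diff2 is None or diff2 > gap else 0  # streamstats sum(ID2) by Code
        first_id.setdefault((code, acc[code]), stage1_id)  # eventstats first(ID) by ID2 Code
        final.append(first_id[(code, acc[code])])
        prev[code] = t
    return final

def run(events=EVENTS):
    """Return (stage-1 IDs, per-code final IDs, grouped final IDs); the last two must agree."""
    ids = stage1(events)
    return ids, stage2_per_code(events, ids), stage2_grouped(events, ids)
```

Event 3 shows the merge the poster wanted: it gets its own stage-1 ID (3) because it is not within 3 ms of any event of any code, but within its own Code it is 0.6 s from event 1, so both passes give it event 1's ID.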


Re: Combining searches

Path Finder

Thank you very much. That's just the ticket for me. How can I contact you for German-speaking help? I can't send you a mail?!


Re: Combining searches

SplunkTrust

You can, and did... about six times 😛

I won't be available for the next few weeks, you can talk to the sales people listed on my website though.
