Archive
Highlighted

Comparing Chart Results to field

This is my first time posting to the community, I hope this answer is not listed somewhere else.. if it is I have been unable to find it.

I create my own dashboards for everything and I am more or less trying to tackle my first data correlation attempt but so far have come up short.

The Dashboard I have created uses dynamically generated filters the field I am focused on at the moment is very simple; its "host" and it looks like this:

(Filter1)
$timespan$ index=$nexusappdc$ nexussysloglevel=$nexusloglevel$ $keyword$ | chart count by host

(THIS WORKS)

What I want to do is use the results of this chart to run another search against other data. I will provide an example

Lets say the chart comes back with the following:
"10.0.0.1"
"10.0.0.2"
"10.0.0.3"

I only want my next search to contain hosts that are in that list.. here is what I have so far:

$timespan$ index=dcxxacs Address=$nexusapphost$ | top limit=50 _time, User, Address, CmdSet | fields - count - percent

I guess in my mind I see it something like the following if I were to write it out manually

$timespan$ index=dcxxacs Address=10.0.0.1 OR Address=10.0.0.2 OR Address=10.0.0.3| top limit=50 _time, User, Address, CmdSet | fields - count - percent

I hope at least some of this makes sense to some of you guys, any assistance is appreciated.

Tags (1)
0 Karma
Highlighted

Re: Comparing Chart Results to field

SplunkTrust
SplunkTrust

You just need to add your first search as subsearch filter in the second search. Since you're filtering based on a field name, the subsearch should return results with a field with same name (rename command added for that).

$time_span$ index=dcxx_acs [search $time_span$ index=$nexus_app_dc$ nexus_syslog_level=$nexus_loglevel$ $keyword$ | chart count by host | table host | rename host as Address ] | top limit=50 _time, User, Address, CmdSet | fields - count - percent
Highlighted

Re: Comparing Chart Results to field

Wow, that worked... perfectly... I just spent the last hour playing with the map command without any luck.. You're a wizard sir.. and I thank you.

0 Karma
Highlighted

Re: Comparing Chart Results to field

SplunkTrust
SplunkTrust

If your problem is resolved, please accept the answer to help future readers.

---
If this reply helps you, an upvote would be appreciated.
0 Karma