Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Saved search table value as array for multi-valued search to a new table

jsleona
New Member
‎08-27-2017 08:17 AM

Hello I am doing a search that results in a table with these values... "| table _time, recState, context, message.connID, message.timeStamp.timeinSecs, message.agentID, message.aNI, host"

The issue is that I need to know durations which is not captured in the events. But I can do... "index=abc sourcetype=xyz message.connID | stats range(_time) as difference". Which provides an individual view of the events with this one unique ID and provides overall event duration.

I am trying to find a way to use the initial table as array values, run multiple searches like the one above, to produce a new table where each row has all the table columns and a new column for "duration" based one each unique message.connID.

Tags (1)
0 Karma
Reply

DalJeanis
Legend
‎08-27-2017 10:32 PM

@jsleona - If you had given us the entire original search, then we could provide a complete solution. I have provided a solution below that uses your given table to get the rest, but it would be much more efficient to get it all in a single pass at the data.

For instance, here's a way to get all the differences, by themselves, at the same time...

index=abc sourcetype=xyz   [your search that gets all that stuff | table message.connID]
| stats range(_time) as difference by message.connID

...and here's a way to get it after your existing search and attach it to your existing search...

 your search that gets all this stuff
 | table _time, recState, context, message.connID, message.timeStamp.timeinSecs, message.agentID, message.aNI, host
 | appendpipe 
     [| table message.connID 
      | format 
      | rename search as mysearch 
      | map search="search index=abc sourcetype=xyz $mysearch$ 
      | stats range(_time) as difference by message.connID 
      ]
 | eventstats max(difference) as difference by message.connID

... however, while that method will almost certainly work, it is also almost certainly not the most efficient way.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...