Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Dev
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Dev
- :
- Using data model inside subsearches
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Using data model inside subsearches
adrab
New Member
05-25-2018
03:20 AM
Hello,
I'm working on analysis of data coming from some web scan app.
I have to compare the results from two scan executions. Inspired by this answer I've got this working:
| set diff [search index=webscan sourcetype=webscan message="Done exchange {exchange}" scanId=110cf971-c319-41dc-b58c-670f4c141cf1 execId=2018-05-24T20:59:18| stats count by eventProperties.exchange.PluginId, eventProperties.exchange.Url | table eventProperties.exchange.PluginId, eventProperties.exchange.Url] [search index=webscan sourcetype=webscan message="Done exchange {exchange}" scanId=110cf971-c319-41dc-b58c-670f4c141cf1 execId=2018-05-24T18:57:32 | stats count by eventProperties.exchange.PluginId, eventProperties.exchange.Url | table eventProperties.exchange.PluginId, eventProperties.exchange.Url]
The problem appears when I try to use a data model in subsearches - the following does not work (shows "No results found"):
| set diff [| datamodel WebScan Exchanges search | search scanId=110cf971-c319-41dc-b58c-670f4c141cf1 execId=2018-05-24T20:59:18| stats count by eventProperties.exchange.PluginId, eventProperties.exchange.Url | table eventProperties.exchange.PluginId, eventProperties.exchange.Url] [| datamodel WebScan Exchanges search | search scanId=110cf971-c319-41dc-b58c-670f4c141cf1 execId=2018-05-24T18:57:32 | stats count by eventProperties.exchange.PluginId, eventProperties.exchange.Url | table eventProperties.exchange.PluginId, eventProperties.exchange.Url]
in spite of the fact that subsearches run separatly works as expected.
What should be changed?
Ultimately, I would like to define a macro exchanges_of(2) like
datamodel WebScan Exchanges search | search scanId=$scanId$, execId=$execId$ | stats count by eventProperties.exchange.PluginId, eventProperties.exchange.Url | table eventProperties.exchange.PluginId, eventProperties.exchange.Url
and do this:
| set diff [|`exchanges_of(110cf971-c319-41dc-b58c-670f4c141cf1, 2018-05-24T20:59:18)`] [|`exchanges_of(110cf971-c319-41dc-b58c-670f4c141cf1,2018-05-24T18:57:32)`]
but this also returns "No results found."
And it would be great if I could do something like
| `exchanges_of(110cf971-c319-41dc-b58c-670f4c141cf1, 2018-05-24T20:59:18)` NOT [|`exchanges_of(110cf971-c319-41dc-b58c-670f4c141cf1,2018-05-24T18:57:32)`]
for "one side" diff. Is it possible?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
adrab
New Member
05-25-2018
03:22 AM
Get Updates on the Splunk Community!
Introducing Splunk Enterprise 9.2
WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...
Adoption of RUM and APM at Splunk
Unleash the power of Splunk Observability
Watch Now
In this can't miss Tech Talk! The Splunk Growth ...
Routing logs with Splunk OTel Collector for Kubernetes
The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...
