Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Adapt search filter to a query

null0
New Member
‎05-15-2018 07:14 AM

Hello,
i need to insert IP addresses here
alt text

coded as follow:

    <input type="text" token="host" searchWhenChanged="false">
      <default>*</default>
    </input>

to be applied to:

| pivot Cisco_IOS_Event Device last(hostname) AS "Hostname" last(site_id) AS "Site ID" last(model) AS "Model" last(serial_number) AS "Serial number" count(Device) AS "Count of events" SPLITROW host AS host

and many others panels. I should need to understand where to insert in panel's queries the referens to search-box posted above.

E.g.:
in this query, search-box works fine and it outputs me only IPs int 10..29.10.x subnet:

| pivot Cisco_IOS_Event Cisco_IOS_Event count(Cisco_IOS_Event) AS "Count of Cisco IOS Event" SPLITROW host AS host SPLITCOL severity_id_and_name FILTER host is "$host$" SORT 500 host ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 100 SHOWOTHER 1 | sort -"0 - emergency", -"1 - alert", -"2 - critical", -"3 - error", -"4 - warning", -"5 - notification", -"6 - informational", -"7 - debugging" | table host "0 - emergency" "1 - alert" "2 - critical" "3 - error" "4 - warning" "5 - notification" "6 - informational" "7 - debugging"

Hope to have explaned clearly.

thanks

UPDATE
i'm going to this about this filter could be applied only to PIVOT queries..

because working a little bit more on the previous posted PIVOT query i had successful results.

But e.g. on the following NON-PIVOT query i'm still have issues:

eventtype=cisco_ios-duplex_mismatch | dedup dvc,cdp_local_interface | table _time,dvc,cdp_local_interface,cdp_neighbor,dest_interface,message_text | rename cdp_local_interface AS "Local Int.",cdp_neighbor AS "CDP Neighbor",dest_interface AS "Remote Int.",message_text AS "Message" | sort dvc
Preview file
2 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎05-15-2018 09:51 AM

@null0, what is the definition of your eventtype eventtype=cisco_ios-duplex_mismatch? What is the host fieldname for cisco_ios-duplex_mismatch ? Is it host?

have you tried a filter like the following in your base search with eventtype (where host field name in your raw data is host)?

  eventtype=cisco_ios-duplex_mismatch  host="$host$"
 | dedup dvc,cdp_local_interface 
 | table _time,dvc,cdp_local_interface,cdp_neighbor,dest_interface,message_text 
 | rename cdp_local_interface AS "Local Int.",cdp_neighbor AS "CDP Neighbor",dest_interface AS "Remote Int.",message_text AS "Message" 
 | sort dvc
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎05-15-2018 09:51 AM

@null0, what is the definition of your eventtype eventtype=cisco_ios-duplex_mismatch? What is the host fieldname for cisco_ios-duplex_mismatch ? Is it host?

have you tried a filter like the following in your base search with eventtype (where host field name in your raw data is host)?

  eventtype=cisco_ios-duplex_mismatch  host="$host$"
 | dedup dvc,cdp_local_interface 
 | table _time,dvc,cdp_local_interface,cdp_neighbor,dest_interface,message_text 
 | rename cdp_local_interface AS "Local Int.",cdp_neighbor AS "CDP Neighbor",dest_interface AS "Remote Int.",message_text AS "Message" 
 | sort dvc
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

null0
New Member
‎05-15-2018 10:28 AM

well it seems working fine adding host="$host$" to NON_PIVOT query you posted. I'll try soon to adapt all others queries and will send you a feedback.

thanks a lot

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎05-15-2018 10:37 AM

Sure, check and revert back. If your issue gets resolved, don't forget to accept the answer 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...