Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Collecting a list of fields with particular values

Runals
Motivator
‎04-14-2014 05:40 PM

I'm trying to pull the tags associated with my different eventtypes using the following query.

| rest /servicesNS/-/-/configs/conf-tags | dedup eai:appName title

The problem is there is no one field for tags. If there is a tag name it shows up as a field with values of either enabled or disabled. The question is how to pull out the fields and associate it with title field value in this event.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Runals
Motivator
‎04-14-2014 07:38 PM

There might be an easier way to do this but here is what I came up with. The key to this is specify the search head you are running the query from as you might have an app that has tags/eventtypes that aren't installed on your indexers (note the | search splunk_server= part). 

| rest /servicesNS/-/-/configs/conf-tags | search splunk_server=splunk0  | rename eai:appName as app | foreach * [ eval <<FIELD>> = '<<FIELD>>'."##".title."##".app]| stats values(*) as *| transpose | makemv delim=" " "row 1" | mvexpand "row 1"| search "row 1"=enabled* OR "row 1"=disabled*| rex field="row 1" "^(?<status>[^\#]+)##(?<title>[^\#]+)##(?<app>[^\#]+)" | rex field=title ".+\=(?<title>.+)" | rename column as tag | table tag status title app

With that query in hand you can combine that with a REST search for eventtypes and the searches that make them up.

| rest /servicesNS/-/-/configs/conf-eventtypes | search splunk_server=splunk0 | rename eai:appName as app | table app title search | join max=0 app title [| rest /servicesNS/-/-/configs/conf-tags | search splunk_server=splunk0  | rename eai:appName as app | foreach * [ eval <<FIELD>> = '<<FIELD>>'."##".title."##".app]| stats values(*) as *| transpose | makemv delim=" " "row 1" | mvexpand "row 1"| search "row 1"=enabled* OR "row 1"=disabled*| rex field="row 1" "^(?<status>[^\#]+)##(?<title>[^\#]+)##(?<app>[^\#]+)" | rex field=title ".+\=(?<title>.+)" | rename column as tag | table tag status title app] | table app title search tag status | rename title as eventtype | sort app eventtype | stats list(tag) as tags list(status) as status by app eventtype search

I like the readability the stats command gives at the end but you might want to take it off depending on how you use this.

View solution in original post

Reply
Solved! Jump to solution

dbroggy
Path Finder
‎05-08-2019 09:27 AM

I found that the above queries are chopping off many of the apps and eventtypes that are associated with the listed tags. Take a look at this shorter part of the query and compare for yourself - eg. the access tags lists eventtypes for several sourcetypes but the app column only lists one of those sourcetypes:

| rest /servicesNS/-/-/configs/conf-tags | rename eai:appName as app | foreach * [ eval <> = '<>'."##".title."##".app]| stats values() as *| transpose | makemv delim=" " "row 1" | mvexpand "row 1"| search "row 1"=enabled OR "row 1"=disabled*| rex field="row 1" "^(?[^#]+)##(?

0 Karma
Reply
Solved! Jump to solution

dbroggy
Path Finder
‎05-08-2019 08:06 AM

yannK I'm not sure your query works, but maybe this is what you were thinking of:
| rest /servicesNS/-/-/configs/conf-tags| dedup eai:appName title| rename eai:appName AS AppTitle|search title="eventtype*"|rex field=title "eventtype=(?(.*))"|table AppTitle eventtype

0 Karma
Reply
Solved! Jump to solution

dbroggy
Path Finder
‎04-23-2019 02:32 PM

don't forget to replace splunk_server=splunk0 with splunk_server=*

0 Karma
Reply
Solved! Jump to solution
Solution

Runals
Motivator
‎04-14-2014 07:38 PM

There might be an easier way to do this but here is what I came up with. The key to this is specify the search head you are running the query from as you might have an app that has tags/eventtypes that aren't installed on your indexers (note the | search splunk_server= part). 

| rest /servicesNS/-/-/configs/conf-tags | search splunk_server=splunk0  | rename eai:appName as app | foreach * [ eval <<FIELD>> = '<<FIELD>>'."##".title."##".app]| stats values(*) as *| transpose | makemv delim=" " "row 1" | mvexpand "row 1"| search "row 1"=enabled* OR "row 1"=disabled*| rex field="row 1" "^(?<status>[^\#]+)##(?<title>[^\#]+)##(?<app>[^\#]+)" | rex field=title ".+\=(?<title>.+)" | rename column as tag | table tag status title app

With that query in hand you can combine that with a REST search for eventtypes and the searches that make them up.

| rest /servicesNS/-/-/configs/conf-eventtypes | search splunk_server=splunk0 | rename eai:appName as app | table app title search | join max=0 app title [| rest /servicesNS/-/-/configs/conf-tags | search splunk_server=splunk0  | rename eai:appName as app | foreach * [ eval <<FIELD>> = '<<FIELD>>'."##".title."##".app]| stats values(*) as *| transpose | makemv delim=" " "row 1" | mvexpand "row 1"| search "row 1"=enabled* OR "row 1"=disabled*| rex field="row 1" "^(?<status>[^\#]+)##(?<title>[^\#]+)##(?<app>[^\#]+)" | rex field=title ".+\=(?<title>.+)" | rename column as tag | table tag status title app] | table app title search tag status | rename title as eventtype | sort app eventtype | stats list(tag) as tags list(status) as status by app eventtype search

I like the readability the stats command gives at the end but you might want to take it off depending on how you use this.

Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎04-14-2014 06:00 PM

Try that to extract the content of the "title" field then eventtype only

| rest /servicesNS/-/-/configs/conf-tags | dedup eai:appName title | search title="eventtype" | rex field=title "eventtype=(?.*)" | table title eventtype

0 Karma
Reply
Solved! Jump to solution

Runals
Motivator
‎04-14-2014 07:33 PM

Thanks for the query yannK. I don't think I explained what I was looking for very well. I was able to work out a solution that I will post below.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...