Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Collecting a list of fields with particular values

Runals
Motivator
‎04-14-2014 05:40 PM

I'm trying to pull the tags associated with my different eventtypes using the following query.

| rest /servicesNS/-/-/configs/conf-tags | dedup eai:appName title

The problem is there is no one field for tags. If there is a tag name it shows up as a field with values of either enabled or disabled. The question is how to pull out the fields and associate it with title field value in this event.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Runals
Motivator
‎04-14-2014 07:38 PM

There might be an easier way to do this but here is what I came up with. The key to this is specify the search head you are running the query from as you might have an app that has tags/eventtypes that aren't installed on your indexers (note the | search splunk_server= part). 

| rest /servicesNS/-/-/configs/conf-tags | search splunk_server=splunk0  | rename eai:appName as app | foreach * [ eval <<FIELD>> = '<<FIELD>>'."##".title."##".app]| stats values(*) as *| transpose | makemv delim=" " "row 1" | mvexpand "row 1"| search "row 1"=enabled* OR "row 1"=disabled*| rex field="row 1" "^(?<status>[^\#]+)##(?<title>[^\#]+)##(?<app>[^\#]+)" | rex field=title ".+\=(?<title>.+)" | rename column as tag | table tag status title app

With that query in hand you can combine that with a REST search for eventtypes and the searches that make them up.

| rest /servicesNS/-/-/configs/conf-eventtypes | search splunk_server=splunk0 | rename eai:appName as app | table app title search | join max=0 app title [| rest /servicesNS/-/-/configs/conf-tags | search splunk_server=splunk0  | rename eai:appName as app | foreach * [ eval <<FIELD>> = '<<FIELD>>'."##".title."##".app]| stats values(*) as *| transpose | makemv delim=" " "row 1" | mvexpand "row 1"| search "row 1"=enabled* OR "row 1"=disabled*| rex field="row 1" "^(?<status>[^\#]+)##(?<title>[^\#]+)##(?<app>[^\#]+)" | rex field=title ".+\=(?<title>.+)" | rename column as tag | table tag status title app] | table app title search tag status | rename title as eventtype | sort app eventtype | stats list(tag) as tags list(status) as status by app eventtype search

I like the readability the stats command gives at the end but you might want to take it off depending on how you use this.

View solution in original post

Reply
Solved! Jump to solution

dbroggy
Path Finder
‎05-08-2019 09:27 AM

I found that the above queries are chopping off many of the apps and eventtypes that are associated with the listed tags. Take a look at this shorter part of the query and compare for yourself - eg. the access tags lists eventtypes for several sourcetypes but the app column only lists one of those sourcetypes:

| rest /servicesNS/-/-/configs/conf-tags | rename eai:appName as app | foreach * [ eval <> = '<>'."##".title."##".app]| stats values() as *| transpose | makemv delim=" " "row 1" | mvexpand "row 1"| search "row 1"=enabled OR "row 1"=disabled*| rex field="row 1" "^(?[^#]+)##(?

0 Karma
Reply
Solved! Jump to solution

dbroggy
Path Finder
‎05-08-2019 08:06 AM

yannK I'm not sure your query works, but maybe this is what you were thinking of:
| rest /servicesNS/-/-/configs/conf-tags| dedup eai:appName title| rename eai:appName AS AppTitle|search title="eventtype*"|rex field=title "eventtype=(?(.*))"|table AppTitle eventtype

0 Karma
Reply
Solved! Jump to solution

dbroggy
Path Finder
‎04-23-2019 02:32 PM

don't forget to replace splunk_server=splunk0 with splunk_server=*

0 Karma
Reply
Solved! Jump to solution
Solution

Runals
Motivator
‎04-14-2014 07:38 PM

There might be an easier way to do this but here is what I came up with. The key to this is specify the search head you are running the query from as you might have an app that has tags/eventtypes that aren't installed on your indexers (note the | search splunk_server= part). 

| rest /servicesNS/-/-/configs/conf-tags | search splunk_server=splunk0  | rename eai:appName as app | foreach * [ eval <<FIELD>> = '<<FIELD>>'."##".title."##".app]| stats values(*) as *| transpose | makemv delim=" " "row 1" | mvexpand "row 1"| search "row 1"=enabled* OR "row 1"=disabled*| rex field="row 1" "^(?<status>[^\#]+)##(?<title>[^\#]+)##(?<app>[^\#]+)" | rex field=title ".+\=(?<title>.+)" | rename column as tag | table tag status title app

With that query in hand you can combine that with a REST search for eventtypes and the searches that make them up.

| rest /servicesNS/-/-/configs/conf-eventtypes | search splunk_server=splunk0 | rename eai:appName as app | table app title search | join max=0 app title [| rest /servicesNS/-/-/configs/conf-tags | search splunk_server=splunk0  | rename eai:appName as app | foreach * [ eval <<FIELD>> = '<<FIELD>>'."##".title."##".app]| stats values(*) as *| transpose | makemv delim=" " "row 1" | mvexpand "row 1"| search "row 1"=enabled* OR "row 1"=disabled*| rex field="row 1" "^(?<status>[^\#]+)##(?<title>[^\#]+)##(?<app>[^\#]+)" | rex field=title ".+\=(?<title>.+)" | rename column as tag | table tag status title app] | table app title search tag status | rename title as eventtype | sort app eventtype | stats list(tag) as tags list(status) as status by app eventtype search

I like the readability the stats command gives at the end but you might want to take it off depending on how you use this.

Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎04-14-2014 06:00 PM

Try that to extract the content of the "title" field then eventtype only

| rest /servicesNS/-/-/configs/conf-tags | dedup eai:appName title | search title="eventtype" | rex field=title "eventtype=(?.*)" | table title eventtype

0 Karma
Reply
Solved! Jump to solution

Runals
Motivator
‎04-14-2014 07:33 PM

Thanks for the query yannK. I don't think I explained what I was looking for very well. I was able to work out a solution that I will post below.

0 Karma
Reply
Get Updates on the Splunk Community!

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...
Top