Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to create this search?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I need to create a search (or an embedded search that feeds data to another search. What I'm trying to get is a search like |tstats values(host) where index=* by index which might feed to a spread sheet that has server and host and then another search on top of it to match up host with index. (NOT indexers)
| |tstats values(host) where index=* by index |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, used part of this with a search, but had to get some assistance. The final search looked a little like this--did not use two searches, just one:
index=_internal source=*metrics.log group=tcpin_connections
| eval sourceHost=lower(if(isnull(hostname), sourceHost,hostname))
| rename connectionType as connectType
| eval connectType=case(fwdType=="uf","univ fwder", fwdType=="lwf", "lightwt fwder",fwdType=="full", "heavy fwder", connectType=="cooked" or connectType=="cookedSSL","Splunk fwder", connectType=="raw" or connectType=="rawSSL","legacy fwder")
| eval version=if(isnull(version),"pre 4.2",version)
| join sourceHost
[|tstats values(host) where index=* NOT index=*** NOT index=***| rename values(host) as host
| mvexpand host
| dedup host index
| eval sourceHost= lower(host)
| fields - host]
| dedup sourceHost connectType version
| table sourceHost connectType version
| sort index
Hopes this helps anyone else who needs to combine information from two searches.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, so are you looking to output a table of host and index to show what hosts are in each index? If so, try this: |tstats count where index=* by host index|fields - count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, used part of this with a search, but had to get some assistance. The final search looked a little like this--did not use two searches, just one:
index=_internal source=*metrics.log group=tcpin_connections
| eval sourceHost=lower(if(isnull(hostname), sourceHost,hostname))
| rename connectionType as connectType
| eval connectType=case(fwdType=="uf","univ fwder", fwdType=="lwf", "lightwt fwder",fwdType=="full", "heavy fwder", connectType=="cooked" or connectType=="cookedSSL","Splunk fwder", connectType=="raw" or connectType=="rawSSL","legacy fwder")
| eval version=if(isnull(version),"pre 4.2",version)
| join sourceHost
[|tstats values(host) where index=* NOT index=*** NOT index=***| rename values(host) as host
| mvexpand host
| dedup host index
| eval sourceHost= lower(host)
| fields - host]
| dedup sourceHost connectType version
| table sourceHost connectType version
| sort index
Hopes this helps anyone else who needs to combine information from two searches.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
