In order to search for the error records, I use:
ns=app1 Service='trigger1' Id!='temp-100' | Search ErrorResponse
Here I get an event like:
timestamp ns=app1 [ErrorResponse] Service='trigger1' id=105 ActNo=1234
Now I have to fetch this ActNo field and search with only ActNo=1234. It will list many events, and in those I have to look for a field appId='New1'. If it is New1, I have to add it to counter1, else to counter2.
Thank you!
You could try something like this
index=whatever [ search ns=app1 Service=trigger1 Id!="temp-100" ErrorResponse | fields ActNo ]
| eval counter1 = if(appId=="New1",1,0)
| eval counter2 = if(appId=="New1",0,1)
| stats sum(counter1) as counter1 sum(counter2) as counter2 by ActNo
A few tips:
A search like this:
ns=app1 Service=trigger1 Id!="temp-100" | Search ErrorResponse
should always be rewritten as:
ns=app1 Service=trigger1 Id!="temp-100" ErrorResponse
Combine as much as possible into a single search.
Splunk uses double-quotes for strings, but even that is not required in the search command if the string has no spaces or special characters.
The search within brackets is called a subsearch. The list of ActNo values from the subsearch will be inserted into the outer search.
Here is more information about subsearches.
AppId in the events is displayed with single quotes as appId='New1'
appId in the event is displayed as appId=='New1'
Sorry, it is displayed in the event with single quotes, as appId='New1'
Oh, nice answer by @Daleanis as well. I could rewrite my search as:
index=whatever [ search ns=app1 Service=trigger1 Id!="temp-100" ErrorResponse | fields ActNo ]
| stats sum(eval(appId=="New1")) as counter1 sum(eval(appId!="New1")) as counter2 by ActNo
index=l2_idx ns=app1 Service='trigger1' Id!='temp-100' ErrorResponse | fields ActNo | stats sum(eval(appId=="New1")) as counter1 sum(eval(appId!=="New1")) as counter2 by ActNo
I am getting this error:
Error in 'stats' command: The eval expression for dynamic field 'eval(appId!=="New1")' is invalid. Error='The expression is malformed. An unexpected character is reached at '="New1"'.
appId in the event is displayed as appId=='New1'
If I've read you right, it would be something like this...
timestamp ns=app1 [ErrorResponse] Service='trigger1' id=105
[ns=app1 Service='trigger1' Id!='temp-100' | Search ErrorResponse | table ActNo]
| stats count(eval(appId="New1")) as counter count as bothcounters by ActNo
| eval counter2 = bothcounters-counter
This part ...
[ns=app1 Service='trigger1' Id!='temp-100' | Search ErrorResponse | table ActNo]
...returns a list of ActNo values in this format...
( ( ActNo="firstvalue" ) OR ( ActNo="secondvalue" ) OR ... OR ( ActNo="lastvalue" ) )
then this part
timestamp ns=app1 [ErrorResponse] Service='trigger1' id=105 ( ( ActNo=... )
... brings back the records, and this part counts them up ...
| stats count(eval(appId="New1")) as counter count as bothcounters by ActNo
| eval counter2 = bothcounters-counter
Can I have eval and stats count after ActNo, like this:
timestamp ns=app1 [ErrorResponse] Service='trigger1' id=105 [ns=app1 Service='trigger1' Id!='temp-100' | Search ErrorResponse | table ActNo | eval | stats count as "Count1"]
Also, I want to check whether there are records with that ActNo in the outer search or not. If not, I want to write out that ActNo.
Thank you!
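Putting the answer above and this follow-up together, as an added example that is neither the answerer's query nor anything from Splunk's documentation: it assumes an index named app_idx (placeholder), dedupes the ActNo list inside the subsearch, trims any single quotes that end up in the extracted appId value (harmless if Splunk already stripped them), and appends the full ActNo list so that an ActNo with no matching records in the outer search still shows up, with bothcounters=0.

```spl
index=app_idx
    [ search index=app_idx ns=app1 Service=trigger1 Id!="temp-100" ErrorResponse
      | stats count BY ActNo
      | fields ActNo ]
| eval appId=trim(appId, "'")
| stats sum(eval(if(appId=="New1", 1, 0))) AS counter1
        count AS bothcounters
        BY ActNo
| eval counter2 = bothcounters - counter1
| append
    [ search index=app_idx ns=app1 Service=trigger1 Id!="temp-100" ErrorResponse
      | stats count BY ActNo
      | fields ActNo
      | eval bothcounters=0 ]
| stats max(bothcounters) AS bothcounters
        max(counter1) AS counter1
        max(counter2) AS counter2
        BY ActNo
| eval status=if(bothcounters==0, "no records for this ActNo", "ok")
```

The first subsearch expands to ( ( ActNo="1234" ) OR ... ) exactly as described above; the appended copy of the same list contributes only a zero row per ActNo, so max() keeps the real counts where records exist and leaves 0 where none do.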
Thanks.
I get the account number and two counters, counter and bothcounters. But for every account number, only bothcounters has the value 1 while counter is always 0, which is not the case with respect to the events: some of the AcctNo values have appId as New1 and others don't.