How do I combine 5 searches into a single report to execute a loadjob command from my dashboard?

jip31
Motivator

Hello,

In my dashboard, I use 5 different values from the searches below:

index="windows" sourcetype="wineventlog:Application" "SourceName=Application Error" EventCode=1000 Type=Erreur
| dedup _time
| stats count(EventCode) as ErrorCode

index="windows" sourcetype="wineventlog:Application" "SourceName=Windows Error Reporting" EventCode=1001 Type=information  
| dedup _time
| stats count(EventCode) as ErrorCode

index="windows" sourcetype="wineventlog:Application" "SourceName=Application Hang" EventCode=1002 Type=Erreur 
| dedup _time
| stats count(EventCode) as ErrorCode

index="windows" sourcetype="wineventlog:System" "SourceName=Microsoft-Windows-WER-SystemErrorReporting" EventCode=1001 Type=Erreur
| dedup _time
| stats count(EventCode) as ErrorCode

index="windows" sourcetype="wineventlog:Security" "SourceName=Wired-AutoConfig" EventCode=15514 Type=Erreur
| dedup _time
| stats count(EventCode) as ErrorCode

Is it possible to combine these 5 searches into a single report in order to be able to execute a single | loadjob command from my dashboard?

Thanks

1 Solution

Tedesco1
Path Finder

I think you have a few options. The way you have written your code so far, it looks like you are just looking for a total count of errors that match any of these 5 search criteria. If that's the case, any of the below should work. If not, then the below options will have to be adjusted for whatever you're trying to do, but that part was not explained in your question.

Option 1:

| multisearch
  [search index="windows" sourcetype="wineventlog:Application" "SourceName=Application Error" EventCode=1000 Type=Erreur]
  [search index="windows" sourcetype="wineventlog:Application" "SourceName=Windows Error Reporting" EventCode=1001 Type=information]
  [search index="windows" sourcetype="wineventlog:Application" "SourceName=Application Hang" EventCode=1002 Type=Erreur]
  [search index="windows" sourcetype="wineventlog:System" "SourceName=Microsoft-Windows-WER-SystemErrorReporting" EventCode=1001 Type=Erreur]
  [search index="windows" sourcetype="wineventlog:Security" "SourceName=Wired-AutoConfig" EventCode=15514 Type=Erreur]
| dedup _time sourcetype EventCode
| stats count as ErrorCode

Option 2:

index="windows" (sourcetype="wineventlog:Application" "SourceName=Application Error" EventCode=1000 Type=Erreur) OR (sourcetype="wineventlog:Application" "SourceName=Windows Error Reporting" EventCode=1001 Type=information) OR (sourcetype="wineventlog:Application" "SourceName=Application Hang" EventCode=1002 Type=Erreur) OR (sourcetype="wineventlog:System" "SourceName=Microsoft-Windows-WER-SystemErrorReporting" EventCode=1001 Type=Erreur) OR (sourcetype="wineventlog:Security" "SourceName=Wired-AutoConfig" EventCode=15514 Type=Erreur)
| dedup _time sourcetype EventCode
| stats count as ErrorCode

Option 3:

Set tokens for each search separately, then, in a separate search, do the following:

| loadjob $search1$
| append [|loadjob $search2$]
| append [|loadjob $search3$]
| append [|loadjob $search4$]
| append [|loadjob $search5$]
| stats sum(ErrorCode) as ErrorCode

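As an added example (not code from the thread or from Splunk's documentation), here is a Simple XML dashboard that wires the question's five searches to Option 3: each base search stores its job SID in a token when it finishes, and one panel loads the finished jobs with loadjob and sums the counts. The search ids, the token names sid1..sid5 and the use of the dashboard's default time range are my assumptions.

```xml
<dashboard>
  <label>Windows error counts via loadjob (added example, not from the thread)</label>

  <!-- One base search per event source, mirroring the five searches in the
       question. Each runs once; when it completes, its job SID is stored in
       a token (sid1..sid5, assumed names) so the panel below can loadjob it. -->
  <search id="s1">
    <query>index="windows" sourcetype="wineventlog:Application" "SourceName=Application Error" EventCode=1000 Type=Erreur | dedup _time | stats count(EventCode) as ErrorCode</query>
    <done><set token="sid1">$job.sid$</set></done>
  </search>
  <search id="s2">
    <query>index="windows" sourcetype="wineventlog:Application" "SourceName=Windows Error Reporting" EventCode=1001 Type=information | dedup _time | stats count(EventCode) as ErrorCode</query>
    <done><set token="sid2">$job.sid$</set></done>
  </search>
  <search id="s3">
    <query>index="windows" sourcetype="wineventlog:Application" "SourceName=Application Hang" EventCode=1002 Type=Erreur | dedup _time | stats count(EventCode) as ErrorCode</query>
    <done><set token="sid3">$job.sid$</set></done>
  </search>
  <search id="s4">
    <query>index="windows" sourcetype="wineventlog:System" "SourceName=Microsoft-Windows-WER-SystemErrorReporting" EventCode=1001 Type=Erreur | dedup _time | stats count(EventCode) as ErrorCode</query>
    <done><set token="sid4">$job.sid$</set></done>
  </search>
  <search id="s5">
    <query>index="windows" sourcetype="wineventlog:Security" "SourceName=Wired-AutoConfig" EventCode=15514 Type=Erreur | dedup _time | stats count(EventCode) as ErrorCode</query>
    <done><set token="sid5">$job.sid$</set></done>
  </search>

  <row>
    <!-- Hidden until all five SID tokens are set, so loadjob never runs
         against an unset token. Each finished job is loaded, not re-run. -->
    <panel depends="$sid1$,$sid2$,$sid3$,$sid4$,$sid5$">
      <title>Total errors across the five searches</title>
      <single>
        <search>
          <query>| loadjob $sid1$
| append [| loadjob $sid2$]
| append [| loadjob $sid3$]
| append [| loadjob $sid4$]
| append [| loadjob $sid5$]
| stats sum(ErrorCode) as ErrorCode</query>
        </search>
      </single>
    </panel>
  </row>
</dashboard>
```

loadjob reads the saved results of an already finished job, so the panel does not re-execute any of the five base searches.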
vishaltaneja070
Motivator

Hello @jip31

Not sure about using loadjob, I think it is not possible with loadjob.

I would suggest using a macro, which can help you out in the above case.

Thanks!


jip31
Motivator

Sorry, but I don't understand.
I need to update events directly from my report and not from my dashboard.
To my mind, a macro is going to execute the search from the dashboard, no?
And how is it possible to create a single macro for these 5 searches?
