Reporting

How do I combine 5 searches into a single report to execute a loadjob command from my dashboard?

Contributor

Hello,

In my dashboard, I use 5 different values from the searches below:

index="windows" sourcetype="wineventlog:Application" "SourceName=Application Error" EventCode=1000 Type=Erreur
| dedup _time
| stats count(EventCode) as ErrorCode

index="windows" sourcetype="wineventlog:Application" "SourceName=Windows Error Reporting" EventCode=1001 Type=information  
| dedup _time
| stats count(EventCode) as ErrorCode

index="windows" sourcetype="wineventlog:Application" "SourceName=Application Hang" EventCode=1002 Type=Erreur 
| dedup _time
| stats count(EventCode) as ErrorCode

index="windows" sourcetype="wineventlog:System" "SourceName=Microsoft-Windows-WER-SystemErrorReporting" EventCode=1001 Type=Erreur
| dedup _time
| stats count(EventCode) as ErrorCode

index="windows" sourcetype="wineventlog:Security" "SourceName=Wired-AutoConfig" EventCode=15514 Type=Erreur
| dedup _time
| stats count(EventCode) as ErrorCode

Is it possible to combine these 5 searches into a single report in order to be able to execute a single | loadjob command from my dashboard?

Thanks

0 Karma
1 Solution

Path Finder

I think you have a few options. The way you have written your code so far, it looks like you are just looking for a total count of errors that match any of these 5 search criteria. If that's the case, any of the below should work. If not, then the below options will have to be adjusted for whatever you're trying to do, but that part was not explained in your question.

Option 1:

| multisearch
  [search index="windows" sourcetype="wineventlog:Application" "SourceName=Application Error" EventCode=1000 Type=Erreur]
  [search index="windows" sourcetype="wineventlog:Application" "SourceName=Windows Error Reporting" EventCode=1001 Type=information]
  [search index="windows" sourcetype="wineventlog:Application" "SourceName=Application Hang" EventCode=1002 Type=Erreur]
  [search index="windows" sourcetype="wineventlog:System" "SourceName=Microsoft-Windows-WER-SystemErrorReporting" EventCode=1001 Type=Erreur]
  [search index="windows" sourcetype="wineventlog:Security" "SourceName=Wired-AutoConfig" EventCode=15514 Type=Erreur]
| dedup _time sourcetype EventCode
| stats count as ErrorCode

Option 2:

index="windows" (sourcetype="wineventlog:Application" "SourceName=Application Error" EventCode=1000 Type=Erreur) OR (sourcetype="wineventlog:Application" "SourceName=Windows Error Reporting" EventCode=1001 Type=information) OR (sourcetype="wineventlog:Application" "SourceName=Application Hang" EventCode=1002 Type=Erreur) OR (sourcetype="wineventlog:System" "SourceName=Microsoft-Windows-WER-SystemErrorReporting" EventCode=1001 Type=Erreur) OR (sourcetype="wineventlog:Security" "SourceName=Wired-AutoConfig" EventCode=15514 Type=Erreur)
| dedup _time sourcetype EventCode
| stats count as ErrorCode

Option 3:

Set tokens for each search separately, then, in a separate search, do the following:

| loadjob $search1$
| append [|loadjob $search2$]
| append [|loadjob $search3$]
| append [|loadjob $search4$]
| append [|loadjob $search5$]
| stats sum(ErrorCode) as ErrorCode

0 Karma
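
An added example, not from any post in this thread, for the case where the dashboard needs the five counts kept separate rather than summed: one saved report labels each event with a category and counts per category, so every panel can read its own value from the same single | loadjob. The report name app_error_counts, the owner admin and the app search are assumed placeholders.

```spl
index="windows" (sourcetype="wineventlog:Application" "SourceName=Application Error" EventCode=1000 Type=Erreur)
    OR (sourcetype="wineventlog:Application" "SourceName=Windows Error Reporting" EventCode=1001 Type=information)
    OR (sourcetype="wineventlog:Application" "SourceName=Application Hang" EventCode=1002 Type=Erreur)
    OR (sourcetype="wineventlog:System" "SourceName=Microsoft-Windows-WER-SystemErrorReporting" EventCode=1001 Type=Erreur)
    OR (sourcetype="wineventlog:Security" "SourceName=Wired-AutoConfig" EventCode=15514 Type=Erreur)
| dedup _time sourcetype EventCode
| eval category=case(
    sourcetype="wineventlog:Application" AND EventCode="1000",  "app_error",
    sourcetype="wineventlog:Application" AND EventCode="1001",  "wer_report",
    sourcetype="wineventlog:Application" AND EventCode="1002",  "app_hang",
    sourcetype="wineventlog:System"      AND EventCode="1001",  "system_error",
    sourcetype="wineventlog:Security"    AND EventCode="15514", "wired_autoconfig")
| stats count as ErrorCode by category

| loadjob savedsearch="admin:search:app_error_counts"
| search category="app_hang"
| fields ErrorCode
```

The first search is saved as the scheduled report; the second is the search for one dashboard panel, and the other four panels use the same loadjob with a different category value. The two EventCode=1001 sources stay distinct because the case() branches test sourcetype as well as EventCode.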

Motivator

Hello @jip31

Not sure about using loadjob; I think it is not possible with loadjob.

I would suggest using a macro, which can help you out in the above case.

Thanks!

0 Karma

Contributor

Sorry, but I don't understand.
I need to update events directly from my report and not from my dashboard.
To my mind, a macro is going to execute the search from the dashboard, no?
And how is it possible to create a single macro for these 5 searches?

0 Karma