Reporting

How do I combine 5 searches into a single report to execute a loadjob command from my dashboard?

jip31
Motivator

Hello,

In my dashboard, I use 5 different values from the searches below:

index="windows" sourcetype="wineventlog:Application" "SourceName=Application Error" EventCode=1000 Type=Erreur
| dedup _time
| stats count(EventCode) as ErrorCode

index="windows" sourcetype="wineventlog:Application" "SourceName=Windows Error Reporting" EventCode=1001 Type=information  
| dedup _time
| stats count(EventCode) as ErrorCode

index="windows" sourcetype="wineventlog:Application" "SourceName=Application Hang" EventCode=1002 Type=Erreur 
| dedup _time
| stats count(EventCode) as ErrorCode

index="windows" sourcetype="wineventlog:System" "SourceName=Microsoft-Windows-WER-SystemErrorReporting" EventCode=1001 Type=Erreur
| dedup _time
| stats count(EventCode) as ErrorCode

index="windows" sourcetype="wineventlog:Security" "SourceName=Wired-AutoConfig" EventCode=15514 Type=Erreur
| dedup _time
| stats count(EventCode) as ErrorCode

Is it possible to combine these 5 searches into a single report, in order to be able to execute a single | loadjob command from my dashboard?

Thanks

1 Solution

Tedesco1
Path Finder

I think you have a few options. The way you have written your code so far, it looks like you are just looking for a total count of errors that match any of these 5 search criteria. If that's the case, any of the below should work. If not, then the below options will have to be adjusted for whatever you're trying to do, but that part was not explained in your question.

Option 1:

| multisearch
  [search index="windows" sourcetype="wineventlog:Application" "SourceName=Application Error" EventCode=1000 Type=Erreur]
  [search index="windows" sourcetype="wineventlog:Application" "SourceName=Windows Error Reporting" EventCode=1001 Type=information]
  [search index="windows" sourcetype="wineventlog:Application" "SourceName=Application Hang" EventCode=1002 Type=Erreur]
  [search index="windows" sourcetype="wineventlog:System" "SourceName=Microsoft-Windows-WER-SystemErrorReporting" EventCode=1001 Type=Erreur]
  [search index="windows" sourcetype="wineventlog:Security" "SourceName=Wired-AutoConfig" EventCode=15514 Type=Erreur]
| dedup _time sourcetype EventCode
| stats count as ErrorCode

Option 2:

index="windows" (sourcetype="wineventlog:Application" "SourceName=Application Error" EventCode=1000 Type=Erreur) OR (sourcetype="wineventlog:Application" "SourceName=Windows Error Reporting" EventCode=1001 Type=information) OR (sourcetype="wineventlog:Application" "SourceName=Application Hang" EventCode=1002 Type=Erreur) OR (sourcetype="wineventlog:System" "SourceName=Microsoft-Windows-WER-SystemErrorReporting" EventCode=1001 Type=Erreur) OR (sourcetype="wineventlog:Security" "SourceName=Wired-AutoConfig" EventCode=15514 Type=Erreur)
| dedup _time sourcetype EventCode
| stats count as ErrorCode

Option 3:

Set tokens for each search separately, then, in a separate search, do the following:

| loadjob $search1$
| append [|loadjob $search2$]
| append [|loadjob $search3$]
| append [|loadjob $search4$]
| append [|loadjob $search5$]
| stats sum(ErrorCode) as ErrorCode


vishaltaneja070
Motivator

Hello @jip31

I'm not sure about using loadjob; I think it is not possible with loadjob.

I would suggest using a macro, which can help you out in the above case.

Thanks!


jip31
Motivator

Sorry, but I don't understand.
I need to update events directly from my report and not from my dashboard.
To my mind, a macro is going to execute the search from the dashboard, no?
And how is it possible to create a single macro for these 5 searches?
