Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Saved search table value as array for multi-valued search to a new table

jsleona
New Member
‎08-27-2017 08:17 AM

Hello I am doing a search that results in a table with these values... "| table _time, recState, context, message.connID, message.timeStamp.timeinSecs, message.agentID, message.aNI, host"

The issue is that I need to know durations which is not captured in the events. But I can do... "index=abc sourcetype=xyz message.connID | stats range(_time) as difference". Which provides an individual view of the events with this one unique ID and provides overall event duration.

I am trying to find a way to use the initial table as array values, run multiple searches like the one above, to produce a new table where each row has all the table columns and a new column for "duration" based one each unique message.connID.

Tags (1)
0 Karma
Reply

DalJeanis
Legend
‎08-27-2017 10:32 PM

@jsleona - If you had given us the entire original search, then we could provide a complete solution. I have provided a solution below that uses your given table to get the rest, but it would be much more efficient to get it all in a single pass at the data.

For instance, here's a way to get all the differences, by themselves, at the same time...

index=abc sourcetype=xyz   [your search that gets all that stuff | table message.connID]
| stats range(_time) as difference by message.connID

...and here's a way to get it after your existing search and attach it to your existing search...

 your search that gets all this stuff
 | table _time, recState, context, message.connID, message.timeStamp.timeinSecs, message.agentID, message.aNI, host
 | appendpipe 
     [| table message.connID 
      | format 
      | rename search as mysearch 
      | map search="search index=abc sourcetype=xyz $mysearch$ 
      | stats range(_time) as difference by message.connID 
      ]
 | eventstats max(difference) as difference by message.connID

... however, while that method will almost certainly work, it is also almost certainly not the most efficient way.

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...