Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Add a for loop on eval command for number of hosts

ssaenger
Communicator
‎05-21-2020 04:19 AM

Hi,

i have a query that returns two lines of results based on two hosts.
i then get a result from another query that only returns one line.
When i do the eval command i get a correct 'Match' for the first line but no entry for the second.

How do i apply the 'appendcol' result to both lines?

index =systems sourcetype = stream_stack PID=0x0055 
|  eval Packets=packets*208 
 | stats  latest(Packets) AS Packets by host 
|  appendcols 
    [ search index=systems sourcetype=soms_file_size process=soms  | stats  latest(file_size) AS file_size latest(file_name) AS file_name by process ]
     | eval match=if(Packets=file_size,"OK","Error")
     | table process match Packets file_size file_name host

RESULT

process  match            file_size file_name                                                   host
soms       OK                     27666832  DR_270919_P_5068_719_750_750.out                             chietrp01
           Error                                                                               chietrp02

thanks,

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-21-2020 05:46 AM

That's the way appendcols works. The results from search 2 are added to the results from search 1 on a one-to-one basis. If there are fewer results in search 2 then some results from search 1 will not have the added columns. Also, note that the order in which the results are returned from each search should be the same so the one-to-one pairing of results makes sense.

If you need the results from search 2 to be replicated to all results of search 1 then perhaps filldown will do.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ssaenger
Communicator
‎05-24-2020 01:43 AM

Thank you richgalloway this worked.

For those seeking solution, here is the code for filldown, nice and easy - 

 index =systems sourcetype = stream_stack PID=0x0055 
 |  eval Packets=packets*208 
  | stats  latest(Packets) AS Packets by host 
 |  appendcols 
     [ search index=systems sourcetype=soms_file_size process=soms  | stats  latest(file_size) AS file_size latest(file_name) AS file_name by process ]
      | filldown process, file_size, file_name
      | eval match=if(Packets=file_size,"OK","Error")
      | table process match Packets file_size file_name host
0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-21-2020 05:46 AM

That's the way appendcols works. The results from search 2 are added to the results from search 1 on a one-to-one basis. If there are fewer results in search 2 then some results from search 1 will not have the added columns. Also, note that the order in which the results are returned from each search should be the same so the one-to-one pairing of results makes sense.

If you need the results from search 2 to be replicated to all results of search 1 then perhaps filldown will do.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...