Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can you help me with my query within a query?

mansinchu
New Member
‎10-26-2018 09:06 AM

Hi,

I am trying to see if this type of query is possible

I am creating an alert base on 2 conditions.

The first condition must be met and then check the second condition

First Condition: tid result be unique and more than 4 results return
Second Condition: host must be unique and must be more than 1 hosts

Query:

("ERROR")|dedup tid|eval hostname=substr(host,1,5)

It will return something like this

Original host name is

londn1
londn2
eurpn1
eurpn2

The eval will give me

londn and eurpn

I am able to get the first condition working. Once I get the first condition met, I will need to check the result to make sure it comes from more than 1 host (without the 1 and 2 in the hostname).

How should I go about this?

Tags (1)
0 Karma
Reply

mansinchu
New Member
‎10-29-2018 06:50 AM

Thank you.

0 Karma
Reply

DalJeanis
SplunkTrust
SplunkTrust
‎10-26-2018 03:19 PM

You don't need to overcomplicate your query. you are just pulling additional information out of what you have already done, not doing another query.

your search
| stats values(host) as host by tid
| where mvcount(host)>3
| mvexpand host
| eval shost=substr(host,1,5)
| stats values(host) as host values(shost) as shost by tid
| where mvcount(shost) > 1

Of course, once you review that code, you really don't need to put it together, pull it all apart and put it back together again.

Just do it this way... 

your search
| eval shost=substr(host,1,5)
| stats values(host) as host values(shost) as shost by tid
| where mvcount(shost) > 1 AND mvcount(host)>3
0 Karma
Reply

mlevsh
Builder
‎10-26-2018 08:07 PM

@DalJeanis

Can we use mvcount to get result requested in the question?
Let's say we have multi-valued field like cve

cve
CVE-2011-0653;CVE-2011-1252;CVE-2011-1890;CVE-2011-1891;CVE-2011-1892;CVE-2011-1893
CVE-2011-0653;CVE-2011-1252;CVE-2011-1890;CVE-2011-1891;CVE-2011-1892
CVE-2011-0653;CVE-2011-1252;CVE-2011-1890

Then we can apply
...|eval cvecount=mvcount(split(cve,";))

That will give us result 

cvecount cve
6               CVE-2011-0653;CVE-2011-1252;CVE-2011-1890;CVE-2011-1891;CVE-2011-1892;CVE-2011-1893
5               CVE-2011-0653;CVE-2011-1252;CVE-2011-1890;CVE-2011-1891;CVE-2011-1892
3               CVE-2011-0653;CVE-2011-1252;CVE-2011-1890

@mansinchu , I believe, wants to accomplish the following :

Alert needs to be triggered when number of unique tid values is more than 4 with numbers of unique host values more than one

For example:
These results should trigger the alert : 5 unique tid with 2 unique hosts (londn and eurpn)

host        tid
londn       123
londn        456
eurpn        786
eurpn        910
eurpn        135

These results should not trigger the alert: 4 unique tid values but with just one unique host londh

host        tid
londn       123
londn        456
londn       786
londn        910
londn        135
0 Karma
Reply
Get Updates on the Splunk Community!

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...