Splunk Search

Can you help me with my query within a query?

New Member


I am trying to see if this type of query is possible

I am creating an alert base on 2 conditions.

The first condition must be met and then check the second condition

First Condition: tid result be unique and more than 4 results return
Second Condition: host must be unique and must be more than 1 hosts


("ERROR")|dedup tid|eval hostname=substr(host,1,5)

It will return something like this

Original host name is


The eval will give me

londn and eurpn

I am able to get the first condition working. Once I get the first condition met, I will need to check the result to make sure it comes from more than 1 host (without the 1 and 2 in the hostname).

How should I go about this?

Tags (1)
0 Karma

New Member

Thank you.

0 Karma


You don't need to overcomplicate your query. you are just pulling additional information out of what you have already done, not doing another query.

your search
| stats values(host) as host by tid
| where mvcount(host)>3
| mvexpand host
| eval shost=substr(host,1,5)
| stats values(host) as host values(shost) as shost by tid
| where mvcount(shost) > 1

Of course, once you review that code, you really don't need to put it together, pull it all apart and put it back together again.

Just do it this way...

your search
| eval shost=substr(host,1,5)
| stats values(host) as host values(shost) as shost by tid
| where mvcount(shost) > 1 AND mvcount(host)>3
0 Karma



Can we use mvcount to get result requested in the question?
Let's say we have multi-valued field like cve


Then we can apply
...|eval cvecount=mvcount(split(cve,";))

That will give us result

cvecount cve
6               CVE-2011-0653;CVE-2011-1252;CVE-2011-1890;CVE-2011-1891;CVE-2011-1892;CVE-2011-1893
5               CVE-2011-0653;CVE-2011-1252;CVE-2011-1890;CVE-2011-1891;CVE-2011-1892
3               CVE-2011-0653;CVE-2011-1252;CVE-2011-1890

@mansinchu , I believe, wants to accomplish the following :

Alert needs to be triggered when number of unique tid values is more than 4 with numbers of unique host values more than one

For example:
These results should trigger the alert : 5 unique tid with 2 unique hosts (londn and eurpn)

host        tid
londn       123
londn        456
eurpn        786
eurpn        910
eurpn        135

These results should not trigger the alert: 4 unique tid values but with just one unique host londh

host        tid
londn       123
londn        456
londn       786
londn        910
londn        135
0 Karma
Get Updates on the Splunk Community!

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...