Splunk Search

Combine and use query results contained in 2 other queries.

h52huang
Path Finder

My data model is like:

Key  Source  Destination
1    a       b
1    b       c
1    a       c
1    a       e

Because the source result table is too large, I need to get the top 30 results: the 15 most popular values each for Source and for Destination.

I propose:
1. index=bla model=blala | top limit=15 Source as sourcegroup??
2. index=bla model=blala | top limit=15 Destination as destinationgroup?
3. index=bla model=blala where Source is contained in sourcegroup or Destination is contained in destinationgroup?

I don't know how to implement list item 3, or how to combine the results into one. I searched and tried with multiplesearch, but it did not work. Or, if the algorithm is slow, any efficient suggestions, please?

Thank you so much.

1 Solution

niketn
Legend

@h52huang if you want to run the search only for the top 15 Sources and Destinations try the following search

index=bla model=blala 
    [ search index=bla model=blala 
    | top limit=15 Source showperc=f showcount=f] 
    [ search index=bla model=blala 
    | top limit=15 Destination showperc=f showcount=f]
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"



h52huang
Path Finder

@niketnilay

Could you share more knowledge on this please? I have been doing a few experiments locally and I am getting confused about the pipeline filtering in subsearches.

index=bla field1=aaa field2=bbb (Source=A OR Destination=A)
[index=bla field1=aaa field2=bbb Source=A | top limit=15 DestinationNode showperc=f showcount=f ]
is returning 75 events (not 15 events).


h52huang
Path Finder

@niketnilay
I seem to have figured it out. 🙂

|union
[subsearch 1]
[subsearch 2]


h52huang
Path Finder
index=bla field1=aaa field2=bbb (Source=A OR Destination=A)
       [index=bla field1=aaa field2=bbb Source=A | top limit=15 Destination showperc=f showcount=f ]
       [index=bla field1=aaa field2=bbb Destination=A | top limit=15 Destination showperc=f showcount=f ]

Does this append the results? My desired result is a total of 30: 15 with Source=A and 15 with Destination=A.

Thank you very much. @niketnilay

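Added example, not from the thread and not Splunk's own code: a small Python model of how Splunk turns the rows returned by a subsearch into a filter on the outer search, run over a constructed event set in the shape of the Key/Source/Destination data model above. It illustrates three points the thread circles around: a subsearch that returns 15 rows filters on 15 values and so can match far more than 15 events (the 75-event result above); two subsearches placed next to each other in the base search are ANDed implicitly, while `( [search ...] OR [search ...] )` ORs them; and `union` appends rows, so an event matching both searches appears twice. The function names and the sample data are assumptions made for this example.

```python
"""Model of Splunk subsearch expansion (added example, not from the thread).

Field names Source/Destination follow the thread's data model. The events
are constructed so that the top-15 sets are unambiguous: Source sNN occurs
40-NN times and Destination dNN occurs NN+1 times.
"""
from collections import Counter


def make_events():
    """Constructed sample events in the shape (Key, Source, Destination)."""
    events = []
    for i in range(40):
        src = f"s{i:02d}"
        for j in range(40 - i):               # s00 appears 40 times, s39 once
            events.append({"Key": 1, "Source": src, "Destination": f"d{i + j:02d}"})
    return events


EVENTS = make_events()


def top(events, field, limit):
    """Model of `| top limit=<limit> <field> showperc=f showcount=f`:
    the most frequent values of <field>, most frequent first, without counts."""
    counts = Counter(e[field] for e in events)
    return [value for value, _ in counts.most_common(limit)]


def subsearch_filter(field, values):
    """Model of what a subsearch becomes in the outer search: its rows are
    rewritten as an OR of field=value terms. Returns the SPL-like text and a
    predicate that applies the same filter to an event dict."""
    spl = "( " + " OR ".join(f'( {field}="{v}" )' for v in values) + " )"
    allowed = set(values)
    return spl, lambda e: e[field] in allowed


def search(events, *predicates, combine="AND"):
    """Model of the outer search. Adjacent terms, including expanded
    subsearches, are ANDed implicitly; wrapping them as (A OR B) ORs them."""
    if combine == "AND":
        return [e for e in events if all(p(e) for p in predicates)]
    if combine == "OR":
        return [e for e in events if any(p(e) for p in predicates)]
    raise ValueError(f"unknown combine mode: {combine}")


def union(*result_sets):
    """Model of `| union [search A] [search B]`: rows are appended as-is,
    so an event that matches both searches is returned twice."""
    return [e for rs in result_sets for e in rs]


def demo():
    """Run the thread's three shapes of search over EVENTS and return the counts."""
    top_src = top(EVENTS, "Source", 15)
    top_dst = top(EVENTS, "Destination", 15)
    _, src_pred = subsearch_filter("Source", top_src)
    dst_spl, dst_pred = subsearch_filter("Destination", top_dst)

    # 15 rows from the subsearch -> a filter on 15 values, not a cap of 15 events.
    only_top_dst = search(EVENTS, dst_pred)
    # Two adjacent subsearches: implicit AND.
    both = search(EVENTS, src_pred, dst_pred, combine="AND")
    # ( [subsearch] OR [subsearch] ): either side may match.
    either = search(EVENTS, src_pred, dst_pred, combine="OR")
    # union appends, so overlapping events are duplicated.
    appended = union(search(EVENTS, src_pred), search(EVENTS, dst_pred))

    return {
        "distinct_values_from_subsearch": len(top_dst),
        "events_matching_top_destinations": len(only_top_dst),
        "adjacent_subsearches_AND": len(both),
        "parenthesised_OR": len(either),
        "union_rows": len(appended),
        "union_rows_distinct": len({(e["Source"], e["Destination"]) for e in appended}),
        "destination_filter_spl": dst_spl,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the file prints the counts and the expanded Destination filter. The gap between `distinct_values_from_subsearch` and `events_matching_top_destinations` is the same effect as the 75 events returned above: `top limit=15` bounds the number of values the subsearch hands back, and the outer search then returns every event carrying one of those values. To get exactly 15 rows per side, the limit has to be applied after the outer search (for example with `head` or `dedup` on the appended results), not inside the subsearch.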