Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Combining/appending multiple makeresults
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunkerer
Path Finder
06-06-2021
12:41 AM
I am providing data from one input in the dashboard, and want to search provided input strings in different fields which may include provided inputs. all the fields can contain same data format if they are not empty.
I am using the following search, but not working.
Note: provided input can be single values as well.
Expected result:
index=hashstore
a.hash="aaaaaaaaa" OR a.hash="bbbbbbbbbb" OR a.hash="ccccccccccc"
OR
b.hash="aaaaaaaaa" OR b.hash="bbbbbbbbbb" OR b.hash="ccccccccccc"
OR
c.hash="aaaaaaaaa" OR c.hash="bbbbbbbbbb" OR c.hash="ccccccccccc"
OR
d.hash="aaaaaaaaa" OR d.hash="bbbbbbbbbb" OR d.hash="ccccccccccc"
CURRENT SEARCH -- not giving the expected result.
index=hashstore
[| makeresults
| rename a.hash{} as hash
| eval a.hash="aaaaaaaaa,bbbbbbbbbb,ccccccccccc"
| eval a.hash=split(a.hash,",")
| mvexpand a.hash
| append
[| makeresults
| rename b.hash{} as b.hash
| eval b.hash="aaaaaaaaa,bbbbbbbbbb,ccccccccccc" | eval b.hash=split(b.hash,",")
| mvexpand b.hash
]
| append
[| makeresults
| rename c.hash{} as c.hash
| eval c.hash ="aaaaaaaaa,bbbbbbbbbb,ccccccccccc" | eval c.hash =split(c.hash ,",")
| mvexpand c.hash
]
| append
[| makeresults
| rename d.hash{} as d.hash
| eval d.hash="aaaaaaaaa,bbbbbbbbbb,ccccccccccc" | eval d.hash=split(d.hash,",")
| mvexpand d.hash
]
| table a.hash, b.hash, c.hash, d.hash
]
Thanks,
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
06-06-2021
01:09 AM
Since
index=hashstore
a.hash="aaaaaaaaa" OR a.hash="bbbbbbbbbb" OR a.hash="ccccccccccc"
OR
b.hash="aaaaaaaaa" OR b.hash="bbbbbbbbbb" OR b.hash="ccccccccccc"
OR
c.hash="aaaaaaaaa" OR c.hash="bbbbbbbbbb" OR c.hash="ccccccccccc"
OR
d.hash="aaaaaaaaa" OR d.hash="bbbbbbbbbb" OR d.hash="ccccccccccc"can be written as
index=hashstore
a.hash="aaaaaaaaa" OR
a.hash="bbbbbbbbbb" OR
a.hash="ccccccccccc" OR
b.hash="aaaaaaaaa" OR
b.hash="bbbbbbbbbb" OR
b.hash="ccccccccccc" OR
c.hash="aaaaaaaaa" OR
c.hash="bbbbbbbbbb" OR
c.hash="ccccccccccc" OR
d.hash="aaaaaaaaa" OR
d.hash="bbbbbbbbbb" OR
d.hash="ccccccccccc"your search can be something like
index=hashstore
[| makeresults
| eval hash=split("abcd","")
| mvexpand hash
| eval hash=hash.".hash"
| eval value=split("aaaaaaaaa,bbbbbbbbbb,ccccccccccc",",")
| mvexpand value
| eval {hash}=value
| fields - _time hash value]- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
06-06-2021
01:09 AM
Since
index=hashstore
a.hash="aaaaaaaaa" OR a.hash="bbbbbbbbbb" OR a.hash="ccccccccccc"
OR
b.hash="aaaaaaaaa" OR b.hash="bbbbbbbbbb" OR b.hash="ccccccccccc"
OR
c.hash="aaaaaaaaa" OR c.hash="bbbbbbbbbb" OR c.hash="ccccccccccc"
OR
d.hash="aaaaaaaaa" OR d.hash="bbbbbbbbbb" OR d.hash="ccccccccccc"can be written as
index=hashstore
a.hash="aaaaaaaaa" OR
a.hash="bbbbbbbbbb" OR
a.hash="ccccccccccc" OR
b.hash="aaaaaaaaa" OR
b.hash="bbbbbbbbbb" OR
b.hash="ccccccccccc" OR
c.hash="aaaaaaaaa" OR
c.hash="bbbbbbbbbb" OR
c.hash="ccccccccccc" OR
d.hash="aaaaaaaaa" OR
d.hash="bbbbbbbbbb" OR
d.hash="ccccccccccc"your search can be something like
index=hashstore
[| makeresults
| eval hash=split("abcd","")
| mvexpand hash
| eval hash=hash.".hash"
| eval value=split("aaaaaaaaa,bbbbbbbbbb,ccccccccccc",",")
| mvexpand value
| eval {hash}=value
| fields - _time hash value]- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunkerer
Path Finder
06-06-2021
07:22 AM
Thanks for solution, this is working fine, but the issue is my original field names are ending with {}. I forget to mention it, original search should be like below.
How can I get this result?
index=hashstore
a.hash{}="aaaaaaaaa" OR
a.hash{}="bbbbbbbbbb" OR
a.hash{}="ccccccccccc" OR
b.hash{}="aaaaaaaaa" OR
b.hash{}="bbbbbbbbbb" OR
b.hash{}="ccccccccccc" OR
c.hash{}="aaaaaaaaa" OR
c.hash{}="bbbbbbbbbb" OR
c.hash{}="ccccccccccc" OR
d.hash{}="aaaaaaaaa" OR
d.hash{}="bbbbbbbbbb" OR
d.hash{}="ccccccccccc"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
06-06-2021
08:18 AM
index=hashstore
[| makeresults
| eval hash=split("abcd","")
| mvexpand hash
| eval hash=hash.".hash"
| eval value=split("aaaaaaaaa,bbbbbbbbbb,ccccccccccc",",")
| mvexpand value
| eval {hash}=value
| fields - _time hash value
| rename * as *{}]- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunkerer
Path Finder
06-07-2021
09:30 AM
Thanks @ITWhisperer you are the best!
Get Updates on the Splunk Community!
New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...
The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...
Alerting Best Practices: How to Create Good Detectors
At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...
Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...
Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...
