Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Create new field from subsearch results

C_Sparn
Communicator
‎05-02-2014 04:05 AM

Hello,

im looking for a possibility to create a multivalue field from the result list of a subsearch and work with the new field in main search.
Like this:

sourcetype = log [search sourcetype = log|where clause|stats values(Tickets) as NewTickets | fields + NewTickets] | table NewTickets

Is it possible to do something like that?

Greetings

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎05-05-2014 03:10 AM

Okay, so something like this?

sourcetype=log additional filters go here | chart count over TicketState by Day

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎05-05-2014 03:10 AM

Okay, so something like this?

sourcetype=log additional filters go here | chart count over TicketState by Day
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎05-05-2014 08:47 AM

That search is now the answer so feel free to accept.

0 Karma
Reply
Solved! Jump to solution

C_Sparn
Communicator
‎05-05-2014 07:52 AM

Thank you that is what i was looking for but I changed
|chart count over... to | chart count(Tickets) over...
Can you write an answer that I can vote?

0 Karma
Reply
Solved! Jump to solution

C_Sparn
Communicator
‎05-05-2014 03:10 AM

Ok this are some samples how events look like:

Ticket: 2014040310140326 Day: 2014-04-03 TicketState: new
Ticket: 2014040310150426 Day: 2014-04-05 TicketState: closed

Out of such kinds of events I extract my fields like I discribed aboth.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎05-05-2014 03:10 AM

Well, without sample data I'm stuck with guessing what your data looks like. If you'd post some samples...

0 Karma
Reply
Solved! Jump to solution

C_Sparn
Communicator
‎05-05-2014 03:10 AM

I dont think thats possible in my case.

With the sourcetype = log i get a event list where each event accords to one Ticket. So each event has one Ticktnumber, a ticket state like (open,closed...) and a day. I have already extracted the fields "tickets" with all ticketnumbers, field "day" with all days, and field "ticketstate" with 4+ states. I think now i need to create a field "close" with all closed ticketnumbers and other fields for the other states. Then:

search with or without subsearches | chart count(open) count(close)... by day

as line chart

Hope that was a better explanation.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎05-05-2014 03:10 AM

Something like this?

sourcetype=log additional filters go here | chart count over Tickets by Day
0 Karma
Reply
Solved! Jump to solution

C_Sparn
Communicator
‎05-05-2014 12:17 AM

Waht I want to do is this:
I have extracted a field called Tickets, which includes all kind of ticktes like open, closed...
Now I want to split the ticktes field values with 4 different (sub)searches into 4 fields("open", "closed"...)
My expected result is a line chart with 4 lines, where each line is the number of values for one kind of ticket. And it should be grouped by a field called Day.
Thanks for the help.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎05-02-2014 09:16 AM

Could you explain what you're trying to achieve using natural language, sample data, and expected results?
I'm not quite able to grasp those from your attempted search.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...