Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Create new field from subsearch results

C_Sparn
Communicator
‎05-02-2014 04:05 AM

Hello,

im looking for a possibility to create a multivalue field from the result list of a subsearch and work with the new field in main search.
Like this:

sourcetype = log [search sourcetype = log|where clause|stats values(Tickets) as NewTickets | fields + NewTickets] | table NewTickets

Is it possible to do something like that?

Greetings

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎05-05-2014 03:10 AM

Okay, so something like this?

sourcetype=log additional filters go here | chart count over TicketState by Day

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎05-05-2014 03:10 AM

Okay, so something like this?

sourcetype=log additional filters go here | chart count over TicketState by Day
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎05-05-2014 08:47 AM

That search is now the answer so feel free to accept.

0 Karma
Reply
Solved! Jump to solution

C_Sparn
Communicator
‎05-05-2014 07:52 AM

Thank you that is what i was looking for but I changed
|chart count over... to | chart count(Tickets) over...
Can you write an answer that I can vote?

0 Karma
Reply
Solved! Jump to solution

C_Sparn
Communicator
‎05-05-2014 03:10 AM

Ok this are some samples how events look like:

Ticket: 2014040310140326 Day: 2014-04-03 TicketState: new
Ticket: 2014040310150426 Day: 2014-04-05 TicketState: closed

Out of such kinds of events I extract my fields like I discribed aboth.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎05-05-2014 03:10 AM

Well, without sample data I'm stuck with guessing what your data looks like. If you'd post some samples...

0 Karma
Reply
Solved! Jump to solution

C_Sparn
Communicator
‎05-05-2014 03:10 AM

I dont think thats possible in my case.

With the sourcetype = log i get a event list where each event accords to one Ticket. So each event has one Ticktnumber, a ticket state like (open,closed...) and a day. I have already extracted the fields "tickets" with all ticketnumbers, field "day" with all days, and field "ticketstate" with 4+ states. I think now i need to create a field "close" with all closed ticketnumbers and other fields for the other states. Then:

search with or without subsearches | chart count(open) count(close)... by day

as line chart

Hope that was a better explanation.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎05-05-2014 03:10 AM

Something like this?

sourcetype=log additional filters go here | chart count over Tickets by Day
0 Karma
Reply
Solved! Jump to solution

C_Sparn
Communicator
‎05-05-2014 12:17 AM

Waht I want to do is this:
I have extracted a field called Tickets, which includes all kind of ticktes like open, closed...
Now I want to split the ticktes field values with 4 different (sub)searches into 4 fields("open", "closed"...)
My expected result is a line chart with 4 lines, where each line is the number of values for one kind of ticket. And it should be grouped by a field called Day.
Thanks for the help.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎05-02-2014 09:16 AM

Could you explain what you're trying to achieve using natural language, sample data, and expected results?
I'm not quite able to grasp those from your attempted search.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...