Splunk Search

How can I go through a search for different input values and store the results into summary index?

jagadeeshm
Contributor

I have the following combinations of name and code:

    Name    Code
    AAA     M
    BBB     C
    ZZZ     K
    …
    …
    …
[fixed combination of these, like 10 or so].

For each of these Name/Code combinations, I want to run the following search and store the output to a summary index:

    index=common sourcetype=web
    | eval match = if((some_name_1="AAA" AND some_code_1="M") OR (some_name_2="AAA" AND some_code_2="M"), 1, 0)
    | eval some_name="AAA"
    | eval some_code="M"
    | bucket _time span=1h
    | stats count(eval(price=1 AND NOT(some_name_2!="AAA" AND some_flag="Y") OR …..)) as totalEquals, count as total by _time, some_name, some_code
    | eval pct=round((totalEquals/total)*100,2)
    | stats max(pct) max(total) by _time some_name some_code
    | collect index=summary_index source="SOME_STATS"

I am planning to store the above Name/Code combinations in the KV Store, iterate through the combinations and pass them to the above search. Wondering what is the best way to loop through them and get the results?

0 Karma

DalJeanis
SplunkTrust

I really have no idea what your use case is for this part...

| stats count(eval(price=1) AND NOT(some_name_2!="AAA" AND some_flag=Y) OR …..) as totalEquals, count as total by _time, some_name, some_code
 

...because you haven't told us what you actually are trying to do. So, here's a couple of options...


Assumptions - you have a csv file called mynames.csv that has name and code in it, and you only need the records that are matched.

 index=common sourcetype=web 
(  ( [|inputcsv mynames.csv|table name code | rename name as some_name_1, code as some_code_1] )  
OR ( [|inputcsv mynames.csv|table name code | rename name as some_name_2, code as some_code_2] ) )
| rename COMMENT as "The above gets all records where, for name and code in your csv file, ... "
| rename COMMENT as "((some_name_1=name AND some_code_1=code) OR  (some_name_2=name AND some_code_2=code) )"

| rename COMMENT as "figure out what the match was, and count up the total matches for each combination per unit of time."
| eval some_name = coalesce(some_name_1,some_name_2)
| eval some_code = coalesce(some_code_1,some_code_2)
| bucket _time span=1h

| stats  (((I have no idea what you are trying to do))) as total_equals, count as total by _time, some_name, some_code


Assumptions - you have a csv file called mynames.csv that has name and code in it, and you want to calculate what percentage of that hour's events are for each match, and let's call everything else "Other" and give it a record.

 index=common sourcetype=web 
 | eval match=if(  (  ( [|inputcsv mynames.csv|table name code | rename name as some_name_1, code as some_code_1] )  
                   OR ( [|inputcsv mynames.csv|table name code | rename name as some_name_2, code as some_code_2] ) ), 1, 0)

| rename COMMENT as "The above sets match=1 for all records where, for name and code in your csv file, ... "
| rename COMMENT as "((some_name_1=name AND some_code_1=code) OR  (some_name_2=name AND some_code_2=code) )"

| rename COMMENT as "figure out what the match was, and count up the total matches for each combination per unit of time."
| eval some_name = if(match=0,"Other",coalesce(some_name_1,some_name_2))
| eval some_code = if(match=0,"Other",coalesce(some_code_1,some_code_2))
| bucket _time span=1h

| stats  count as totalEquals by _time, some_name, some_code


| rename COMMENT as  "Calculate the total number of events for that unit of time, and the percentage for each combination"
| eventstats count as total by _time
| eval pct=round((totalEquals/total)*100,2)  
| table _time some_name some_code pct total

| rename COMMENT as  "write it out"
| collect index=summary_index source="SOME_STATS" 

Both of those versions assume that some_name_1 and some_name_2 are mutually exclusive... that they never appear on the same event. If those fields might appear on the same event, then the match test is going to need to be replaced by two lookups

 index=common sourcetype=web 
 | lookup mynameslookup.csv name as some_name_1 code as some_code_1 OUTPUT name as foundname1 code as foundcode1
 | lookup mynameslookup.csv name as some_name_2 code as some_code_2 OUTPUT name as foundname2 code as foundcode2

| rename COMMENT as "figure out what the match was, and count up the total matches for each combination per unit of time."
| eval some_name = coalesce(foundname1,foundname2,"Other") 
| eval some_code = coalesce(foundcode1,foundcode2,"Other") 
| bucket _time span=1h

| stats  count as totalEquals by _time, some_name, some_code


...the remainder is the same.


0 Karma

jagadeeshm
Contributor

Splunkers?

0 Karma

somesoni2
SplunkTrust

Try the map command.

    <your search to get the Name and Code combinations>
    | map maxsearches=10 search="Your current search. Escape double quotes. Replace AAA with $Name$ and M with $Code$."
0 Karma
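A fully written-out version of the map approach, added here as an example; it is not part of somesoni2's answer or of the original question. It assumes the Name/Code pairs are exposed through a lookup definition called namecodes_lookup (an assumed name, pointing at either the KV Store collection or a CSV), it replaces the garbled stats clause from the question with a plain sum of the match flag, and it writes to the summary index once, after map has combined the per-pair results, instead of running collect inside every mapped search:

```spl
| inputlookup namecodes_lookup
| table Name Code
| map maxsearches=10 search="search index=common sourcetype=web
    | eval match=if((some_name_1=\"$Name$\" AND some_code_1=\"$Code$\") OR (some_name_2=\"$Name$\" AND some_code_2=\"$Code$\"), 1, 0)
    | eval some_name=\"$Name$\", some_code=\"$Code$\"
    | bucket _time span=1h
    | stats sum(match) as totalEquals, count as total by _time, some_name, some_code
    | eval pct=round((totalEquals/total)*100,2)"
| collect index=summary_index source="SOME_STATS"
```

Three details matter for map to accept the inner search: the string must begin with the `search` command when it opens with a keyword search, every double quote inside it must be escaped as `\"`, and string literals such as AAA must be quoted, since an unquoted `some_name_1=AAA` inside eval compares two fields rather than a field and a value. maxsearches has to be at least the number of rows produced by inputlookup, otherwise map stops after that many pairs; with roughly ten combinations the value above fits, but raise it if the lookup grows.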

jagadeeshm
Contributor

I already tried using the |map command, and it always says - "Unable to run the query [my search with replaced tokens]". I even tried escaping and simplifying the search inside map to minimal one just to get the counts ...

0 Karma