Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to append a subsearch where count < 50?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to append a subsearch where count < 50?
subtrakt
Contributor
12-02-2014
12:45 PM
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
12-02-2014
05:37 PM
Try this workaround
your base search | appendpipe [| stats count | eval temp=1|append [ your subsearch ]
| eventstats values(count) as count | where count<50 AND temp!=1]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
subtrakt
Contributor
12-02-2014
08:57 PM
I have tried this but it doesn't seem to resolve the IPs or show the testIP field when the count is < 50. I have tested the base search and it does work. I will play around with it some more tomorrow.
index=hostcheck "host timed out" | appendpipe [| stats count | eval temp=1 | append [search index=hostcheck "host timed out"| rex max_match=1 "(?i)(?\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})"| lookup dnslookup clientip AS testIP]| eventstats values(count) as count | where count<50 AND temp!=1]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
subtrakt
Contributor
12-02-2014
08:59 PM
index=hostcheck "host timed out" | appendpipe [| stats count | eval temp=1 | append [search index=hostcheck "host timed out"| rex max_match=1 "(?i)(?<testIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"| lookup dnslookup clientip AS testIP]| eventstats values(count) as count | where count<50 AND temp!=1]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
12-02-2014
01:20 PM
Could you provide more information? You have a base search and want to append result of a subsearch only when base search have more than 50 events?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
subtrakt
Contributor
12-02-2014
02:26 PM
So if it is < 50 events, the rex + lookup should run. if > 50 the rex+lookup shouldn't run...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
subtrakt
Contributor
12-02-2014
02:06 PM
Yup, you got it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vasanthmss
Motivator
12-02-2014
01:01 PM
Try this,
search.... | eventstats count | where count < 50 | do the rex...
V
Get Updates on the Splunk Community!
Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know
To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...
October Community Champions: A Shoutout to Our Contributors!
As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...
Automatic Discovery Part 2: Setup and Best Practices
In Part 1 of this series, we covered what Automatic Discovery is and why it’s critical for observability at ...
