Re: How to append a subsearch where count < 50?

subtrakt · ‎12-02-2014

Hello -
Any suggestions on how to append a subsearch where count < 50?

...|stats count | where count < 50 | append [search | rex max_match=1 "(?i)(?<testIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | lookup dnslookup clientip AS testIP]

somesoni2 · ‎12-02-2014

Try this workaround

your base search  | appendpipe [| stats count | eval temp=1|append [ your subsearch ] 
| eventstats values(count) as count | where count<50 AND temp!=1]

subtrakt · ‎12-02-2014

I have tried this but it doesn't seem to resolve the IPs or show the testIP field when the count is < 50. I have tested the base search and it does work. I will play around with it some more tomorrow.

index=hostcheck "host timed out" | appendpipe [| stats count | eval temp=1 | append [search index=hostcheck "host timed out"| rex max_match=1 "(?i)(?\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})"| lookup dnslookup clientip AS testIP]| eventstats values(count) as count | where count<50 AND temp!=1]

subtrakt · ‎12-02-2014

index=hostcheck "host timed out" | appendpipe [| stats count | eval temp=1 | append [search index=hostcheck "host timed out"| rex max_match=1 "(?i)(?<testIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"| lookup dnslookup clientip AS testIP]| eventstats values(count) as count | where count<50 AND temp!=1]

somesoni2 · ‎12-02-2014

Could you provide more information? You have a base search and want to append result of a subsearch only when base search have more than 50 events?

subtrakt · ‎12-02-2014

So if it is < 50 events, the rex + lookup should run. if > 50 the rex+lookup shouldn't run...

subtrakt · ‎12-02-2014

Yup, you got it.

vasanthmss · ‎12-02-2014

Try this,

search.... | eventstats count | where count < 50 | do the rex...

V

How to append a subsearch where count < 50?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!