Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to append a subsearch where count < 50?

subtrakt
Contributor
‎12-02-2014 12:45 PM

Hello -
Any suggestions on how to append a subsearch where count < 50? 

...|stats count | where count < 50 | append [search | rex max_match=1 "(?i)(?<testIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | lookup dnslookup clientip AS testIP]
0 Karma
Reply

somesoni2
Revered Legend
‎12-02-2014 05:37 PM

Try this workaround

your base search  | appendpipe [| stats count | eval temp=1|append [ your subsearch ] 
| eventstats values(count) as count | where count<50 AND temp!=1]
0 Karma
Reply

subtrakt
Contributor
‎12-02-2014 08:57 PM

I have tried this but it doesn't seem to resolve the IPs or show the testIP field when the count is < 50. I have tested the base search and it does work. I will play around with it some more tomorrow.

index=hostcheck "host timed out" | appendpipe [| stats count | eval temp=1 | append [search index=hostcheck "host timed out"| rex max_match=1 "(?i)(?\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})"| lookup dnslookup clientip AS testIP]| eventstats values(count) as count | where count<50 AND temp!=1]

0 Karma
Reply

subtrakt
Contributor
‎12-02-2014 08:59 PM 
index=hostcheck "host timed out" | appendpipe [| stats count | eval temp=1 | append [search index=hostcheck "host timed out"| rex max_match=1 "(?i)(?<testIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"| lookup dnslookup clientip AS testIP]| eventstats values(count) as count | where count<50 AND temp!=1]
0 Karma
Reply

somesoni2
Revered Legend
‎12-02-2014 01:20 PM

Could you provide more information? You have a base search and want to append result of a subsearch only when base search have more than 50 events?

0 Karma
Reply

subtrakt
Contributor
‎12-02-2014 02:26 PM

So if it is < 50 events, the rex + lookup should run. if > 50 the rex+lookup shouldn't run...

0 Karma
Reply

subtrakt
Contributor
‎12-02-2014 02:06 PM

Yup, you got it.

0 Karma
Reply

vasanthmss
Motivator
‎12-02-2014 01:01 PM

Try this,

search.... | eventstats count | where count < 50 | do the rex...
V
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...