I'm using a dashboard to display the state of some services. For this purpose, I must take single values from many searches to obtain a final value, like value = value1 * value2 * value3 ... valueN
The searches are like:
Search1:
search index=index1 sourcetype=source1 earliest=-30m latest=now() | head 1
| rex field=_raw "State 1 (?<State_01>.),(?<State_02>.)...(?<State_NN>.)"
| eval value1=State_01*State_02* ... *StateNN
Search2:
search index=index2 sourcetype=source2 earliest=-30m latest=now() | head 1
| rex field=_raw "State 1 (?<State_01>.),(?<State_02>.)...(?<State_NN>.)"
| eval value2=State_01*State_02* ... *StateNN
SearchN:
search index=indexN sourcetype=sourceN earliest=-30m latest=now() | head 1
| rex field=_raw "State 1 (?<State_01>.),(?<State_02>.)...(?<State_NN>.)"
| eval valueN=State_01*State_02* ... *StateNN
and finally,
| eval value=value1*value2*...*valueN
Each search works fine separately, but not together. I was using join, like this:
search index=index1 sourcetype=source1 earliest=-30m latest=now() | head 1
| rex field=_raw "State 1 (?<State_01>.),(?<State_02>.)...(?<State_NN>.)"
| eval value1=State_01*State_02* ... *StateNN
| join value2
[ search index=index2 sourcetype=source2 earliest=-30m latest=now() | head 1
| rex field=_raw "State 1 (?<State_01>.),(?<State_02>.)...(?<State_NN>.)"
| eval value2=State_01*State_02* ... *StateNN ]
| eval value=value1*value2
And Splunk keeps telling me No results found. What am I doing wrong?
Regards,
Pedro
I found an answer on this link https://answers.splunk.com/answers/240798/how-to-return-a-single-value-from-a-subsearch-into.html
It works, like a charm...
Thank you very much to all.
Regards
Hi prsepulv,
Let me understand: why don't you use only one search with an OR clause? In this way you don't have the subsearch limit.
(index=index1 sourcetype=source1) OR (index=index2 sourcetype=source2) OR (index=indexn sourcetype=sourcen) earliest=-30m latest=now()
| rex field=_raw "State 1 (?<State_01>.),(?<State_02>.)...(?<State_NN>.)"
| eval value1=State_01*State_02* ... *StateNN
Then you can calculate the things you want and display the values you like, e.g. if you want some Single Value panels that display the first value (or max or sum) for each index, you can run
(index=index1 sourcetype=source1) OR (index=index2 sourcetype=source2) OR (index=indexn sourcetype=sourcen) earliest=-30m latest=now()
| rex field=_raw "State 1 (?<State_01>.),(?<State_02>.)...(?<State_NN>.)"
| eval value=State_01*State_02* ... *StateNN
| stats first(value) AS value BY index
so you can display it in a panel or in multiple Single Value panels using Trellis.
Bye.
Giuseppe
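As an added example (not from this thread), the single OR search above extended to sources whose raw lines have different layouts, and reduced to one final product value; the two rex patterns, the A_xx/B_xx field names and the two index/sourcetype pairs are constructed for illustration. Each rex only sets fields on the events it matches, so the per-source products are selected with case() on sourcetype; because stats has no product function, the final value is computed as exp(sum(ln(value))) with an explicit zero check, since ln(0) is null and would otherwise be silently dropped from the sum.

```spl
(index=index1 sourcetype=source1) OR (index=index2 sourcetype=source2) earliest=-30m latest=now
| rex field=_raw "State 1 (?<A_01>.),(?<A_02>.),(?<A_03>.)"
| rex field=_raw "Status (?<B_01>.);(?<B_02>.)"
| eval value=case(sourcetype=="source1", A_01*A_02*A_03,
                  sourcetype=="source2", B_01*B_02)
| stats first(value) AS value BY index
| stats count AS sources,
        sum(eval(if(value==0,1,0))) AS zero_values,
        sum(eval(ln(value))) AS log_sum
| eval value=if(zero_values>0, 0, round(exp(log_sum), 0))
| fields sources value
```

With the default time-descending result order, first(value) per index picks the most recent event, which is what `| head 1` did in each separate search; the `sources` count lets the panel show how many indexes actually reported in the window, so a missing source is visible rather than silently multiplied away.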
I tried to use it; however, I calculate values from fields extracted with regex, and apparently I can use only one rex field=_raw extraction per query. If I try to use a second regex extraction, the previously extracted and calculated data are gone. Also the records of each search have different lengths and don't have any relation between them.
Hi,
Joins are used to join 2 different searches with a common variable. In this scenario value* is something you are calculating for each search. So you should use appendcols instead of join.
I'm trying to use appendcols; the problem is that values calculated inside the subsearch aren't shared with the main search. In each subsearch I find the last register and parse it with regex. With the parsed data I calculate a single value. After that I would like to use that value in the main search, with other values, to calculate a main value.
The different subsearches are absolutely independent of each other and don't share any data. Also the length of the registers is different in each subsearch.
Regards