Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to combine multiple complicated searches?

s0rbeto
Explorer
‎12-03-2015 03:00 PM

Hi everyone,

I have these 3 searches, and they are all complicated as it looks. Any idea on how to combine them? It's not something regular eval can do though, My thought is to put them into tables maybe?

index=websphere CPUStarvation
| rex "delay is\s+(?P<Value>\d+)\s+seconds" 
| eval Value=Value . " Seconds"
| eval AlertName = "APM WAS: CPU Starvation detected"
| eval Severity="Critical" 
| eval Details = "APM WAS: Error HMGR0152W. Value Field represent thread scheduling delay"
| table AlertName,Details,Severity,Value,host
| collect index=alerts sourcetype=Alerts:APM

index=websphere OutOfMemoryError 
| rex mode=sed field=_raw "s/\n.*//g" 
| rex mode=sed field=_raw "s/^\[.*PDT\]\s+.{8}\s+//g" 
| eval ts=round(_time,0) 
| stats count as Value list(_raw) as msg by ts,host 
| convert ctime(ts) as dt
| eval AlertName = "APM WAS: OutOfMemoryError"
| eval Severity="Critical" 
| eval Details = "OutOfMemoryError"
| table AlertName,Details,Severity,Value,host
| collect index=alerts sourcetype=Alerts:APM

index=websphere HangingThreat
| rex "active for\s+(?P<Value>\d+)\s+milliseconds.*are\s+(?P<threads>\d+)\s+thread" 
| eval Value=round(Value/1000,2)
| eval Value=Value . " Sec"
| eval AlertName = "APM WAS: WAS Hanging Threads"
| eval Severity="Critical" 
| eval Details = "APM WAS: Error WSVR0605W (".threads." Threads hang). Field 'Value' represent thread activity time"
| table AlertName,Details,Severity,Value,host
| collect index=alerts sourcetype=Alerts:APM

thank you

Tags (2)
0 Karma
Reply

NOUMSSI
Builder
‎12-03-2015 04:14 PM

Hi,
try this

| multisearch [search index=websphere CPUStarvation
 | rex "delay is\s+(?P<Value>\d+)\s+seconds" 
 | eval Value=Value . " Seconds"
 | eval AlertName = "APM WAS: CPU Starvation detected"
 | eval Severity="Critical" 
 | eval Details = "APM WAS: Error HMGR0152W. Value Field represent thread scheduling delay"
 | table AlertName,Details,Severity,Value,host
 | collect index=alerts sourcetype=Alerts:APM

]

[search index=websphere OutOfMemoryError 
 | rex mode=sed field=_raw "s/\n.*//g" 
 | rex mode=sed field=_raw "s/^\[.*PDT\]\s+.{8}\s+//g" 
 | eval ts=round(_time,0) 
 | stats count as Value list(_raw) as msg by ts,host 
 | convert ctime(ts) as dt
 | eval AlertName = "APM WAS: OutOfMemoryError"
 | eval Severity="Critical" 
 | eval Details = "OutOfMemoryError"
 | table AlertName,Details,Severity,Value,host
 | collect index=alerts sourcetype=Alerts:APM

]

[search index=websphere HangingThreat
 | rex "active for\s+(?P<Value>\d+)\s+milliseconds.*are\s+(?P<threads>\d+)\s+thread" 
 | eval Value=round(Value/1000,2)
 | eval Value=Value . " Sec"
 | eval AlertName = "APM WAS: WAS Hanging Threads"
 | eval Severity="Critical" 
 | eval Details = "APM WAS: Error WSVR0605W (".threads." Threads hang). Field 'Value' represent thread activity time"
 | table AlertName,Details,Severity,Value,host
 | collect index=alerts sourcetype=Alerts:APM

]

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...