Splunk Search

How to combine my two searches and run another search when clicking on a field from the results?

garinapavan
Explorer

Hi,

Request any help for the below questions:

1) I have two different searches:

sourcetype=bcd "JMS-120: Dequeue failed" OR "JMS-131: Session is closed" OR "Dequeue failed" source="servers/A_MS*/logs/SS*-diagc.log" destination="*" |stats count | RENAME count as DEQUEUE_ERROS 

Results:
DEQUEUE_ERROS
100

sourcetype=bcd operation=* host=abcd*p |stats count |RENAME count as Consumers

Results:
Consumers
200

I want to combine both searches and get results like below:

DEQUEUE_ERROS 100
Consumers 200

Can you please help with the search?

Another question: I'm preparing a dashboard based on the above results, and if I click on Consumers it has to execute the other search below. Is that possible? If so, can you provide some guidance?

sourcetype=bcd operation=* ConsumerServices="*" host=abcd*p |stats count by ConsumerServices | sort -count

Any help is appreciated!

0 Karma

sundareshr
Legend

One option, if your data volume is not too large, would be to use appendcols. Try this.

sourcetype=bcd "JMS-120: Dequeue failed" OR "JMS-131: Session is closed" OR "Dequeue failed" source="servers/A_MS*/logs/SS*-diagc.log" destination="*" |stats count | RENAME count as DEQUEUE_ERROS | appendcols [search sourcetype=bcd operation=* host=abcd*p |stats count |RENAME count as Consumers]

This will give you two columns - DEQUEUE_ERROS & Consumers.

In your dashboard (assuming tabular display), you could use conditional drilldown.
http://docs.splunk.com/Documentation/Splunk/6.2.1/Viz/PanelreferenceforSimplifiedXML#condition_.28dr...

So in your case, it would look like this:

        <drilldown>
          <condition field="Consumers">
            <link>http://www.google.com</link>
          </condition>
        </drilldown>


0 Karma
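To wire the conditional drilldown to the second search instead of an external link, one approach is to have the click on the Consumers column set a token and let a second panel depend on that token. This is an added Simple XML example, not sundareshr's snippet or anything from the thread; the token name show_consumers, the dashboard label and the time range are assumptions.

```xml
<dashboard>
  <label>JMS dequeue errors and consumers (example dashboard)</label>
  <row>
    <panel>
      <title>Dequeue errors vs consumers</title>
      <table>
        <search>
          <!-- combined search from the accepted answer -->
          <query>sourcetype=bcd "JMS-120: Dequeue failed" OR "JMS-131: Session is closed" OR "Dequeue failed" source="servers/A_MS*/logs/SS*-diagc.log" destination="*" | stats count | rename count as DEQUEUE_ERROS | appendcols [search sourcetype=bcd operation=* host=abcd*p | stats count | rename count as Consumers]</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <drilldown>
          <!-- clicking a cell in the Consumers column sets the token (assumed name) -->
          <condition field="Consumers">
            <set token="show_consumers">true</set>
          </condition>
          <!-- any other column clears it, hiding the detail panel again -->
          <condition>
            <unset token="show_consumers"></unset>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
  <!-- this row only renders once show_consumers is set -->
  <row depends="$show_consumers$">
    <panel>
      <title>Consumer services by count</title>
      <table>
        <search>
          <query>sourcetype=bcd operation=* ConsumerServices="*" host=abcd*p | stats count by ConsumerServices | sort -count</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

Because the combined search returns a single row, a table is the natural visualization here; a line chart will plot one field against the other, which is what the follow-up comment describes.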

garinapavan
Explorer

Thank you! It is showing the correct statistics, but when it comes to visualization it is showing a wrong line graph to me: it is showing the x-axis as Consumers and the y-axis as Dequeue errors?

0 Karma