How to combine my two searches and run another search when clicking on a field from the results?

garinapavan
Explorer

Hi,

Request any help for the below questions:

1) I have two different searches:

sourcetype=bcd "JMS-120: Dequeue failed" OR "JMS-131: Session is closed" OR "Dequeue failed" source="servers/A_MS*/logs/SS*-diagc.log" destination="*" |stats count | RENAME count as DEQUEUE_ERROS 

Results:
DEQUEUE_ERROS
100

sourcetype=bcd operation=* host=abcd*p |stats count |RENAME count as Consumers

Results:
Consumers
200

I want to combine both searches and get results like below:

DEQUEUE_ERROS 100
Consumers 200
Can you please help with the search?

Another question: I'm preparing a dashboard based on the above results and if I click on consumers, it has to execute another search below. Is that possible? If so, can you provide some guidance.

sourcetype=bcd operation=* ConsumerServices="*" host=abcd*p |stats count by ConsumerServices | sort -count

Any help is appreciated!


sundareshr
Legend

One option, if your data volume is not too large, would be to use appendcols. Try this.

sourcetype=bcd "JMS-120: Dequeue failed" OR "JMS-131: Session is closed" OR "Dequeue failed" source="servers/A_MS*/logs/SS*-diagc.log" destination="*" |stats count | RENAME count as DEQUEUE_ERROS | appendcols [search sourcetype=bcd operation=* host=abcd*p |stats count |RENAME count as Consumers]

This will give you two columns - DEQUEUE_ERROS & Consumers.

In your dashboard (assuming tabular display), you could use conditional drilldown.
http://docs.splunk.com/Documentation/Splunk/6.2.1/Viz/PanelreferenceforSimplifiedXML#condition_.28dr...

So in your case, it would look like this

        <drilldown>
          <condition field="Consumers">
            <link>http://www.google.com</link>
          </condition>
        </drilldown>


garinapavan
Explorer

Thank you! It is showing the correct statistics, but when it comes to visualization, it is showing the wrong line graph to me: it is showing the x-axis as Consumers and the Y-axis as Dequeue errors?
