Splunk Search

How to combine my two searches and run another search when clicking on a field from the results?

garinapavan
Explorer

Hi,

I would appreciate any help with the questions below:

1) I have two different searches:

sourcetype=bcd "JMS-120: Dequeue failed" OR "JMS-131: Session is closed" OR "Dequeue failed" source="servers/A_MS*/logs/SS*-diagc.log" destination="*" |stats count | RENAME count as DEQUEUE_ERROS 

Results:
DEQUEUE_ERROS
100

sourcetype=bcd operation=* host=abcd*p |stats count |RENAME count as Consumers

Results:
Consumers
200

I want to combine both searches and get results like below:

DEQUEUE_ERROS 100
Consumers 200

Can you please help with the search?

Another question: I'm preparing a dashboard based on the above results, and if I click on Consumers, it has to execute the search below. Is that possible? If so, can you provide some guidance?

sourcetype=bcd operation=* ConsumerServices="*" host=abcd*p |stats count by ConsumerServices | sort -count

Any help is appreciated!

0 Karma
1 Solution

sundareshr
Legend

One option, if your data volume is not too large, would be to use appendcols. Try this.

sourcetype=bcd "JMS-120: Dequeue failed" OR "JMS-131: Session is closed" OR "Dequeue failed" source="servers/A_MS*/logs/SS*-diagc.log" destination="*" |stats count | RENAME count as DEQUEUE_ERROS | appendcols [search sourcetype=bcd operation=* host=abcd*p |stats count |RENAME count as Consumers]

This will give you two columns - DEQUEUE_ERROS & Consumers.

In your dashboard (assuming tabular display), you could use conditional drilldown.
http://docs.splunk.com/Documentation/Splunk/6.2.1/Viz/PanelreferenceforSimplifiedXML#condition_.28dr...

So in your case, it would look like this:

<drilldown>
  <condition field="Consumers">
    <link>http://www.google.com</link>
  </condition>
</drilldown>

0 Karma
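As an added example (not part of the original question or of sundareshr's answer), here is a complete Simple XML dashboard that wires the appendcols search into a table and makes the Consumers cell open the per-ConsumerServices search from the question. The searches are the ones posted above; the dashboard label, panel title and the -24h@h time range are assumptions, and the markup assumes the Splunk 6.x Simple XML described in the linked panel reference (a `<condition field="...">` drilldown and a `<link>` to `search?q=`).

```xml
<dashboard>
  <label>Dequeue errors vs. consumers (added example, assumed label)</label>
  <row>
    <panel>
      <title>Dequeue errors and consumers (assumed title)</title>
      <table>
        <search>
          <!-- stats count AS X is the same as stats count | rename count as X.
               The OR group is parenthesised so the reader does not have to
               rely on SPL's OR-before-AND precedence. -->
          <query>
            sourcetype=bcd ("JMS-120: Dequeue failed" OR "JMS-131: Session is closed" OR "Dequeue failed")
              source="servers/A_MS*/logs/SS*-diagc.log" destination="*"
            | stats count AS DEQUEUE_ERROS
            | appendcols
                [ search sourcetype=bcd operation=* host=abcd*p
                  | stats count AS Consumers ]
          </query>
          <!-- Assumed time range; replace with a time picker token if you add one. -->
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <drilldown>
          <!-- Only a click on the Consumers column fires; other cells do nothing
               because there is no condition without a field attribute. -->
          <condition field="Consumers">
            <!-- CDATA keeps the & and " in the URL out of the XML parser.
                 $earliest$/$latest$ carry the panel's time range into the new search. -->
            <link target="_blank"><![CDATA[
search?q=search sourcetype=bcd operation=* ConsumerServices="*" host=abcd*p | stats count by ConsumerServices | sort -count&earliest=$earliest$&latest=$latest$
            ]]></link>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>
```

Two things to keep in mind with this shape. First, appendcols runs the second search as a subsearch, so it is subject to the subsearch limits (the default 60-second time limit in particular); if the subsearch is cut off, the Consumers column comes back empty or wrong with no error in the table, which is the "data volume" caveat in the answer. Second, the result is one row with two columns, which is why a line chart over it plots Consumers against DEQUEUE_ERROS instead of listing both counts. If you want the two-row "name, value" layout asked for in the question (or a bar chart of the two numbers), append `| transpose` to the query; note that the column is then called `column`, so a drilldown on it would have to match the clicked value rather than `field="Consumers"`.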

garinapavan
Explorer

Thank you! It is showing the correct statistics, but when it comes to visualization it is showing a wrong line graph to me: it is showing the x-axis as Consumers and the y-axis as Dequeue errors?

0 Karma