How to create Search output replicating fields for other fields?

Cranie
Explorer

Hi,

I am trying to run a search that has tokens setting various search items. What I need is to create a search from an input file and have one field referenced many times for different fields.

My search is:

| inputlookup errorLogs
  | where RunStartTimeStamp == "2023-01-26-15.47.24.000000"
  | where HostName == "myhost.com"
  | where JobName == "runJob1"
  | where InvocationId == "daily"
  | fields RunID, ControllingRunID 
  | uniq
  | format "(" "(" "OR" ")" "||" ")"

This gives:

( ( ControllingRunID="12345" OR RunID="67890" ) )

What I would like is:

( ( ControllingRunID="12345" OR RunID="67890" 
            OR RunID="12345" OR ControllingRunID="67890") )

There could be many ID pairs of run/controlling IDs, and I want to search on any combination if possible.


gcusello
SplunkTrust
SplunkTrust

Hi @Cranie,

if in your events you have one of the two fields RunID, ControllingRunID, you can use the solution from @yuanliu, even if you could simplify your token search:

| inputlookup errorLogs WHERE (RunStartTimeStamp == "2023-01-26-15.47.24.000000" AND HostName == "myhost.com" AND JobName == "runJob1" AND InvocationId == "daily") 
| eval RunID = coalesce(RunID, ControllingRunID)
| stats values(RunID) as RunID

If instead you could have both of the two fields in the same event, you should use a more structured search:

in the token:

| inputlookup errorLogs WHERE (RunStartTimeStamp == "2023-01-26-15.47.24.000000" AND HostName == "myhost.com" AND JobName == "runJob1" AND InvocationId == "daily")
| rename RunID AS token
| fields token
| append [ 
   | inputlookup errorLogs WHERE (RunStartTimeStamp == "2023-01-26-15.47.24.000000" AND HostName == "myhost.com" AND JobName == "runJob1" AND InvocationId == "daily")
   | rename ControllingRunID AS token
   | fields token ]
| dedup token
| fields token

and in the search:

<your_search> (ControllingRunID="$token$" OR RunID="$token$")

Ciao.

Giuseppe


Cranie
Explorer

I could not get the solution that @yuanliu gave (in the way I needed). 

I have managed to get this to work, many many thanks.


gcusello
SplunkTrust
SplunkTrust

Hi @Cranie ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉


Cranie
Explorer

Noted - done, thanks for the heads up. 👍


yuanliu
SplunkTrust
SplunkTrust

Instead of muscling SPL to give you lots of "OR" expressions (which also slows down performance), it is much more profitable to change your search that will use this token to match distinct values.

First, change $my_token$ definition from a logical expression to simple enumeration.

| inputlookup errorLogs
  | where RunStartTimeStamp == "2023-01-26-15.47.24.000000"
  | where HostName == "myhost.com"
  | where JobName == "runJob1"
  | where InvocationId == "daily"
| eval RunID = coalesce(RunID, ControllingRunID)
| stats values(RunID) as RunID

This gives RunID = ("12345", "67890").  Use this value as $my_token$.

Then, in your search, do the same.

<search setups> (RunID IN ($my_token$) OR ControllingRunID IN ($my_token$))

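To show how the enumeration approach in @yuanliu's answer fits into a dashboard, and how to cover the case @gcusello raises where one lookup row carries both RunID and ControllingRunID, here is an added example; it is not code from the original thread or from either poster. It is a Simple XML dashboard whose global search builds the token with mvappend, so a row with both fields contributes both values, and a panel search that consumes it with IN. The dashboard label, the search id run_ids, the eval field my_token and the sourcetype app:errors are assumed names for illustration; the lookup name, filter fields and filter values are the ones from the thread.

```xml
<dashboard>
  <label>Error log runs (added example, not from the thread)</label>

  <!-- Global search: returns one row with one field (my_token) holding a
       quoted, comma-separated list of every RunID / ControllingRunID value.
       mvappend() takes both fields from a row when both are present and
       skips a missing one; stats values() collapses everything into one
       distinct multivalue list across all rows, so no id is listed twice. -->
  <search id="run_ids">
    <query>
| inputlookup errorLogs WHERE RunStartTimeStamp="2023-01-26-15.47.24.000000" AND HostName="myhost.com" AND JobName="runJob1" AND InvocationId="daily"
| eval id = mvappend(RunID, ControllingRunID)
| stats values(id) AS id
| eval my_token = "\"" . mvjoin(id, "\",\"") . "\""
| fields my_token
    </query>
    <!-- Runs when the search finishes: copies the single result field into
         the dashboard token, e.g. "12345","67890". If the lookup filter
         matches nothing, the token stays unset and the panel below waits
         for input instead of running an unconstrained search. -->
    <done>
      <set token="my_token">$result.my_token$</set>
    </done>
  </search>

  <row>
    <panel>
      <title>Events for any run in the selected batch</title>
      <table>
        <search>
          <!-- sourcetype is an assumed name. IN () expands to an OR over the
               quoted values, so every RunID / ControllingRunID combination
               is matched without building the OR expression by hand. -->
          <query>sourcetype="app:errors" (RunID IN ($my_token$) OR ControllingRunID IN ($my_token$))</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

The eval does the quoting, so the panel query writes `IN ($my_token$)` with no extra quotes around the token. Because a token is spliced into the search text verbatim, keep it derived from the lookup as here rather than from a free-text input: an id value containing a double quote would break the IN list, and a user-controlled token would let someone append arbitrary search syntax.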