How to create Search output replicating fields for other fields?

Cranie
Explorer

Hi,

I am trying to run a search and have tokens setting various search items. What I need is to create a search from an input file and have one field referenced many times for different fields.

My search is:

| inputlookup errorLogs
| where RunStartTimeStamp == "2023-01-26-15.47.24.000000"
| where HostName == "myhost.com"
| where JobName == "runJob1"
| where InvocationId == "daily"
| fields RunID, ControllingRunID
| uniq
| format "(" "(" "OR" ")" "||" ")"

This gives:

( ( ControllingRunID="12345" OR RunID="67890" ) )

What I would like is:

( ( ControllingRunID="12345" OR RunID="67890"
    OR RunID="12345" OR ControllingRunID="67890" ) )
There could be many pairs of run/controlling IDs, and I want to search on any combination if possible.

gcusello
SplunkTrust

Hi @Cranie,

If your events have one of the two fields, RunID or ControllingRunID, you can use the solution from @yuanliu, even if you could simplify your token search:
| inputlookup errorLogs WHERE (RunStartTimeStamp == "2023-01-26-15.47.24.000000" AND HostName == "myhost.com" AND JobName == "runJob1" AND InvocationId == "daily") 
| eval RunID = coalesce(RunID, ControllingRunID)
| stats values(RunID) as RunID
If instead you could have both fields in the same event, you should use a more structured search:

in the token:

| inputlookup errorLogs WHERE (RunStartTimeStamp == "2023-01-26-15.47.24.000000" AND HostName == "myhost.com" AND JobName == "runJob1" AND InvocationId == "daily")
| rename RunID AS token
| fields token
| append [ 
   | inputlookup errorLogs WHERE (RunStartTimeStamp == "2023-01-26-15.47.24.000000" AND HostName == "myhost.com" AND JobName == "runJob1" AND InvocationId == "daily")
   | rename ControllingRunID AS token
   | fields token ]
| dedup token
| fields token

and in the search:

<your_search> (ControllingRunID="$token$" OR RunID="$token$")

Ciao.

Giuseppe

Cranie
Explorer

I could not get the solution that @yuanliu gave (in the way I needed). 

I have managed to get this to work. Many, many thanks.

gcusello
SplunkTrust

Hi @Cranie ,

Good for you, see you next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Cranie
Explorer

Noted - done, thanks for the heads up. 👍

yuanliu
SplunkTrust

Instead of muscling SPL into giving you lots of "OR" expressions (which also slows down performance), it is much more profitable to change the search that will use this token so that it matches distinct values.

First, change $my_token$ definition from a logical expression to simple enumeration.
| inputlookup errorLogs
| where RunStartTimeStamp == "2023-01-26-15.47.24.000000"
| where HostName == "myhost.com"
| where JobName == "runJob1"
| where InvocationId == "daily"
| eval RunID = coalesce(RunID, ControllingRunID)
| stats values(RunID) as RunID
This gives RunID = ("12345", "67890"). Use this value as $my_token$.

Then, in your search, do the same.
<search setups> (RunID IN ($my_token$) OR ControllingRunID IN ($my_token$))
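An added SPL example, written for this page and not taken from any of the posts above. It produces the OR expression Cranie asked for in the original question for any number of RunID/ControllingRunID pairs, and it does the id collection from gcusello's accepted answer in a single pass over the lookup instead of a main search plus an `append` subsearch. The lookup name, filter values and the two id field names are the ones from the thread; the `id` working field is my own choice.

```spl
| inputlookup errorLogs WHERE (RunStartTimeStamp="2023-01-26-15.47.24.000000" AND HostName="myhost.com" AND JobName="runJob1" AND InvocationId="daily")
| eval id=mvappend(RunID, ControllingRunID)
| fields id
| mvexpand id
| dedup id
| eval RunID=id, ControllingRunID=id
| fields RunID, ControllingRunID
| format "(" "(" "OR" ")" "OR" ")"
```

`mvappend` collects whichever of the two fields each lookup row has (a null field contributes nothing), `mvexpand` turns that pair into one row per id, and `dedup` drops repeated ids and rows that had neither field. Setting both RunID and ControllingRunID to each id and then calling `format` with `OR` as both the column separator and the row separator yields one `( RunID="x" OR ControllingRunID="x" )` group per distinct id, joined by OR, which is exactly the "any combination" match the question asks for. To drive gcusello's `$token$` instead, stop after `dedup id` and add `| rename id AS token`. Two caveats worth checking in practice: `format` stops at its `maxresults` limit (configured in limits.conf), so verify the row count when the lookup can return many ids, and letting `format` do the quoting is safer than hand-assembling `field="value"` strings from lookup data, since an id containing a double quote would otherwise break out of the generated search clause.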