Splunk Search

How to define multiple search or subsearch to merge all relevant information about alerts?

gszabo
Explorer

Hello,

Help me please. I'd like to define multiple search or subsearch to merge all relevant information about alerts.

Interesting fields in search are  the hosts - as managed_host field and an uniqe alert number.

I do not need alert about all the hosts, so i sort the relevant ones: 

index=main ( managed_host="host_A" OR managed_host="host_B" OR managed_host="host_C" ) | dedup alert_num |  eval alert=alert_num

Thats simple, will show the relevant alert numbers. After that i need to simple search the selected alerts to get ALL the logs ( some of them doesn't contain managed_host filed, so will not appear at first search.)

Index=main alert_num=$alert$

How could be merged this two search in one to generate an alert that will contain all relevant information?

Thanks,

Gabor

 

 

Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Try this

index=main [search index=main ( managed_host="host_A" OR managed_host="host_B" OR managed_host="host_C" ) | dedup alert_num | fields alert_num | rename alert_num as query | format]

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust

Try something like this

index=main [search index=main ( managed_host="host_A" OR managed_host="host_B" OR managed_host="host_C" ) | dedup alert_num | fields alert_num | format]
0 Karma

gszabo
Explorer

Thanks for the reply.

Almost good. the subseach returns the relevant alert numbers, thats okay. 

alert_num search

1 

( ( alert_num="484316" ) OR ( alert_num="484263" ) OR ( alert_num="484243" ) )

 

But the whole query do not shows all the relevant logs with the selected alert numbers, just ones what contains the managed_host field.

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

The subsearch is just returning alert numbers not managed_host values so the outer search should be searching the whole index for events with these alert_num values.

Has the alert_num field been extracted on the non-managed_hosts?

Can you pick a returned alert number and try just searching you main index with that value to see what you get?

0 Karma

gszabo
Explorer

Yes, thats the problem... some lines has the number extracted as alert_num, some has not. thats why could not find all of them in whole search.

the alert_num string is the same, so if it is possible have to two different extract regex for that field, or take that number as a simple string to use it in the outer search.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Try this

index=main [search index=main ( managed_host="host_A" OR managed_host="host_B" OR managed_host="host_C" ) | dedup alert_num | fields alert_num | rename alert_num as query | format]

gszabo
Explorer

Yes, thats works now. Arbor logs without any structure... i love it.

Thank you very much!

 

0 Karma
Get Updates on the Splunk Community!

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...