Splunk Search

How to define multiple searches or a subsearch to merge all relevant information about alerts?

gszabo
Explorer

Hello,

Please help me. I'd like to define multiple searches or a subsearch to merge all relevant information about alerts.

The interesting fields in the search are the hosts (the managed_host field) and a unique alert number.

I do not need alerts about all the hosts, so I filter for the relevant ones:

index=main ( managed_host="host_A" OR managed_host="host_B" OR managed_host="host_C" ) | dedup alert_num |  eval alert=alert_num

That's simple and will show the relevant alert numbers. After that I need a simple search for the selected alerts to get ALL the logs (some of them don't contain the managed_host field, so they will not appear in the first search).

index=main alert_num=$alert$

How could these two searches be merged into one to generate an alert that will contain all relevant information?

Thanks,

Gabor


ITWhisperer
SplunkTrust

Try something like this

index=main [search index=main ( managed_host="host_A" OR managed_host="host_B" OR managed_host="host_C" ) | dedup alert_num | fields alert_num | format]

gszabo
Explorer

Thanks for the reply.

Almost good. The subsearch returns the relevant alert numbers, that's okay.

alert_num search:

( ( alert_num="484316" ) OR ( alert_num="484263" ) OR ( alert_num="484243" ) )

But the whole query does not show all the relevant logs with the selected alert numbers, just the ones that contain the managed_host field.


ITWhisperer
SplunkTrust

The subsearch is just returning alert numbers, not managed_host values, so the outer search should be searching the whole index for events with these alert_num values.

Has the alert_num field been extracted on the non-managed_hosts?

Can you pick a returned alert number and try just searching your main index with that value to see what you get?


gszabo
Explorer

Yes, that's the problem... some lines have the number extracted as alert_num, some have not. That's why it could not find all of them in the whole search.

The alert_num string is the same, so if it is possible, have two different extraction regexes for that field, or take that number as a simple string to use in the outer search.


ITWhisperer
SplunkTrust

Try this

index=main [search index=main ( managed_host="host_A" OR managed_host="host_B" OR managed_host="host_C" ) | dedup alert_num | fields alert_num | rename alert_num as query | format]
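Why the `rename alert_num as query` version works where the first one did not: `format` turns a subsearch row into `field="value"` clauses OR'ed together, and `alert_num="484316"` can only match events in which alert_num was actually extracted. When the field is named `query` (or `search`), `format` emits the value as a bare search term, which Splunk matches against the indexed tokens of _raw regardless of field extraction. The following Python is an added illustration, not code from the thread or from Splunk: it simulates both expansions against a handful of constructed events (structured ones with alert_num extracted, and unstructured ones where the number only appears in the raw text). The token matcher is a deliberate simplification of Splunk's indexed-term search.

```python
"""Simulate `| format` on a subsearch, with and without `rename alert_num as query`.

Added example; events are constructed, and the matcher approximates Splunk's
indexed-term search (tokens split on non-alphanumerics, no field extraction).
"""
import re
from dataclasses import dataclass, field


@dataclass
class Event:
    raw: str                                   # what Splunk stores as _raw
    fields: dict = field(default_factory=dict)  # fields Splunk managed to extract


# Constructed sample events. The first three carry managed_host and an
# extracted alert_num; the last two are unstructured lines where the
# alert number occurs only in _raw and was never extracted as a field.
EVENTS = [
    Event("alert 484316 host_A dos detected", {"managed_host": "host_A", "alert_num": "484316"}),
    Event("alert 484263 host_B dos detected", {"managed_host": "host_B", "alert_num": "484263"}),
    Event("alert 990001 host_Z dos detected", {"managed_host": "host_Z", "alert_num": "990001"}),
    Event("alert 484316 mitigation started on tms-1"),
    Event("alert 484263 mitigation cleared"),
]

WANTED_HOSTS = {"host_A", "host_B", "host_C"}


def subsearch(events, hosts):
    """index=main (managed_host=... OR ...) | dedup alert_num | fields alert_num"""
    seen, out = set(), []
    for e in events:
        num = e.fields.get("alert_num")
        if e.fields.get("managed_host") in hosts and num and num not in seen:
            seen.add(num)
            out.append(num)
    return out


def spl_format(values, fieldname):
    """Mimic `| format`: one `( field="value" )` clause per row, rows OR'ed.

    A field named `query` or `search` is emitted as a raw term with no field name.
    """
    if fieldname in ("query", "search"):
        clauses = [f"( {v} )" for v in values]
    else:
        clauses = [f'( {fieldname}="{v}" )' for v in values]
    return "( " + " OR ".join(clauses) + " )"


def outer_search(events, expanded):
    """Apply the expanded subsearch string to the events.

    `field="value"` matches only an extracted field; a bare term matches any
    token of _raw, which is what lets it find the unstructured lines.
    """
    clauses = re.findall(r"\( ([^()]+?) \)", expanded)  # innermost clauses only
    hits = []
    for e in events:
        tokens = set(re.split(r"[^A-Za-z0-9_]+", e.raw))
        for c in clauses:
            m = re.fullmatch(r'(\w+)="([^"]*)"', c)
            if m:
                if e.fields.get(m.group(1)) == m.group(2):
                    hits.append(e)
                    break
            elif c in tokens:
                hits.append(e)
                break
    return hits


def compare(events=EVENTS, hosts=WANTED_HOSTS):
    """Return (hits with alert_num=..., hits with bare terms via `query`)."""
    nums = subsearch(events, hosts)
    by_field = outer_search(events, spl_format(nums, "alert_num"))
    by_term = outer_search(events, spl_format(nums, "query"))
    return len(by_field), len(by_term)


if __name__ == "__main__":
    nums = subsearch(EVENTS, WANTED_HOSTS)
    print(spl_format(nums, "alert_num"))
    print(spl_format(nums, "query"))
    print("hits by field / by raw term:", compare())
```

One caveat a practitioner should check before relying on this in an alert: a bare six-digit term can collide with any other number in the index (ports, byte counts, PIDs), so sanity-check the `query` variant against a single known alert number and, if the raw lines share a fixed keyword, consider keeping it in the outer search to tighten the match.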

gszabo
Explorer

Yes, that works now. Arbor logs without any structure... I love it.

Thank you very much!
