Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to define multiple search or subsearch to merge all relevant information about alerts?

gszabo
Explorer
‎05-18-2022 12:01 AM

Hello,

Help me please. I'd like to define multiple search or subsearch to merge all relevant information about alerts.

Interesting fields in search are  the hosts - as managed_host field and an uniqe alert number.

I do not need alert about all the hosts, so i sort the relevant ones: 

index=main ( managed_host="host_A" OR managed_host="host_B" OR managed_host="host_C" ) | dedup alert_num |  eval alert=alert_num

Thats simple, will show the relevant alert numbers. After that i need to simple search the selected alerts to get ALL the logs ( some of them doesn't contain managed_host filed, so will not appear at first search.)

Index=main alert_num=$alert$

How could be merged this two search in one to generate an alert that will contain all relevant information?

Thanks,

Gabor

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-18-2022 01:56 AM

Try this

index=main [search index=main ( managed_host="host_A" OR managed_host="host_B" OR managed_host="host_C" ) | dedup alert_num | fields alert_num | rename alert_num as query | format]

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-18-2022 12:26 AM

Try something like this

index=main [search index=main ( managed_host="host_A" OR managed_host="host_B" OR managed_host="host_C" ) | dedup alert_num | fields alert_num | format]
0 Karma
Reply
Solved! Jump to solution

gszabo
Explorer
‎05-18-2022 01:01 AM

Thanks for the reply.

Almost good. the subseach returns the relevant alert numbers, thats okay. 

alert_num search

1 

( ( alert_num="484316" ) OR ( alert_num="484263" ) OR ( alert_num="484243" ) )

 

But the whole query do not shows all the relevant logs with the selected alert numbers, just ones what contains the managed_host field.

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-18-2022 01:18 AM

The subsearch is just returning alert numbers not managed_host values so the outer search should be searching the whole index for events with these alert_num values.

Has the alert_num field been extracted on the non-managed_hosts?

Can you pick a returned alert number and try just searching you main index with that value to see what you get?

0 Karma
Reply
Solved! Jump to solution

gszabo
Explorer
‎05-18-2022 01:44 AM

Yes, thats the problem... some lines has the number extracted as alert_num, some has not. thats why could not find all of them in whole search.

the alert_num string is the same, so if it is possible have to two different extract regex for that field, or take that number as a simple string to use it in the outer search.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-18-2022 01:56 AM

Try this

index=main [search index=main ( managed_host="host_A" OR managed_host="host_B" OR managed_host="host_C" ) | dedup alert_num | fields alert_num | rename alert_num as query | format]
Reply
Solved! Jump to solution

gszabo
Explorer
‎05-18-2022 02:02 AM

Yes, thats works now. Arbor logs without any structure... i love it.

Thank you very much!

 

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...