Solved: How to do multiple searches at once?

BITSIntern · ‎07-14-2015

Hi guys,

I need to have multiple searches running that pull up a word from the same field and replace it with another (doing this:** | eval word = if (word="racist","race",word) | stats count by word** ). My problem is I want to do this multiple times with different words but when I tried append, appendcols, join, or saving the searches, they never work out quite right. The closest I have gotten is this in my search bar:
sourcetype="socialist action" "government" OR "govern" | eval word = if (word="govern","government",word) | stats count by word | appendcols[search sourcetype="socialist action" "government" OR "govern" OR "race" OR "racist" | eval word = if (word="racist","race",word) | stats count by word]

But it still leaves another government:
word count
government 1094
government 16
race 405

Do any of you have a suggestion on how to fix this? Please let me know!

sk314 · ‎07-14-2015

Try this:

sourcetype="socialist action" "government" OR "govern" OR "race" OR "racist" | eval word = case(word=="racist","race", word =="govern", "government") | stats count by word

EDIT: assuming you have a field named "word" already extracted/populated

View solution in original post

sk314 · ‎07-14-2015

Try this:

sourcetype="socialist action" "government" OR "govern" OR "race" OR "racist" | eval word = case(word=="racist","race", word =="govern", "government") | stats count by word

EDIT: assuming you have a field named "word" already extracted/populated

BITSIntern · ‎07-14-2015

hmm its weird, it worked but it forgot a few of the events...
so it gave me 1078 for government instead of 1094 and 314 for race instead of 405

sk314 · ‎07-14-2015

how did you validate those numbers?

BITSIntern · ‎07-14-2015

the count of govern is 1078 and government is 16 so it should be 1094 together and the count of racist is 314 and race is 91 so it should be 405 together... I guess it did not include the amount of the originial word in the count

sk314 · ‎07-14-2015

ahh, just add those cases in the case statement like so

sourcetype="socialist action" "government" OR "govern" OR "race" OR "racist" | eval word = case(word=="racist","race", word =="govern", "government", word =="government", "government", word=="race", "race") | stats count by word

BITSIntern · ‎07-14-2015

THANK YOU!

BITSIntern · ‎07-14-2015

well I know that the count of the word govern plus the count of the word government equals 1094 (1078 + 16 = 1094) and the count of the word racist plus the count of the word race equals 405 (314 + 91 = 405)... I guess it just is not adding the actual word's count to the renamed word

woodcock · ‎07-14-2015

You should do this with a lookup table that looks like this:

synonym,word
race,racist
racist,racist
govern,government
government,government

Then you call it anywhere at any time like this:

... | lookup mylookuptablename synonym AS word OUTPUTNEW word AS word | ...

BITSIntern · ‎07-14-2015

wait where do I put the lookup table? Do I create a transforms.conf file and upload it to splunk?

woodcock · ‎07-16-2015

Do you like working from the GUI or CLI? It is pretty easy, just create the file on your desktop and upload it from Settings -> Lookups -> Lookup table files -> New. Then create a reference to it from Settings -> Lookups -> Lookup definitions -> New. Probably you should expand the permissions on both. Then you can use it just like my answer shows.

How to do multiple searches at once?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?