Splunk Search

How to do multiple searches at once?

Path Finder

Hi guys,

I need to have multiple searches running that pull up a word from the same field and replace it with another (doing this: | eval word = if (word="racist","race",word) | stats count by word ). My problem is I want to do this multiple times with different words but when I tried append, appendcols, join, or saving the searches, they never work out quite right. The closest I have gotten is this in my search bar:
sourcetype="socialist action" "government" OR "govern" | eval word = if (word="govern","government",word) | stats count by word | appendcols[search sourcetype="socialist action" "government" OR "govern" OR "race" OR "racist" | eval word = if (word="racist","race",word) | stats count by word]

But it still leaves another government:
word count
government 1094
government 16
race 405

Do any of you have a suggestion on how to fix this? Please let me know!

Re: How to do multiple searches at once?

Esteemed Legend

You should do this with a lookup table that looks like this:

synonym,word
race,racist
racist,racist
govern,government
government,government

Then you call it anywhere at any time like this:

... | lookup mylookuptablename synonym AS word OUTPUT word AS word | ...

Re: How to do multiple searches at once?

Path Finder

Wait, where do I put the lookup table? Do I create a transforms.conf file and upload it to Splunk?

Re: How to do multiple searches at once?

Esteemed Legend

Do you like working from the GUI or CLI? It is pretty easy, just create the file on your desktop and upload it from Settings -> Lookups -> Lookup table files -> New. Then create a reference to it from Settings -> Lookups -> Lookup definitions -> New. Probably you should expand the permissions on both. Then you can use it just like my answer shows.

Re: How to do multiple searches at once?

Builder

Try this:

sourcetype="socialist action" "government" OR "govern" OR "race" OR "racist" | eval word = case(word=="racist","race", word =="govern", "government") | stats count by word

EDIT: assuming you have a field named "word" already extracted/populated

Re: How to do multiple searches at once?

Path Finder

Hmm, it's weird: it worked, but it forgot a few of the events...
So it gave me 1078 for government instead of 1094 and 314 for race instead of 405.

Re: How to do multiple searches at once?

Builder

How did you validate those numbers?

Re: How to do multiple searches at once?

Path Finder

Well, I know that the count of the word govern plus the count of the word government equals 1094 (1078 + 16 = 1094) and the count of the word racist plus the count of the word race equals 405 (314 + 91 = 405)... I guess it just is not adding the actual word's count to the renamed word.

Re: How to do multiple searches at once?

Path Finder

The count of govern is 1078 and government is 16, so it should be 1094 together, and the count of racist is 314 and race is 91, so it should be 405 together... I guess it did not include the amount of the original word in the count.

Re: How to do multiple searches at once?

Builder

Ahh, just add those cases to the case statement, like so:

sourcetype="socialist action" "government" OR "govern" OR "race" OR "racist" | eval word = case(word=="racist","race", word =="govern", "government", word =="government", "government", word=="race", "race") | stats count by word
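An added example, not from any post in this thread, that generalizes the fix above. The 16 "government" and 91 "race" events went missing because case() returns null when no branch matches, and a null word is simply dropped by stats count by word. Instead of listing every canonical word as its own branch, a true() catch-all keeps the original value for anything without a mapping, and addcoltotals appends a total row so you can compare it against the raw event count of the base search. It assumes, as in the thread, that a field named word is already extracted on sourcetype "socialist action"; the label "total" is a hypothetical name chosen here.

```spl
sourcetype="socialist action" "government" OR "govern" OR "race" OR "racist"
| eval word = case(word=="racist", "race",
                   word=="govern", "government",
                   true(),         word)
| stats count by word
| addcoltotals count labelfield=word label=total
```

The total row should equal the event count of the first line on its own (1094 + 405 = 1499 with the figures reported above); if it comes out lower, some value of word is still falling through to null. The same guard applies to the lookup approach from the earlier answer: read the canonical value into a separate field (OUTPUT canonical rather than overwriting word, and OUTPUT rather than OUTPUTNEW, which never overwrites a field that already exists) and then eval word = coalesce(canonical, word), so an unmapped word keeps its original value instead of vanishing from the counts.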