Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to dynamic assign variable to maxspan and span
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mpaw
Explorer
02-26-2019
12:41 AM
Hi,
I want to create a dynamic variable containing the span value on my index search. I have a lookup file that has corresponding value then it will lookup to the index search and update the span value. Unfortunately, I cannot get it to work. Any tips/ideas?
Instead of:
maxspan=7m; span=240m
It will be like this:
maxspan=duration1; span=duration1
Here is my script below:
| search Id="*"
| lookup error_rules.csv EventSubType as EventSubType OUTPUT alert_type span_time check_reoccurrence_window reoccurrence_threshold_count check_reoccurrence_window_limit
| eval recorrenceWindow=$span_time$
| eval duration=floor($recorrenceWindow$)
| eval duration1=duration+"m"
| transaction Id PublisherMessage maxspan=7m
| convert timeformat="%Y-%m-%d %H:%M:%S" ctime(_time) AS c_time
| bucket _time span=240m
| stats list(PublisherTimestamp) AS EventTimeStamp list(sourcetype) AS SourceOfData list(EventSubType) AS EventSubType list(span_time) as SpanTimeLimit list(reoccurrence_threshold_count) AS ReoccurenceThresholdCount list(check_reoccurrence_window_limit) list(duration1) count by Id PublisherMessage _time
Lookup File:
EventSubType,alert_type,spam_time,check_reoccurrence_window,reoccurrence_threshold_count,check_reoccurrence_window_limit
Failed to Ping Computer,Critical,7,0,0,0
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
02-28-2019
10:58 PM
Like this:
| makeresults | eval maxspan="7m"
| map search="search index=_* | transaction host maxspan=$maxspan$"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mpaw
Explorer
03-01-2019
09:52 AM
I tried using the map command in my index but my lookup return is getting messed up also the maxspan is not taking effect. Below is my updated script:
| search Id="*"
| lookup error_rules.csv EventSubType OUTPUT alert_type span_time check_reoccurrence_window reoccurrence_threshold_count check_reoccurrence_window_limit
| table Id PublisherMessage EventSubType PublisherTimestamp alert_type span_time check_reoccurrence_window reoccurrence_threshold_count check_reoccurrence_window_limit
| map search="search index=* | transaction Id PublisherMessage maxspan=$span_time$"
| stats list(PublisherTimestamp) AS EventTimeStamp list(sourcetype) AS SourceOfData list(EventSubType) AS EventSubType list(span_time) as SpanTimeLimit list(reoccurrence_threshold_count) AS ReoccurenceThresholdCount list(check_reoccurrence_window_limit) list(duration1) count by Id PublisherMessage _time |
|---|
Lookup File:
EventSubType,alert_type,spam_time,check_reoccurrence_window,reoccurrence_threshold_count,check_reoccurrence_window_limit
Failed to Ping Computer,Critical,7m,0,0,0
Application Error,Warning,5m,0,0,0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
02-28-2019
10:58 PM
Like this:
| makeresults | eval maxspan="7m"
| map search="search index=_* | transaction host maxspan=$maxspan$"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tiagofbmm
Influencer
02-26-2019
06:23 AM
Define the field upfront and pass it to the map command like this example:
| makeresults
| eval field="member_guid"
| map search="search index=_internal
| transaction $field$"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tiagofbmm
Influencer
03-01-2019
03:08 AM
@mpaw please accept an answer if it solved/helped it and upvote it. Otherwise let us know how can we help further
Get Updates on the Splunk Community!
.conf25 Registration is OPEN!
Ready. Set. Splunk!
Your favorite Splunk user event is back and better than ever. Get ready for more technical ...
Detecting Cross-Channel Fraud with Splunk
This article is the final installment in our three-part series exploring fraud detection techniques using ...
Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside
Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...
