Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to iterate through lists of values in Splunk?

pramit46
Contributor
‎12-04-2016 10:02 PM

I have two lists in my dashboard which are inter dependent. I need to iterate through each list values of L1 and put them in another search to get another list ,and then group them together to show them on the dashboard.

Let's say query Q1 returns the list L1, where each value has multiple values associated with the second list L2. So I want to use each value of L1 and use them in another query Q2, that would return L2. and then group them by each value of L1 and show it in an individual block.

L1.V1 (outcome of Q1):
|L2.v1 (outcome of Q2)|
|L2.v6 (outcome of Q2)|
|L2.v7 (outcome of Q2)|

L1.V2 (outcome of Q1):
|L2.v2 (outcome of Q2)|
|L2.v4 (outcome of Q2)|
|L2.v5 (outcome of Q2)|

Any idea, how to achieve this?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-04-2016 11:57 PM

Hi pramit46,
I think that values in both the searches are related to a field (e.g. Key) if field name is different in the two searches, you must rename it in the sub search.
So you should try something like this:
Search2 [ search search1 | rename Key1 AS Key | fields Key] | stats values(L2) AS L2 count by Key

It is different if values of L1 aren't in a field, so you can use L1 to search in L2 but it's more difficoult to Group by, every eay try something like this:
Search2 [ search Search2 | rename Key1 AS query | fields query | stats count by Key2
Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-04-2016 11:57 PM

Hi pramit46,
I think that values in both the searches are related to a field (e.g. Key) if field name is different in the two searches, you must rename it in the sub search.
So you should try something like this:
Search2 [ search search1 | rename Key1 AS Key | fields Key] | stats values(L2) AS L2 count by Key

It is different if values of L1 aren't in a field, so you can use L1 to search in L2 but it's more difficoult to Group by, every eay try something like this:
Search2 [ search Search2 | rename Key1 AS query | fields query | stats count by Key2
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

pramit46
Contributor
‎12-05-2016 10:23 AM

Thanks @cusello. It helped. 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...