
How to iterate through lists of values in Splunk?

Contributor

I have two lists in my dashboard which are interdependent. I need to iterate through each value of list L1 and put them in another search to get another list, and then group them together to show them on the dashboard.

Let's say query Q1 returns the list L1, where each value has multiple values associated with the second list L2. So I want to use each value of L1 in another query Q2 that would return L2, and then group them by each value of L1 and show it in an individual block.


L1.V1 (outcome of Q1):
|L2.v1 (outcome of Q2)|
|L2.v6 (outcome of Q2)|
|L2.v7 (outcome of Q2)|


L1.V2 (outcome of Q1):
|L2.v2 (outcome of Q2)|
|L2.v4 (outcome of Q2)|
|L2.v5 (outcome of Q2)|

Any idea how to achieve this?

0 Karma

Re: How to iterate through lists of values in Splunk?

Legend

Hi pramit46,
I think that the values in both searches are related to a field (e.g. Key); if the field name is different in the two searches, you must rename it in the subsearch.
So you should try something like this:
Search2 [ search Search1 | rename Key1 AS Key | fields Key ] | stats values(L2) AS L2 count by Key

It is different if the values of L1 aren't in a field: you can use L1 to search in L2, but it's more difficult to group by. Anyway, try something like this:
Search2 [ search Search1 | rename Key1 AS query | fields query ] | stats count by Key2
Bye.
Giuseppe


0 Karma
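The first pattern from the accepted answer, as an added example that is not part of the original posts: the outer pipeline stands in for Search2 and the bracketed subsearch for Search1. The field names Key1, Key and L2 follow the answer's placeholders, and the rows are constructed with makeresults (matching the V1/V2 layout in the question, plus one V3 row that the subsearch filters out) so the search runs without any index.

```spl
| makeresults
| eval row=split("V1,v1;V2,v2;V3,v3;V2,v4;V2,v5;V1,v6;V1,v7", ";")
| mvexpand row
| rex field=row "^(?<Key>[^,]+),(?<L2>.+)$"
| search
    [| makeresults
     | eval Key1=split("V1,V2", ",")
     | mvexpand Key1
     | rename Key1 AS Key
     | fields Key ]
| stats values(L2) AS L2 count BY Key
```

The subsearch runs first and is expanded into a `Key="V1" OR Key="V2"` filter on the outer search, so `stats` returns one row per L1 value with its L2 values grouped. Subsearches are subject to the result-count and runtime limits in limits.conf, so a very large L1 can be cut short before it reaches the outer search.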

Re: How to iterate through lists of values in Splunk?

Contributor

Thanks @cusello. It helped. 🙂

0 Karma