How to multisearch using values from more than one...

amitrinx · ‎01-10-2023

I have two lookups
RLQuotas: Endpoint, Endpoint Name, filter, quota, Window
RLFilters: Attribute, filter

I want to loop through all the endpoints. all endpoints have a specific window, quota and filter and i am searching it based on filter attribute
I want output fields Endpoint Name, filter, Quota

This is the query i came up with

| inputlookup ID-RL-Quotas | lookup ID-RL-Filters Filter | fields Endpoint, "Endpoint Name", Attribute, Window, Quota, Filter | rename "Endpoint Name" as EndpointName
| map [| eval Window = tonumber($Window$) | search sourcetype="some"
http_url = "$Endpoint$"
minutesago=Window
| eval ip = mvindex(split(http_remoteip,","),0)
| eval EndpointName = "$EndpointName$"
| eval WindowI ="$Window$"
| eval QuotaI="$Quota$"
| eval FilterI="$Filter$"
| search $Attribute$ = "*"
| stats values(EndpointName) as "Endpoint Name", values(FilterI) as Filter, values(WindowI) as Window, values(QuotaI) as Quota, count by $Attribute$
| where count >= 0.8 * $Quota$
| sort -count] maxsearches=10000

This only gives me one filter output not all

PickleRick · ‎01-10-2023

Firstly, the topic says "multisearch" and you're using map.

Secondly, you don't have any event-generating commands in your map.

Thirdly, most probably this isnot the way to solve your problem.

How to multisearch using values from more than one lookup?

other

table

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM