How to multisearch using values from more than one...

amitrinx · ‎01-10-2023

I have two lookups
RLQuotas: Endpoint, Endpoint Name, filter, quota, Window
RLFilters: Attribute, filter

I want to loop through all the endpoints. all endpoints have a specific window, quota and filter and i am searching it based on filter attribute
I want output fields Endpoint Name, filter, Quota

This is the query i came up with

| inputlookup ID-RL-Quotas | lookup ID-RL-Filters Filter | fields Endpoint, "Endpoint Name", Attribute, Window, Quota, Filter | rename "Endpoint Name" as EndpointName
| map [| eval Window = tonumber($Window$) | search sourcetype="some"
http_url = "$Endpoint$"
minutesago=Window
| eval ip = mvindex(split(http_remoteip,","),0)
| eval EndpointName = "$EndpointName$"
| eval WindowI ="$Window$"
| eval QuotaI="$Quota$"
| eval FilterI="$Filter$"
| search $Attribute$ = "*"
| stats values(EndpointName) as "Endpoint Name", values(FilterI) as Filter, values(WindowI) as Window, values(QuotaI) as Quota, count by $Attribute$
| where count >= 0.8 * $Quota$
| sort -count] maxsearches=10000

This only gives me one filter output not all

PickleRick · ‎01-10-2023

Firstly, the topic says "multisearch" and you're using map.

Secondly, you don't have any event-generating commands in your map.

Thirdly, most probably this isnot the way to solve your problem.

How to multisearch using values from more than one lookup?

other

table

Splunk APM & RUM | Upcoming Planned Maintenance

Part 2: Diving Deeper With AIOps

User Groups | Upcoming Events!