Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to put found and not found results of search in two different lists

pitmod
Explorer
‎08-13-2020 01:56 AM

Hi,

I have the following search and sub-search:

index=someindex source=somesource | search [search index=otherindex source=othersource | fields hostname]

My subsearch generates list of hostnames. As a result I'd like to get list of hosts that have been found by main search and list of hosts that have not been found. 

The hosts not found I'd like to put in one table and the on hosts found apply some filter and present in another table.

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-13-2020 02:18 AM

Hi @pitmod,

do you want one search (or panel) or two?

if you want two searches, you can run something like these:

Search 1 (included):

index=someindex source=somesource [search index=otherindex source=othersource | fields hostname]
| ...

search 2 (not included):

index=someindex source=somesource NOT search index=otherindex source=othersource | fields hostname]
| ...

If instead you want only one search:

(index=someindex source=somesource) OR (index=otherindex source=othersource)
| stats dc(index) AS dc_index values(index) AS index BY hostname
| eval status=if(dc_index="2", "Both", if(index="someindex","Only someindex","Only otherindex"))
| table hostname status

Al the searches can run if the field hostname is present in both the indexes, if not you have to rename one of them.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-13-2020 02:18 AM

Hi @pitmod,

do you want one search (or panel) or two?

if you want two searches, you can run something like these:

Search 1 (included):

index=someindex source=somesource [search index=otherindex source=othersource | fields hostname]
| ...

search 2 (not included):

index=someindex source=somesource NOT search index=otherindex source=othersource | fields hostname]
| ...

If instead you want only one search:

(index=someindex source=somesource) OR (index=otherindex source=othersource)
| stats dc(index) AS dc_index values(index) AS index BY hostname
| eval status=if(dc_index="2", "Both", if(index="someindex","Only someindex","Only otherindex"))
| table hostname status

Al the searches can run if the field hostname is present in both the indexes, if not you have to rename one of them.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

pitmod
Explorer
‎08-13-2020 04:30 AM

Thanks Giuseppe, the second approach would work for me. The issue is that the fields have different names and format: hostname for someindex is base name and host for otherindex is fqdn. I've tried to run eval and rename like here:

(index=someindex source=somesource) OR (index=otherindex source=othersource)
| eval myhostname=mvindex(split(host,"."),0) 
| rename myhostname as hostname 
| stats dc(index) AS dc_index values(index) AS index BY hostname

but it returns only hostnames for the otherindex search so sth is not right. 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-13-2020 10:27 AM

Hi @pitmod,

if the answer solves your problem, please accept it for the Community, otherwise tell me how can I help you.

Ciao ang good splunking.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

pitmod
Explorer
‎08-14-2020 12:14 AM

I fixed it by renaming both fields. Thanks

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...