Splunk Search

How to use a sub-search result as table fields?

nextpart
Explorer

I am trying to use a search to find fields that I want to use in another search as a table field.

The first search should return all fields that are used in a datamodel. This looks like this:

 

 

| datamodel "Authentication" 
| spath output=foo path=objects{}
| spath input=foo output=calc_field path=calculations{}.outputFields{}.displayName
| spath input=foo output=field path=fields{}.displayName
| eval fields = mvappend(calc_field , field)
| mvexpand fields
| table fields

 

 

 

 


Then I want to use the list of fields in the table command. I do this for the reason to be able to check the coverage of the CIM fields in the search. Unfortunately, so far without success, so I am grateful for all ideas and any kind of input.

My first guess was something like:

 

 

index="main" sourcetype="XmlWinEventLog" tag="authentication"
| table [
   | datamodel "Authentication" 
   | spath output=foo path=objects{}
   | spath input=foo output=calc_field path=calculations{}.outputFields{}.displayName
   | spath input=foo output=field path=fields{}.displayName
   | eval fields = mvappend(calc_field , field)
   | mvexpand fields
   | format   "" "" "," "" "" ""
   | rex mode=sed field=search "s/fields=//g"
   | rename search as table
]

 

 

 

 

Labels (2)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Sorry, I missed a line

index="main" sourcetype="XmlWinEventLog" tag="authentication"
| table [
   | datamodel "Authentication" 
   | spath output=foo path=objects{}
   | spath input=foo output=calc_field path=calculations{}.outputFields{}.displayName
   | spath input=foo output=field path=fields{}.displayName
   | eval query = mvappend(calc_field , field)
   | fields query
   | mvexpand query
   | format   "" "" "" "" "" ""
]

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust

Try something like this:

index="main" sourcetype="XmlWinEventLog" tag="authentication"
| table [
   | datamodel "Authentication" 
   | spath output=foo path=objects{}
   | spath input=foo output=calc_field path=calculations{}.outputFields{}.displayName
   | spath input=foo output=field path=fields{}.displayName
   | eval query = mvappend(calc_field , field)
   | mvexpand query
   | format   "" "" "" "" "" ""
]
0 Karma

nextpart
Explorer

Hi @ITWhisperer , thanks for your reply. I already tried that one but get the following error:

Error in 'table' command: Invalid argument: 'calc_field=action'
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Sorry, I missed a line

index="main" sourcetype="XmlWinEventLog" tag="authentication"
| table [
   | datamodel "Authentication" 
   | spath output=foo path=objects{}
   | spath input=foo output=calc_field path=calculations{}.outputFields{}.displayName
   | spath input=foo output=field path=fields{}.displayName
   | eval query = mvappend(calc_field , field)
   | fields query
   | mvexpand query
   | format   "" "" "" "" "" ""
]
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...