Splunk Search

How to use append/multireport in a panel search or using multisearch with map?

djohnson99
Explorer

Hello!

I'm looking to get a time range from two events, one from a standard search, the other from a different search based on a regex derived from a third search, and report the difference in times between the events. However, I'm struggling to either make the multisearch work with map, or multireport/append work in a panel, even though those searches work just fine in the regular search bar.

To give you an idea, I have the failed multisearch (which doesn't work due to me using map):

| multisearch 
[| search index=index1 "First text string"]
[| search index=index1 "text string for regex lookup"
| rex field=message "^(?<LookUp>\d+)\s"
| map search="search index=index1 message = $LookUp$*"]

| stats earliest(_time) as time1, latest(_time) as time2
| eval difference=time2-time1
| eval difference=tostring(difference, "duration")
| table time1 time2 difference

Obviously this doesn't work due to non-streaming commands, but multireport does; however, it does not work in a standard statistics table panel, or any other panel that I've tried, just giving me a "search is waiting for input" message:

| multireport
[| search index=index1 "First text string"]
[| search index=index1 "text string for regex lookup"
| rex field=message "^(?<LookUp>\d+)\s"
| map search="search index=index1 message = $LookUp$*"]

| stats earliest(_time) as time1, latest(_time) as time2
| eval difference=time2-time1
| eval difference=tostring(difference, "duration")
| table time1 time2 difference


The other option is append which once again works in the regular search but not in the panel search:

index=index1 "First text string"
| append
[ search index=index1 "text string for regex lookup"
| rex field=message "^(?<LookUp>\d+)\s"
| map search="search index=index1 message = $LookUp$*"]
| stats earliest(_time) as time1, latest(_time) as time2
| eval difference=time2-time1
| eval difference=tostring(difference, "duration")
| table time1 time2 difference

I've been trying to find a way to do this but with no luck - if anyone has anything they can spot or advise, that would be greatly appreciated.

Thank you!


ITWhisperer
SplunkTrust

Try something like this

index=index1 "First text string"
| append
[ search index=index1 [ search index=index1 "text string for regex lookup"
| rex field=message "^(?<LookUp>\d+)\s"
| eval message = LookUp
| fields message] ]
| stats earliest(_time) as time1, latest(_time) as time2
| eval difference=time2-time1
| eval difference=tostring(difference, "duration")
| table time1 time2 difference


djohnson99
Explorer

Thanks @ITWhisperer 

That is now giving me a table on the panel, however it is only returning one result now. I suspect the issue is with the regex/eval command. Just putting this into the search returns nothing:

index=index1 "First text string"
| append
[ search index=index1 [ search index=index1 "text string for regex lookup"
| rex field=message "^(?<LookUp>\d+)\s"
| eval message = LookUp
| fields message] ]

The regex is grabbing a number at the start of the message, so "123456 etc etc etc", and previously worked in my other attempts so I'm assuming it is fine. I suspect the issue is with the eval message = LookUp line, as manually putting in "123456*" returns results, so I need the LookUp regex field with a wildcard at the end.

I've tried combinations of "$LookUp$*", '$LookUp$*' etc. but nothing seems to work there either. Using LookUp* without quotes returns a "The expression is malformed. The factor is missing." error.


ITWhisperer
SplunkTrust

Try changing the eval to this

| eval message = "*".LookUp."*"

djohnson99
Explorer

That did it - I managed to trim it down just to LookUp."*" as I only needed to wildcard the end but all is well now.

Thank you very much for your help!

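The subsearch-plus-wildcard fix that the thread settles on, modelled in Python as an added example (this is not Splunk code and not from either poster). It uses constructed events and assumes that Splunk expands a single-field subsearch to `( ( message="v1" ) OR ( message="v2" ) )`, that `message=value` is an exact field match while a trailing `*` is a prefix match, and it only approximates the `tostring(x, "duration")` output format.

```python
import re

# Constructed sample events (not from the thread): (_time epoch seconds, message)
EVENTS = [
    (1700000000, "First text string: job submitted"),
    (1700000005, "123456 text string for regex lookup"),
    (1700000007, "789 text string for regex lookup"),
    (1700003605, "123456 job finished OK"),
    (1700003700, "7890 shares a prefix with 789, so the wildcard also picks it up"),
    (1700003800, "654321 job finished OK"),
]
LOOKUP_RE = re.compile(r"^(?P<LookUp>\d+)\s")  # same pattern as the thread's rex


def lookup_values(events, marker="text string for regex lookup"):
    """Innermost subsearch: rex the leading number out of each marker event."""
    out = []
    for _t, msg in events:
        m = LOOKUP_RE.match(msg)
        if marker in msg and m:
            out.append(m.group("LookUp"))
    return out


def render_subsearch(values, wildcard):
    """Assumed Splunk expansion of a subsearch whose only returned field is 'message'."""
    star = "*" if wildcard else ""
    terms = [f'( message="{v}{star}" )' for v in values]
    return "( " + " OR ".join(terms) + " )"


def matches(msg, value, wildcard):
    """message=value is an exact field match; a trailing * makes it a prefix match."""
    return msg.startswith(value) if wildcard else msg == value


def fmt_duration(seconds):
    """Approximation of tostring(x, "duration"): HH:MM:SS, with D+ for whole days."""
    d, rem = divmod(int(seconds), 86400)
    h, rem = divmod(rem, 3600)
    m, s = divmod(rem, 60)
    base = f"{h:02d}:{m:02d}:{s:02d}"
    return f"{d}+{base}" if d else base


def stats_difference(events, wildcard):
    """Outer search | append [subsearch] | stats earliest/latest | eval difference."""
    times = [t for t, msg in events if "First text string" in msg]
    vals = lookup_values(events)
    times += [t for t, msg in events if any(matches(msg, v, wildcard) for v in vals)]
    time1, time2 = min(times), max(times)
    return time1, time2, fmt_duration(time2 - time1)
```

With `wildcard=False` (the `eval message = LookUp` variant) nothing in the appended search matches, which reproduces the single-row result seen above; with `wildcard=True` (`LookUp."*"`) the matched events give a real earliest/latest spread. The constructed `7890` event shows the side effect of a bare trailing wildcard: it also matches longer IDs that share a prefix.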