- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to use append/multireport in a panel search or...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello!
I'm looking to get a time range from two events, one from a standard search, the other from a different search based on a regex derived from a third search and report the difference in times between the events. However I'm struggling to either make the multisearch work with map, or multireport/append work in a panel, even though those searches work just fine in the regular search bar.
To give you an idea, I have the failed multisearch (which doesn't work due to me using map):
| multisearch
[| search index=index1 "First text string"]
[| search index=index1 "text string for regex lookup"
| rex field=message "^(?<LookUp>\d+)\s"
| map search="search index=index1 message = $LookUp$*"]
| stats earliest(_time) as time1, latest(_time) as time2
| eval difference=time2-time1
| eval difference=tostring(difference, "duration")
| table time1 time2 difference
Obviously this doesn't work due to non-streaming commands, but multireport does, however it does not work in a standard statistics table panel, or any other panel that I've tried, just giving me a "search is waiting for input" message:
| multireport
[| search index=index1 "First text string"]
[| search index=index1 "text string for regex lookup"
| rex field=message "^(?<LookUp>\d+)\s"
| map search="search index=index1 message = $LookUp$*"]
| stats earliest(_time) as time1, latest(_time) as time2
| eval difference=time2-time1
| eval difference=tostring(difference, "duration")
| table time1 time2 difference
The other option is append which once again works in the regular search but not in the panel search:
index=index1 "First text string"
| append
[ search index=index1 "text string for regex lookup"
| rex field=message "^(?<LookUp>\d+)\s"
| map search="search index=index1 message = $LookUp$*"]
| stats earliest(_time) as time1, latest(_time) as time2
| eval difference=time2-time1
| eval difference=tostring(difference, "duration")
| table time1 time2 difference
I've been trying to find a way to do this but with no luck - if anyone has anything they can spot or advise that would be greatly appreciated.
Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this
index=index1 "First text string"
| append
[ search index=index1 [ search index=index1 "text string for regex lookup"
| rex field=message "^(?<LookUp>\d+)\s"
| eval message = LookUp
| fields message] ]
| stats earliest(_time) as time1, latest(_time) as time2
| eval difference=time2-time1
| eval difference=tostring(difference, "duration")
| table time1 time2 difference- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this
index=index1 "First text string"
| append
[ search index=index1 [ search index=index1 "text string for regex lookup"
| rex field=message "^(?<LookUp>\d+)\s"
| eval message = LookUp
| fields message] ]
| stats earliest(_time) as time1, latest(_time) as time2
| eval difference=time2-time1
| eval difference=tostring(difference, "duration")
| table time1 time2 difference- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @ITWhisperer
That is now giving me a table on the panel, however is only returning one result now. I suspect the issue is with the regex/eval command. Just putting in this into the search returns nothing:
index=index1 "First text string" | append [ search index=index1 [ search index=index1 "text string for regex lookup" | rex field=message "^(?<LookUp>\d+)\s" | eval message = LookUp | fields message] ]
The regex is grabbing a number at the start of the message, so "123456 etc etc etc" and previously worked in my other attempts so I'm assuming is fine, I suspect the issue is with the eval message = Lookup line, as manually putting in " "123456*" " returns results, so I need the LookUp regex field with a wildcard at the end.
I've tried combinations of "$LookUp$*", '$LookUp$*' etc but nothing seems to work there either. Using LookUp* without quotes returns a "The expression is malformed. The factor is missing." error.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try changing the eval to this
| eval message = "*".LookUp."*"- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That did it - I managed to trim it down just to LookUp."*" as I only needed to wildcard the end but all is well now.
Thank you very much for your help!
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
