Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Using append/multireport in a panel search or ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello!
I'm looking to get a time range from two events, one from a standard search, the other from a different search based on a regex derived from a third search and report the difference in times between the events. However I'm struggling to either make the multisearch work with map, or multireport/append work in a panel, even though those searches work just fine in the regular search bar.
To give you an idea, I have the failed multisearch (which doesn't work due to me using map):
| multisearch
[| search index=index1 "First text string"]
[| search index=index1 "text string for regex lookup"
| rex field=message "^(?<LookUp>\d+)\s"
| map search="search index=index1 message = $LookUp$*"]
| stats earliest(_time) as time1, latest(_time) as time2
| eval difference=time2-time1
| eval difference=tostring(difference, "duration")
| table time1 time2 difference
Obviously this doesn't work due to non-streaming commands, but multireport does, however it does not work in a standard statistics table panel, or any other panel that I've tried, just giving me a "search is waiting for input" message:
| multireport
[| search index=index1 "First text string"]
[| search index=index1 "text string for regex lookup"
| rex field=message "^(?<LookUp>\d+)\s"
| map search="search index=index1 message = $LookUp$*"]
| stats earliest(_time) as time1, latest(_time) as time2
| eval difference=time2-time1
| eval difference=tostring(difference, "duration")
| table time1 time2 difference
The other option is append which once again works in the regular search but not in the panel search:
index=index1 "First text string"
| append
[ search index=index1 "text string for regex lookup"
| rex field=message "^(?<LookUp>\d+)\s"
| map search="search index=index1 message = $LookUp$*"]
| stats earliest(_time) as time1, latest(_time) as time2
| eval difference=time2-time1
| eval difference=tostring(difference, "duration")
| table time1 time2 difference
I've been trying to find a way to do this but with no luck - if anyone has anything they can spot or advise that would be greatly appreciated.
Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this
index=index1 "First text string"
| append
[ search index=index1 [ search index=index1 "text string for regex lookup"
| rex field=message "^(?<LookUp>\d+)\s"
| eval message = LookUp
| fields message] ]
| stats earliest(_time) as time1, latest(_time) as time2
| eval difference=time2-time1
| eval difference=tostring(difference, "duration")
| table time1 time2 difference- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this
index=index1 "First text string"
| append
[ search index=index1 [ search index=index1 "text string for regex lookup"
| rex field=message "^(?<LookUp>\d+)\s"
| eval message = LookUp
| fields message] ]
| stats earliest(_time) as time1, latest(_time) as time2
| eval difference=time2-time1
| eval difference=tostring(difference, "duration")
| table time1 time2 difference- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @ITWhisperer
That is now giving me a table on the panel, however is only returning one result now. I suspect the issue is with the regex/eval command. Just putting in this into the search returns nothing:
index=index1 "First text string" | append [ search index=index1 [ search index=index1 "text string for regex lookup" | rex field=message "^(?<LookUp>\d+)\s" | eval message = LookUp | fields message] ]
The regex is grabbing a number at the start of the message, so "123456 etc etc etc" and previously worked in my other attempts so I'm assuming is fine, I suspect the issue is with the eval message = Lookup line, as manually putting in " "123456*" " returns results, so I need the LookUp regex field with a wildcard at the end.
I've tried combinations of "$LookUp$*", '$LookUp$*' etc but nothing seems to work there either. Using LookUp* without quotes returns a "The expression is malformed. The factor is missing." error.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try changing the eval to this
| eval message = "*".LookUp."*"- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That did it - I managed to trim it down just to LookUp."*" as I only needed to wildcard the end but all is well now.
Thank you very much for your help!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
