Splunk Search

How to use append/multireport in a panel search or using multisearch with map?

djohnson99
Explorer

Hello!

I'm looking to get a time range from two events, one from a standard search, the other from a different search based on a regex derived from a third search and report the difference in times between the events. However I'm struggling to either make the multisearch work with map, or multireport/append work in a panel, even though those searches work just fine in the regular search bar.

To give you an idea, I have the failed multisearch (which doesn't work due to me using map):

| multisearch 
[| search index=index1 "First text string"]
[| search index=index1 "text string for regex lookup"
| rex field=message "^(?<LookUp>\d+)\s"
| map search="search index=index1 message = $LookUp$*"]

| stats earliest(_time) as time1, latest(_time) as time2
| eval difference=time2-time1
| eval difference=tostring(difference, "duration")
| table time1 time2 difference

 Obviously this doesn't work due to non-streaming commands, but multireport does, however it does not work in a standard statistics table panel, or any other panel that I've tried, just giving me a "search is waiting for input" message:

| multireport
[| search index=index1 "First text string"]
[| search index=index1 "text string for regex lookup"
| rex field=message "^(?<LookUp>\d+)\s"
| map search="search index=index1 message = $LookUp$*"]

| stats earliest(_time) as time1, latest(_time) as time2
| eval difference=time2-time1
| eval difference=tostring(difference, "duration")
| table time1 time2 difference


The other option is append which once again works in the regular search but not in the panel search:

index=index1 "First text string"
| append
[ search index=index1 "text string for regex lookup"
| rex field=message "^(?<LookUp>\d+)\s"
| map search="search index=index1 message = $LookUp$*"]
| stats earliest(_time) as time1, latest(_time) as time2
| eval difference=time2-time1
| eval difference=tostring(difference, "duration")
| table time1 time2 difference

I've been  trying to find a way to do this but with no luck - if anyone has anything they can spot or advise that would be greatly appreciated.

Thank you!

Labels (3)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Try something like this

index=index1 "First text string"
| append
[ search index=index1 [ search index=index1 "text string for regex lookup"
| rex field=message "^(?<LookUp>\d+)\s"
| eval message = LookUp
| fields message] ]
| stats earliest(_time) as time1, latest(_time) as time2
| eval difference=time2-time1
| eval difference=tostring(difference, "duration")
| table time1 time2 difference

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust

Try something like this

index=index1 "First text string"
| append
[ search index=index1 [ search index=index1 "text string for regex lookup"
| rex field=message "^(?<LookUp>\d+)\s"
| eval message = LookUp
| fields message] ]
| stats earliest(_time) as time1, latest(_time) as time2
| eval difference=time2-time1
| eval difference=tostring(difference, "duration")
| table time1 time2 difference

djohnson99
Explorer

Thanks @ITWhisperer 

That is now giving me a table on the panel, however is only returning one result now. I suspect the issue is with the regex/eval command.  Just putting in this into the search returns nothing:

index=index1 "First text string"
| append
[ search index=index1 [ search index=index1 "text string for regex lookup"
| rex field=message "^(?<LookUp>\d+)\s"
| eval message = LookUp
| fields message] ]


The regex is grabbing a number at the start of the message, so "123456 etc etc etc" and previously worked in my other attempts so I'm assuming is fine, I suspect the issue is with the eval message = Lookup line, as manually putting in " "123456*" " returns results, so I need the LookUp regex field with a wildcard at the end. 

I've tried combinations of "$LookUp$*", '$LookUp$*' etc but nothing seems to work there either.  Using LookUp* without quotes returns a "The expression is malformed. The factor is missing." error.

Tags (2)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Try changing the eval to this

| eval message = "*".LookUp."*"

djohnson99
Explorer

That did it - I managed to trim it down just to LookUp."*" as I only needed to wildcard the end but all is well now.

Thank you very much for your help!

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...