How to use the results of one search (2 sources) a...

dbcase · ‎06-28-2016

How do I use the results of one search (2 sources) as input to a second search (3rd source)?

Here is what I have (but it isn’t working):

index=top10 (source=/home/oracle/workdir/reboots_Requests_Summary.csv NOT [search source=/home/oracle/workdir/reboots_summary.csv dedup PREMISE | fields + PREMISE]) INCLUDE [search source=/home/oracle/workdir/overall_ac_power.csv dedup PREMISE | fields + PREMISE]|where QUEUED_TIME

Breakdown is this

Reboots_requests_Summary.csv is compared against reboots_summary.csv by PREMISE ID. If there is NOT a matching PREMISE entry in reboots_summary then include that event in the results (THIS WORKS)
Skipping the INCLUDE search for now (will come back to this later)
The Where clause compares the results of the first search (step 1) so that only results where the QUEUED_TIME is less than the RESULT_TIME are selected (THIS WORKS)
Display PREMISE, QUEUED_TIME and RESULT_TIME in a table (THIS WORKS)

Back to the INCLUDE (step 2). First this is when I add this I get no results so it isn’t working. What I need to do is to use the results of step 1 to search a 3rd file so I get events that are identified by PREMISE that are in-between QUEUED_TIME and RESULT_TIME. I would need to run a transaction by PREMISE where the transaction starts with (field)=Ethpwrloss and ends with (field)=ethpwrlossres and then get the duration.

The transaction and duration are easy enough. I’m stuck on the search….

gfreitas · ‎06-28-2016

Hi,

The way you used the [ and ] are correct. What is the result of that search?

[search source=/home/oracle/workdir/reboots_summary.csv dedup PREMISE | fields + PREMISE]) INCLUDE [search source=/home/oracle/workdir/overall_ac_power.csv dedup PREMISE | fields + PREMISE]

dbcase · ‎06-28-2016

index=top10 (source=/home/oracle/workdir/reboots_Requests_Summary.csv NOT [search source=/home/oracle/workdir/reboots_summary.csv dedup PREMISE|table PREMISE])|table PREMISE

This works

index=top10 (source=/home/oracle/workdir/reboots_Requests_Summary.csv NOT [search source=/home/oracle/workdir/reboots_summary.csv dedup PREMISE|table PREMISE]) [search source=/home/oracle/workdir/overall_ac_power.csv|table PREMISE]

but sadly no joy on this one

gfreitas · ‎06-28-2016

Hi dbcase,

I think you can just ommit the INCLUDE operator, this will add the results of the search [search source=/home/oracle/workdir/overall_ac_power.csv dedup PREMISE | fields + PREMISE] as a filter to the previous events. The full search would ne smth like:

index=top10 (source=/home/oracle/workdir/reboots_Requests_Summary.csv NOT [search source=/home/oracle/workdir/reboots_summary.csv | dedup PREMISE | fields + PREMISE]) [search source=/home/oracle/workdir/overall_ac_power.csv | dedup PREMISE | fields + PREMISE]|where QUEUED_TIME

I just didn't understand the last arguments "where QUEUED_TIME".

Hope this helps

dbcase · ‎06-28-2016

odd, things keep getting truncated......

I still don't get results but let me ask a further question....

Once the first part of the query (within the () ) executes it then matches it with the second part of the query by using the common field PREMISE, correct?

gfreitas · ‎06-28-2016

Yes, but I think you should use the command "table PREMISE" instead of "fields + PREMISE". What is the result of that search:

source=/home/oracle/workdir/overall_ac_power.csv | dedup PREMISE | fields + PREMISE?? If it's a table with PREMISE and it's values it's correct and it will filter the other results.

dbcase · ‎06-28-2016

And I'm not sure if INCLUDE is the right operator, no other operator I've tried seems work

dbcase · ‎06-28-2016

Hey Gfreitas! Thanks for the prompt reply! I dunno why but the details on what is happening were left off my original question. I just posted them in the comments.

Summary is, if the INCLUDE [search source=/home/oracle/workdir/overall_ac_power.csv dedup PREMISE | fields + PREMISE] portion is OMITTED then I get results, otherwise no results 😞

dbcase · ‎06-28-2016

Breakdown is this

  Reboots_requests_Summary.csv is compared against reboots_summary.csv by PREMISE ID.  If there is NOT a matching PREMISE entry in reboots_summary then include that event in the results (THIS WORKS)

  Skipping the INCLUDE search for now (will come back to this later)

  The Where clause compares the results of the first search (step 1) so that only results where the QUEUED_TIME is less than the RESULT_TIME are selected (THIS WORKS)

  Display PREMISE, QUEUED_TIME and RESULT_TIME in a table (THIS WORKS)

Back to the INCLUDE (step 2). First this is when I add this I get no results so it isn’t working. What I need to do is to use the results of step 1 to search a 3rd file so I get events that are identified by PREMISE that are in-between QUEUED_TIME and RESULT_TIME. I would need to run a transaction by PREMISE where the transaction starts with (field)=Ethpwrloss and ends with (field)=ethpwrlossres and then get the duration.

The transaction and duration are easy enough. I’m stuck on the search….

How to use the results of one search (2 sources) as input to a second search (3rd source)?

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...