Splunk Search

I want to replace the time with a variable in the query below. Please help.

veerendra_modi
Loves-to-Learn
| lookup error_rules_latest.csv EventType OUTPUT alert_type wait_time reoccurrence_window threshold_count reoccurrence_window_limit 
| transaction Id Message maxspan=5m | bucket _time span=240m 
| stats list(Timestamp) AS EventTimeStamp list(sourcetype) AS SourceOfData list(EventType) AS EventType first(wait_time) as WaitTimeLimit first(threshold_count) AS ReoccurenceThresholdCount first(reoccurrence_window_limit) count by Id Message _time 

The 240m and 5m need to be taken from the lookup file as variables:
bucket _time span=240m should be taken from reoccurrence_window_limit
maxspan=5m should be taken from wait_time

Any help will be appreciated. Thanks.

0 Karma

richgalloway
SplunkTrust

Try subsearches.

| lookup error_rules_latest.csv EventType OUTPUT alert_type reoccurrence_window threshold_count 
| transaction Id Message maxspan=[| lookup error_rules_latest.csv EventType OUTPUT wait_time | return wait_time]
| bucket _time span=[| lookup error_rules_latest.csv EventType OUTPUT reoccurrence_window_limit | return reoccurrence_window_limit ]
| stats list(Timestamp) AS EventTimeStamp list(sourcetype) AS SourceOfData list(EventType) AS EventType first(wait_time) as WaitTimeLimit first(threshold_count) AS ReoccurenceThresholdCount first(reoccurrence_window_limit) count by Id Message _time 
---
If this reply helps you, Karma would be appreciated.
0 Karma

veerendra_modi
Loves-to-Learn

Hi Rich,

Thanks for your help. I tried implementing the same:
=[|| lookup error_rules_latest.csv EventType OUTPUT reoccurrence_window_limit | return reoccurrence_window_limit ]

1st, the double pipe sign in front is giving an error, so one pipe is working.
2nd, the bucket _time span is working, but for maxspan it's still not working. The results are not the same with dynamic values.
Why this discrepancy? Can you help?

Thanks

0 Karma

richgalloway
SplunkTrust

Thanks for pointing out the unintentional double pipes. I've corrected them.
To find out why bucket _time span isn't working with a subsearch, try running the subsearch by itself and examine the results. It should produce a string that is a valid span setting. If it does not, adjust the subsearch until it does produce a valid value.

---
If this reply helps you, Karma would be appreciated.
0 Karma

veerendra_modi
Loves-to-Learn

I have tried running it separately, but no luck. The returned value is, say, "240m", while when entering the hardcoded value we enter 240m without quotes. Is this the problem or something else?

Thanks a lot for your help 🙂

0 Karma

richgalloway
SplunkTrust

Yes, quotation marks will be a problem. Modify the subsearch to remove them.

---
If this reply helps you, Karma would be appreciated.
0 Karma
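One way to feed the lookup values into maxspan and span without the quotation marks that `return` adds, covering both the subsearch suggestion in the first reply and the quoting problem discussed above. This is an added example, not a query from the thread. It relies on the subsearch convention that a result field named `search` is substituted into the outer search verbatim, and on `inputlookup` so the subsearch generates its own rows instead of needing events piped into `lookup`. The base search (`index=app_logs sourcetype=app_events`) and the row filter (`EventType="Timeout"`) are assumptions; SPL has no inline comment syntax, so substitute your own values from here. A subsearch supplies one fixed value for the whole search, which is why `head 1` selects a single row: neither `transaction maxspan` nor `bucket span` can vary per event.

```spl
index=app_logs sourcetype=app_events
| lookup error_rules_latest.csv EventType OUTPUT alert_type wait_time reoccurrence_window threshold_count reoccurrence_window_limit
| transaction Id Message maxspan=[
      | inputlookup error_rules_latest.csv
      | where EventType="Timeout"
      | head 1
      | eval search=wait_time
      | fields search ]
| bucket _time span=[
      | inputlookup error_rules_latest.csv
      | where EventType="Timeout"
      | head 1
      | eval search=reoccurrence_window_limit
      | fields search ]
| stats list(Timestamp) AS EventTimeStamp list(sourcetype) AS SourceOfData list(EventType) AS EventType first(wait_time) AS WaitTimeLimit first(threshold_count) AS ReoccurenceThresholdCount first(reoccurrence_window_limit) AS ReoccurrenceWindowLimit count BY Id Message _time
```

Check each subsearch on its own first, as suggested above: `| inputlookup error_rules_latest.csv | where EventType="Timeout" | head 1 | eval search=wait_time | fields search` should show exactly one row whose `search` field is `5m`, so the outer command becomes `maxspan=5m` rather than `maxspan=wait_time="5m"` or `maxspan="5m"`. If the subsearch returns more than one row, the values are combined with OR, which is not a valid span; filter or `head 1` until a single row remains. If the lookup really defines a different window per EventType, split the search per EventType (or compute the grouping with `eval` and `streamstats`), because a single maxspan or span cannot express that.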