Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is there a way I could combine the results from the above query with the first query to refine the search command?

_pravin
Communicator
‎10-28-2022 03:40 AM

Hi Community,

 

I have the below search query

 

 

index=_internal 
    [ `set_local_host`] source=*license_usage.log* type="Usage" 
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) 
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) 
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) 
| bin _time span=1d 
| stats sum(b) as b by _time, pool, s, st, h, idx 
| search h = hp742srv OR dell970srv OR dell428srv OR hp548srv OR dell429srv OR dell477srv OR dell433srv 
| timechart span=1d sum(b) AS volumeB by idx fixedrange=false limit=30

 

 

I am trying to refine the search query where I had to manually enter the host names using the OR condition. I am trying to figure out if there is a way I could use an alternative way to get the same result from the above search.

The below search gives all the names used in the search command above.

 

 

index=m_logs "mx.env"="hp742srv.scz.m.com:24000" 
| table host 
| dedup host

 

 

 Is there a way I could combine the results from the above query with the first query to refine the search command?

Thanks in advance.

 

Regards,

Pravin

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-28-2022 04:43 AM

 

index=_internal 
    [ search index=m_logs "mx.env"="hp742srv.scz.m.com:24000" 
| table host 
| dedup host
| format ]
    [ `set_local_host`] source=*license_usage.log* type="Usage" 
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) 
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) 
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) 
| bin _time span=1d 
| stats sum(b) as b by _time, pool, s, st, h, idx 
| timechart span=1d sum(b) AS volumeB by idx fixedrange=false limit=30

 

Reply

_pravin
Communicator
‎10-28-2022 05:25 AM

Hi @ITWhisperer ,

 

Thanks for the response.

The main objective was to remove the below line in the query

| search h = hp742srv OR dell970srv OR dell428srv OR hp548srv OR dell429srv OR dell477srv OR dell433srv

 I tried a query similar to your query earlier but couldn't get the desired results as the original query.

Is there some other query technique I can use?

 

Regards,

Pravin

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-28-2022 05:29 AM

 

index=_internal 
    h IN (hp742srv, dell970srv, dell428srv, hp548srv, dell429srv, dell477srv, dell433srv)
    [ `set_local_host`] source=*license_usage.log* type="Usage" 
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) 
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) 
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) 
| bin _time span=1d 
| stats sum(b) as b by _time, pool, s, st, h, idx 
| timechart span=1d sum(b) AS volumeB by idx fixedrange=false limit=30

 

0 Karma
Reply

_pravin
Communicator
‎11-08-2022 01:33 AM

Hi @ITWhisperer ,

 

Thanks for the SPL but this actually changes the entire query results.

Doesn't work as intended.

 

Regards,

Pravin

0 Karma
Reply
Get Updates on the Splunk Community!

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...