Splunk Search

Loop through Splunk search for multiple values

anmohan0
Explorer

I want to get the below search executed and display the results in a table for all comma-separated values that get passed from the dropdown.

index="xxx" source = "yyyyzzz" AND $DropdownValue$ AND Input| eventstats max(_time) as maxTimestamp by desc| head 1 | dedup _time | eval lastTriggered = strftime(_time, "%d/%m/%Y %H:%M:%S %Z")| stats values(lastTriggered) as lastTriggeredTime| appendcols [search index="xxx" source = "yyyyzzz" sourcetype = "mule:rtf:per:logs" AND $DropdownValue$ AND Output| eventstats max(_time) as maxTimestamp by desc| head 1 | dedup _time | eval lastProcessed = strftime(_time, "%d/%m/%Y %H:%M:%S %Z")| stats values(lastProcessed) as lastProcessedTime] | appendcols [search index="xxx" source = "yyyyzzz" sourcetype = "mule:rtf:per:logs" AND $DropdownValue$ AND Error| eventstats max(_time) as maxTimestamp by desc| head 1 | dedup _time | eval lastErrored = strftime(_time, "%d/%m/%Y %H:%M:%S %Z")]|eval "COMPONENT ID"="$DropdownValue$"|eval "Last Triggered Time"=lastTriggeredTime |eval "Last Processed Time"=lastProcessedTime| eval "Last Errored Time"=lastErrored | table "COMPONENT ID", "Last Triggered Time", "Last Processed Time","Last Errored Time" | fillnull value="NOT IN LAST 12 HOURS" "COMPONENT ID","Last Triggered Time", "Last Processed Time","Last Errored Time"


For example, if $DropdownValue$ contains ABC,DEV, then the entire above-mentioned search should be executed twice and 2 rows of data should be displayed in the table. Can someone guide how this can be achieved?


0 Karma
1 Solution

P_vandereerden
Splunk Employee

This part suggests that the dropdown selections are values in the COMPONENT ID field:
"COMPONENT ID"="$DropdownValue$"

If that's the case, you could filter based on
"COMPONENT ID" IN ($DropdownValue$)
and join the subsearches on COMPONENT ID rather than appending columns.

Joins are not particularly efficient, so instead of that suggestion, I would look at pulling all the data from that index back in a single search, and conditionally evaluating the stats.

Paul

Paul van der Eerden,
Breaking software for over 20 years.


0 Karma
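As an added example (not Paul's code or anything from the original thread), this is one way to write the single-search, conditional-stats version he describes. It assumes the component identifier is indexed in a field called component_id (the thread never names the real field), that the Input/Output/Error terms from the original search mark the three stages in the raw event, and that the 12-hour window implied by the fillnull text is applied with earliest=-12h.

```spl
index="xxx" source="yyyyzzz" sourcetype="mule:rtf:per:logs" earliest=-12h
    component_id IN ($DropdownValue$) (Input OR Output OR Error)
| eval stage = case(searchmatch("Input"),  "Triggered",
                    searchmatch("Output"), "Processed",
                    searchmatch("Error"),  "Errored")
| stats max(eval(if(stage="Triggered", _time, null()))) as lastTriggeredTime
        max(eval(if(stage="Processed", _time, null()))) as lastProcessedTime
        max(eval(if(stage="Errored",   _time, null()))) as lastErroredTime
        by component_id
| foreach lastTriggeredTime lastProcessedTime lastErroredTime
    [ eval <<FIELD>> = strftime(<<FIELD>>, "%d/%m/%Y %H:%M:%S %Z") ]
| rename component_id as "COMPONENT ID", lastTriggeredTime as "Last Triggered Time",
         lastProcessedTime as "Last Processed Time", lastErroredTime as "Last Errored Time"
| fillnull value="NOT IN LAST 12 HOURS" "Last Triggered Time" "Last Processed Time" "Last Errored Time"
```

One row comes out per component that had at least one event in the window, so the three appendcols subsearches collapse into a single pass over the index; a component with no events at all produces no row, because stats only groups values it actually sees. If a row for every selected value is required regardless, the selected values have to be added to the result set (for example from the token) before the stats.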

anmohan0
Explorer

Thanks @P_vandereerden and it worked as the way I wanted.

0 Karma

yuanliu
SplunkTrust

Like @P_vandereerden says, SPL is totally different from procedural languages. You need to think differently. One point is: explicit iteration should be used sparingly. There are also lots of other elements in the illustrated code that make it "unSPL", and some are unnecessary.

For a problem like this, it is better to follow my four golden rules ("four commandments") of asking answerable questions.

To ask an answerable data analytics question, follow these golden rules; nay, call them the four commandments:

  • Illustrate data input (in raw text, anonymize as needed), whether they are raw events or output from a search that volunteers here do not have to look at.
  • Illustrate the desired output from illustrated data.
  • Explain the logic between illustrated data and desired output without SPL.
  • If you also illustrate attempted SPL, illustrate actual output and compare with desired output, explain why they look different to you if that is not painfully obvious.

In your case, you also want to illustrate how the desired output changes when the token takes different values. One more tip: use Splunk's auto-format feature to format SPL if there are more than a couple of pipes. Like this:

index="xxx" source = "yyyyzzz" AND $DropdownValue$ AND Input
| eventstats max(_time) as maxTimestamp by desc
|  head 1
| dedup _time
| eval lastTriggered = strftime(_time, "%d/%m/%Y %H:%M:%S %Z")
| stats values(lastTriggered) as lastTriggeredTime
| appendcols
    [search index="xxx" source = "yyyyzzz" sourcetype = "mule:rtf:per:logs" AND $DropdownValue$ AND Output
    | eventstats max(_time) as maxTimestamp by desc
    | head 1
    | dedup _time
    | eval lastProcessed = strftime(_time, "%d/%m/%Y %H:%M:%S %Z")
    | stats values(lastProcessed) as lastProcessedTime]
| appendcols
    [search index="xxx" source = "yyyyzzz" sourcetype = "mule:rtf:per:logs" AND $DropdownValue$ AND Error
    | eventstats max(_time) as maxTimestamp by desc
    | head 1
    | dedup _time
    | eval lastErrored = strftime(_time, "%d/%m/%Y %H:%M:%S %Z")]
| eval "COMPONENT ID"="$DropdownValue$"
| eval "Last Triggered Time"=lastTriggeredTime
| eval "Last Processed Time"=lastProcessedTime
| eval "Last Errored Time"=lastErrored
| table "COMPONENT ID", "Last Triggered Time", "Last Processed Time","Last Errored Time"
| fillnull value="NOT IN LAST 12 HOURS" "COMPONENT ID","Last Triggered Time", "Last Processed Time","Last Errored Time"

After this formatting, you can easily see why some commands are wasteful.

0 Karma
