Splunk Search

Passing results to next command one at a time and using event results in parameters

Communicator

Trying to get a search working where, instead of the whole result set passing to the next command as one, the results would pass over one at a time in a sort of loop fashion. Then also use that value as a parameter value in the next command.

Here is a simple example.

Let's say I have this search:

"blah"
| top host
| fields + host
| throttle name=mytest period=300
| sendemail to=somebody sendresults=true

Let's say this returns two hostnames which pass through the AlertThrottle app throttle command, that then sets the suppression state and fires an email. The email contains the two hostnames from the result set.

I'd like to have each hostname pass through to the throttle command individually and also use the hostname to populate the "name=" value in the throttle portion. So that after the single search it is equivalent to:

hostname1 -> | throttle name=$host period 300 | sendemail to=somebody sendresults=true
hostname2 -> | throttle name=$host period 300 | sendemail to=somebody sendresults=true

So each result (two hostnames) generates a separate email and also uses that hostname as a parameter value.

Are both of those two conditions even possible?

Thanks,

Scott

1 Solution

Splunk Employee

You could in theory use the map search command.

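A worked version of the map approach, added here as an illustration and not taken from the answer above. It assumes `throttle` is the AlertThrottle app command from the question and that it accepts a value substituted by `map` in its `name=` parameter; `"blah"` and `somebody` are the question's own placeholders. `map` runs its subsearch once per input row and replaces each `$field$` token with that row's value, so every host gets its own throttle name and its own email.

```spl
"blah"
| top host
| fields + host
| map maxsearches=10 search="search \"blah\" host=$host$
    | head 1
    | fields host
    | throttle name=$host$ period=300
    | sendemail to=somebody sendresults=true"
```

`maxsearches` caps how many iterations `map` will run (the default is 10), so raise it if `top host` can return more hosts than that; rows beyond the cap are silently skipped. The `| head 1 | fields host` step keeps the per-iteration result set to a single row carrying that host, which is what `sendresults=true` then puts in the email. As the follow-up comment in this thread notes, `map` was not supported in distributed mode before Splunk 4.2, so check the version before relying on this.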


Communicator

Thanks for the answer, looks like this should allow the variable usage - but couldn't test successfully and then found your comments in a different ticket about map/<4.2/distributed_mode not being supported, so guessing that is why. I'll give this a try once 4.2 is released. Thanks!
