Solved: Refining the search query using dynamic values

_pravin · ‎11-08-2022

Hi Community,

I have a search query where I am trying to get values for the search from the results of another query.

index=_internal
[ `set_local_host`] source=*license_usage.log* type="Usage"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| bin _time span=1d
| stats sum(b) as b by _time, pool, s, st, h, idx
| search pool = "*"
| search h = hp742srv OR dell970srv OR dell428srv OR hp548srv OR dell429srv OR dell477srv OR dell433srv
| timechart span=1d sum(b) AS volumeB by idx fixedrange=false limit=30
| join type=outer _time
[ search index=_internal
[ `set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d
| eval _time=_time - 43200
| bin _time span=1d
| stats latest(stacksz) AS "stack size" by _time]
| fields - _timediff
| foreach *
[ eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

The search statement in line number 9 has a list of host names which I have entered manually using the OR operator. The below query can generate the list of results but I am not able to use the result in the above query.

index=mx_logs "mx.env"="dell1192srv.fr.mx.com:15022" 
|  table host 
|  dedup host

How can I use the results from the 2nd query dynamically in the first SPL query?

Thanks in advance.

Regards,

Pravin

ITWhisperer · ‎11-08-2022

index=_internal
[ `set_local_host`] source=*license_usage.log* type="Usage"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| bin _time span=1d
| stats sum(b) as b by _time, pool, s, st, h, idx
| search pool = "*"
| search [search index=mx_logs "mx.env"="dell1192srv.fr.mx.com:15022" 
|  table host 
|  dedup host
| rename host as h
| format]
| timechart span=1d sum(b) AS volumeB by idx fixedrange=false limit=30
| join type=outer _time
[ search index=_internal
[ `set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d
| eval _time=_time - 43200
| bin _time span=1d
| stats latest(stacksz) AS "stack size" by _time]
| fields - _timediff
| foreach *
[ eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

View solution in original post

ITWhisperer · ‎11-08-2022

index=_internal
[ `set_local_host`] source=*license_usage.log* type="Usage"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| bin _time span=1d
| stats sum(b) as b by _time, pool, s, st, h, idx
| search pool = "*"
| search [search index=mx_logs "mx.env"="dell1192srv.fr.mx.com:15022" 
|  table host 
|  dedup host
| rename host as h
| format]
| timechart span=1d sum(b) AS volumeB by idx fixedrange=false limit=30
| join type=outer _time
[ search index=_internal
[ `set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d
| eval _time=_time - 43200
| bin _time span=1d
| stats latest(stacksz) AS "stack size" by _time]
| fields - _timediff
| foreach *
[ eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

_pravin · ‎11-08-2022

Thanks @ITWhisperer

Refining the search query using dynamic values

fields

subsearch

table

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Join the Conversation