Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

SET UNION problem with time reporting

pinzer
Path Finder
‎10-01-2010 01:19 PM

Dear All,

I'm doing a search with a set UNION, like this:

| SET UNION [SEARCH FOO | FIELDS fields IP, count] [ SEARCH BAR | FIELDS fields IP, count]

I can correctly see the list of IP, count but I cannot see nothing on timeline.

I'd like to have a timechart that indicate on X-axis the timeline and on Y-axis the number of events of Search FOO + number of events of Search BAR.

How can I do to obtain this?

Thank you

Tags (1)
0 Karma
Reply

fedevietti
New Member
‎10-04-2010 02:54 PM

Thank you nick,

the problem is that in "foo" and "bar" we are using a "rename" function.

This is because foo search, without rename function, returns (EG) the following fields:

A, B

The bar search (without rename) returns:

A, C

We have to count by B in the foo search and by C in bar search, and then filter where count is > of 10.

Something like this:

"(foo | rename B as D) OR (bar | rename C as D) | stats count by D | where count>10"

but whe I use rename on a search that is the put in OR with another, I received a "Error in 'UnifiedSearch': Unable to parse the 'unbalanced parentheses' search." ERROR.

Any idea about how can we do a "(foo | rename B as D) OR (bar | rename C as D) | stats count by D | where count>10" search?

Thank you

0 Karma
Reply

araitz
Splunk Employee
Splunk Employee
‎10-01-2010 11:43 PM

Done and done and done.

0 Karma
Reply

sideview
SplunkTrust
SplunkTrust
‎10-01-2010 05:50 PM

You dont need the set command to do this, but I can see why you tried it first.

Just search for this: 

( foo OR bar )

and then use eval and eval's 'searchmatch' function to paint a field on each row, denoting whether that row was matched by the 'foo' side or the 'bar side.

Assuming foo and bar are mutually exclusive then it's pretty simple. The following will show a timechart with two counts per time bucket . One count for the 'foo' events, one for the 'count' events.

( foo OR bar ) | eval type=if(searchmatch("foo"),"foo","bar") | timechart dc(remote_host) by type

and if you just want an overall count, this will do it too: 

( foo OR bar ) | eval type=if(searchmatch("foo"),"foo","bar") | stats dc(remote_host) by type

If foo and bar are not mutually exclusive you might have to get a little fancier.

And if there is already a field in the data that always has one value for the 'foo' events, and another value for the 'bar' events, just put that fieldname in your 'by' clause and dont bother with the eval at all.

Reply

sideview
SplunkTrust
SplunkTrust
‎10-01-2010 05:49 PM

Agreed. I suggest deleting the other question since this account is slightly older.

0 Karma
Reply

ftk
Motivator
‎10-01-2010 01:42 PM

Please don't double post with different accounts.

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...