Splunk Search

SET UNION problem with time reporting

Path Finder

Dear All,

I'm doing a search with a set UNION, like this:

| set union [search foo | fields IP, count] [search bar | fields IP, count]

I can correctly see the list of IP, count, but I cannot see anything on the timeline.

I'd like to have a timechart that indicates on the X-axis the timeline and on the Y-axis the number of events of search FOO plus the number of events of search BAR.

How can I obtain this?

Thank you


Re: SET UNION problem with time reporting

Motivator

Please don't double post with different accounts.


Re: SET UNION problem with time reporting

SplunkTrust

Agreed. I suggest deleting the other question since this account is slightly older.


Re: SET UNION problem with time reporting

SplunkTrust

You don't need the set command to do this, but I can see why you tried it first.

Just search for this:

( foo OR bar ) 

and then use eval and eval's 'searchmatch' function to paint a field on each row, denoting whether that row was matched by the 'foo' side or the 'bar' side.

Assuming foo and bar are mutually exclusive then it's pretty simple. The following will show a timechart with two counts per time bucket. One count for the 'foo' events, one for the 'count' events.

( foo OR bar ) | eval type=if(searchmatch("foo"),"foo","bar") | timechart dc(remote_host) by type

and if you just want an overall count, this will do it too:

( foo OR bar ) | eval type=if(searchmatch("foo"),"foo","bar") | stats dc(remote_host) by type

If foo and bar are not mutually exclusive you might have to get a little fancier.

And if there is already a field in the data that always has one value for the 'foo' events, and another value for the 'bar' events, just put that fieldname in your 'by' clause and don't bother with the eval at all.


Re: SET UNION problem with time reporting

Splunk Employee

Done and done and done.


Re: SET UNION problem with time reporting

New Member

Thank you, nick,

the problem is that in "foo" and "bar" we are using a "rename" function.

This is because the foo search, without the rename function, returns (e.g.) the following fields:

A, B

The bar search (without rename) returns:

A, C

We have to count by B in the foo search and by C in the bar search, and then filter where count is > 10.

Something like this:

"(foo | rename B as D) OR (bar | rename C as D) | stats count by D | where count>10"

but when I use rename on a search that is then put in OR with another, I receive an "Error in 'UnifiedSearch': Unable to parse the 'unbalanced parentheses' search." error.

Any idea about how we can do a "(foo | rename B as D) OR (bar | rename C as D) | stats count by D | where count>10" search?

Thank you

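The searchmatch tagging from nick's answer, as an added example that is not part of this thread, extended to the two cases the thread leaves open: foo and bar overlapping (case() instead of if(), so an event matched by both is tagged "both" rather than silently counted as "foo") and the follow-up's rename problem (rename cannot sit inside a parenthesised OR term of the base search, which is what the parser rejects; coalesce() after the search gives the same common field D from B or C). foo, bar, B and C are the thread's placeholders; the 1h span, the D_count name and the >10 threshold are my assumptions, the threshold taken from the follow-up post.

```spl
(foo) OR (bar)
| eval type=case(
      searchmatch("foo") AND searchmatch("bar"), "both",
      searchmatch("foo"), "foo",
      searchmatch("bar"), "bar")
| eval D=coalesce(B, C)
| eventstats count AS D_count BY D
| where D_count > 10
| timechart span=1h count BY type
```

eventstats keeps every event while attaching the per-D total, so the where clause drops sources with 10 or fewer events and the timechart still shows the surviving events over time, split by which side matched them; replace the final timechart with `stats count BY D` to get the flat per-source table the follow-up asked for.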