Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search, use the same results for two different sub searches, then merge the results and chart them

rpecka
Explorer
‎04-27-2022 12:41 PM

I would like to narrow down my results and rename a few fields using an initial search, let's call these results A.

Then I want to take A and search on `event_type=event1` and massage the results to get B

Then take A and search on `event_type=event2` and massage the results to get C

Then I want to combine the results B and C and use chart to dedup and display the combined result.

With my current query, the column for stage1 in my table is all null, but if I do the search with the contents of the append at the root and remove the second search, I get populated results

My current query is the following:

 

index=... ... | rename some_field as taskID

| append [search "event.event_type"=event1 | eval stageDuration='event.payload.total_duration'-'event.payload.provisioning_duration' | eval stageID="stage1"]

| search "event.event_type"=event2 | rename event.payload.total_duration as stageDuration event.payload.stageID as stageID

| chart sum(stageDuration) over taskID  by stageID | table taskID, stage1, * | where isnull(stage4) | fillnull value=0

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-27-2022 10:23 PM

Depending on how complex your massaging is, you might want to consider combining the search and then use conditional evaluations

index-... (event.eventtype="event1" OR event.eventtype="event2")

| eval stageId=if('event.event_type'="event1","stage1","stage2")

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-27-2022 10:23 PM

Depending on how complex your massaging is, you might want to consider combining the search and then use conditional evaluations

index-... (event.eventtype="event1" OR event.eventtype="event2")

| eval stageId=if('event.event_type'="event1","stage1","stage2")

 

0 Karma
Reply
Solved! Jump to solution

rpecka
Explorer
‎05-03-2022 11:18 AM

You're right. What I’m trying to do is not as complicated as I thought it was. I only need to duplicate the case statement once to get what I need. Thank you!

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎04-27-2022 09:57 PM

You're appending results with event.event_type=event1 only to filter them out in the next step by searching fpr event.eve t_type=event2.

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...