I need to identify hosts with errors, but only in block mode
MY SPL
---------
index=firewall event_type="error [search index=firewall sourcetype="metadata" enforcement_mode=block]
| dedup host
| table event_type, host, ip
------------------
Each search works separately, but combined it sits on "parsing job" with no result for a long time.
Thank you
As both searches invoke the same index, there is probably not much point (unless you have a very, very specific use case) in using a subsearch here.
Just search for
index=firewall event_type=error sourcetype=metadata enforcement_mode=block
Because that's effectively what your search would do.
Having said that - that is probably _not_ what you need.
I'd hazard a guess that you're probably looking for something like
index=firewall
| stats values(event_type) as event_types values(sourcetype) as sourcetypes values(enforcement_mode) as enforcement_modes by host
| search enforcement_modes="block"
Something in my solution is not right.
It works for only one condition (one or the other), but combined they produce zero events.
---------
Events reported
-----------
index=firewall (sourcetype=collector OR sourcetype=metadata) enforcement_mode=block
|table event_type, hostname, ip
-------------
Events reported
-----------
index=firewall (sourcetype=collector OR sourcetype=metadata) event_type="error"
|table event_type, hostname, ip
------------
No events reported
index=firewall (sourcetype=collector OR sourcetype=metadata) enforcement_mode=block event_type="error"
|table event_type, hostname, ip
Have you tried my suggestion?
Thank you very much for your help.
The code that works 🙂
-------
index=firewall event_type="error" [search index=firewall sourcetype="metadata" enforcement_mode=block
| dedup host1
| table host1
| format]
| dedup host
| table event_type, host, ip
-----------
Be aware that subsearches have limitations and it can be nasty if you hit the limit because the search will be finalized silently. You won't know something's not right.
Also the
| dedup host
| table host
part is quite suboptimal.
And in general be wary when using the dedup command (you have it in outer search as well) - it might behave differently than you'd expect.
Since it's the same index with two different source types, could the SPL be built differently?
-------------------
index=firewall (sourcetype=collector OR sourcetype=metadata) enforcement_mode=block event_type="error"
|table event_type, hostname, ip
Thank you
Something in my solution is not right.
It works for only one condition (one or the other), but combined they produce zero events.
---------
Events
index=firewall (sourcetype=collector OR sourcetype=metadata) enforcement_mode=block
|table event_type, hostname, ip
-------------
Events
index=firewall (sourcetype=collector OR sourcetype=metadata) event_type="error"
|table event_type, hostname, ip
------------
No events
index=firewall (sourcetype=collector OR sourcetype=metadata) enforcement_mode=block event_type="error"
|table event_type, hostname, ip
--------------
index=firewall (sourcetype=collector OR sourcetype=metadata) (enforcement_mode=block OR event_type="error")
|table event_type, hostname, ip
You haven't told us what you want the search to do so I'm only guessing. Probably your hosts log events which have either enforcement_mode=block field or event_type=error field but no single event has both of these fields set. So your "combined" search will not find them because both conditions aren't fulfilled in a single event.
That's why you need to correlate multiple events by using either transaction or stats (the stats approach is preferred due to the transaction command's limitations).
You could do that, if it gives you what you need.
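As an added example (not written by any poster in this thread), this is the stats-based correlation the reply above recommends. It assumes the field names mentioned in the thread (host1 in metadata events, host in collector events, ip) and that the block-mode and error conditions arrive in separate events for the same host:

```spl
index=firewall (sourcetype=collector OR sourcetype=metadata)
    (event_type="error" OR enforcement_mode=block)
| eval hostkey=coalesce(host1, host)
| stats values(event_type) as event_types
        values(enforcement_mode) as enforcement_modes
        values(ip) as ips
        values(sourcetype) as sourcetypes
        by hostkey
| search event_types="error" AND enforcement_modes="block"
| table hostkey, ips, event_types, enforcement_modes, sourcetypes
```

The first line pulls both kinds of events in one pass, stats folds them into one row per host, and the final search keeps only hosts that contributed both an error event and a block-mode event; because the join happens in stats rather than in a subsearch, the subsearch result limit mentioned earlier does not apply.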
Thank you.
Because in different data sources I see the host name under different fields,
i.e. in metadata "host1" and in collector just "host", I added a rename:
index=firewall event_type="error" [search index=firewall sourcetype="metadata" enforcement_mode=block
| rename host1 as host
|dedup host
| table host
| format]
| table event_type, host, ip
--------
Now I am back to square 1 - it runs but produces no events and never finishes.
host is a field sometimes populated by Splunk to identify where logs were ingested from - could this be your issue?
Try something like this
index=firewall event_type="error" [search index=firewall sourcetype="metadata" enforcement_mode=block
| dedup host
| format]
| table event_type, host, ip
Thank you.
Unfortunately the proposed change produced 0 events.
Sorry, I missed a line, try this
index=firewall event_type="error" [search index=firewall sourcetype="metadata" enforcement_mode=block
| dedup host
| table host
| format]
| table event_type, host, ip