Splunk Search

Splunk: Return One or True from a search, use that result in another search

Bleepie
Communicator

Dear Splunk community,

In Splunk, I am looking for logs that say "started with profile: [profile name]" and retrieve the profile name from found events. Then I want to use the profile name to look for other events (from a different source) and if one error or more are found, I would like to let it count as one found error, per platform.

To make things more clear I have the following search query (query one):

 

 index="myIndex" "started with profile" BD_L* | table _raw, platform, RUNID | eval Platform=case(searchmatch("LINUX"),"LINUX",searchmatch("AIX"),"AIX",searchmatch("DB2"),"DB2", searchmatch("SQL"),"SQL", searchmatch("WEBSPHERE"),"WEBSPHERE", searchmatch("SYBASE"),"SYBASE", searchmatch("WINDOWS"),"WINDOWS", true(),"ZLINUX") | stats count by Platform | rename count AS "Amount" 

 

The events found from above query contains the following (raw) :

 

 Discovery run, 2021101306351355 started with profile BD_L2_Windows 

 

The above query will return a list of events containing the raw data above and will result in the following table. This is a table with the amount of Discovery runs per platform:

Bleepie_0-1635156292395.png

Using the following piece of code I can extract RUNID from the events. RUNID is what I need to use in a second search when looking for errors:

 

 | rex "Discovery run, (?.+) started with profile" 

 

Using RUNID I can look for errors (query two):

 

 index="myIndex" source="/*/RUNID/*" CASE("ERROR") CTJT* | dedup _raw | stats count | rename count AS "Amount" 

 

Now, I am looking for a way to combine the above two queries into one and count the amount of platforms that have at least one error. So lets say we have the following simulation:

  • - Two runs (one Windows and one Linux)
  • - Windows run has 0 errors (none found in query 2)
  • - Linux has 6 errors (found in query 2)

This should result in the following results:

 

Platform | Amount 
Linux    |      1 

 

I need to find some way to return true or one from query 2 and use that in query 1 to group the results, but I am unable to due to lack of experience. I have not yet found anything similair to my question and hope anyone here can help me out. Thanks in advance.

 

 

 

 

 

 

 

 

 

 

Labels (2)
0 Karma

PickleRick
SplunkTrust
SplunkTrust

You could do some fancy joins or - god forbid - maps but I'd just do one search, then append results from the other one (making sure that column names overlap where needed - especially extracting RUNID from source) and then do some stats by RUNID.

That's the general idea.

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...