Dear Splunk community,
In Splunk, I am looking for logs that say "started with profile: [profile name]" and retrieve the profile name from found events. Then I want to use the profile name to look for other events (from a different source) and if one error or more are found, I would like to let it count as one found error, per platform.
To make things more clear I have the following search query (query one):
index="myIndex" "started with profile" BD_L* | table _raw, platform, RUNID | eval Platform=case(searchmatch("LINUX"),"LINUX",searchmatch("AIX"),"AIX",searchmatch("DB2"),"DB2", searchmatch("SQL"),"SQL", searchmatch("WEBSPHERE"),"WEBSPHERE", searchmatch("SYBASE"),"SYBASE", searchmatch("WINDOWS"),"WINDOWS", true(),"ZLINUX") | stats count by Platform | rename count AS "Amount"
The events found from above query contains the following (raw) :
Discovery run, 2021101306351355 started with profile BD_L2_Windows
The above query will return a list of events containing the raw data above and will result in the following table. This is a table with the amount of Discovery runs per platform:
Using the following piece of code I can extract RUNID from the events. RUNID is what I need to use in a second search when looking for errors:
| rex "Discovery run, (?.+) started with profile"
Using RUNID I can look for errors (query two):
index="myIndex" source="/*/RUNID/*" CASE("ERROR") CTJT* | dedup _raw | stats count | rename count AS "Amount"
Now, I am looking for a way to combine the above two queries into one and count the amount of platforms that have at least one error. So lets say we have the following simulation:
This should result in the following results:
Platform | Amount
Linux | 1
I need to find some way to return true or one from query 2 and use that in query 1 to group the results, but I am unable to due to lack of experience. I have not yet found anything similair to my question and hope anyone here can help me out. Thanks in advance.
You could do some fancy joins or - god forbid - maps but I'd just do one search, then append results from the other one (making sure that column names overlap where needed - especially extracting RUNID from source) and then do some stats by RUNID.
That's the general idea.