Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Using token in query where token is evaluated in the query itself

denzelchung
Path Finder
‎06-02-2019 07:22 PM

I have the following query to be performed, where "STRING" is replaced across different queries. Is there a way to replace the STRING with a token and make it such that only 1 query is performed?

host="$host$" "STRING" | sort -_time | head 1 | eval time = _time
| eval sender = "STRING" 
| table sender time
...
host="$host$" "STRING2" | sort -_time | head 1 | eval time = _time
| eval sender = "STRING2" 
| table sender time
...
host="$host$" "STRING3" | sort -_time | head 1 | eval time = _time
| eval sender = "STRING3" 
| table sender time
...

Simplify to be something like this where $sender$ is set to a dynamic value, but the following doesn't work.

<query id="masterQuery">
    host="$host$" "$sender$" | sort -_time | head 1 | eval time = _time
    | table sender time
</query>
...
<query base="masterQuery"> | eval sender = "xx" </query>
<query base="masterQuery"> | eval sender = "yy" </query>
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

VatsalJagani
SplunkTrust
SplunkTrust
‎06-03-2019 11:36 PM

Hi @denzelchung,

If you want your search to run only once and do further processing you can do with basesearch, where you add dynamic search content in child search rather than in base-search, hence your base search will be executed only once.

<query id="masterQuery">
     host="$host$" | sort -_time | head 1 | eval time = _time
     | table sender time *
 </query>
 ...
 <query base="masterQuery"> | search "$sender$"| eval sender = "xx" </query>
 <query base="masterQuery"> | search "$sender$"| eval sender = "yy" </query>

But, as we are adding search command later most of the time searching all three queries requires less time than this base search as this base-search does not have more search criteria and will return lots of result to process.

So choose your approach wisely. Hope this helps!!!

View solution in original post

Reply
Solved! Jump to solution
Solution

VatsalJagani
SplunkTrust
SplunkTrust
‎06-03-2019 11:36 PM

Hi @denzelchung,

If you want your search to run only once and do further processing you can do with basesearch, where you add dynamic search content in child search rather than in base-search, hence your base search will be executed only once.

<query id="masterQuery">
     host="$host$" | sort -_time | head 1 | eval time = _time
     | table sender time *
 </query>
 ...
 <query base="masterQuery"> | search "$sender$"| eval sender = "xx" </query>
 <query base="masterQuery"> | search "$sender$"| eval sender = "yy" </query>

But, as we are adding search command later most of the time searching all three queries requires less time than this base search as this base-search does not have more search criteria and will return lots of result to process.

So choose your approach wisely. Hope this helps!!!

Reply
Solved! Jump to solution

denzelchung
Path Finder
‎06-04-2019 01:28 AM

Thank you! This is exactly that I'm looking for! I couldn't figure out how to do it.

Reply
Solved! Jump to solution

niketn
Legend
‎06-03-2019 04:43 AM

@denzelchung it would be better if you explain what is the data you have and what is the output required. Seems like you are complicating the use case.

What is the reason to perform several queries, do you want to have separate visualization for each result? Have you tried Trellis Layout in this case?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

denzelchung
Path Finder
‎06-03-2019 05:56 PM

Hi @niketnilay, I am trying to evaluate sender to be a fixed string. I have over 10 of these strings and I want 10 different individual visualization.

I don't think Trellis Layout fits my case as they cannot be split by sourcetype, host, etc.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...