Splunk Search

changing `host` and persisting the result

Explorer

I am trying to make this query work:
index="main" | eval host=asset_id | collect index="scanned_app"
where asset_id is a field, not a static value.

Two observations regarding the query:
- without | collect ..., the search shows data as I expect it - with the meta-field host changed
- with | collect ..., the resulting index carries host unchanged from the main index

Q: how do I change the host, so that it can be persisted in another index?
index="main" | eval *magic_here* | collect index="scanned_app"

0 Karma

Splunk Employee

You can try and wrap your search in the map command, which dynamically lets you generate another search.

This generates an event in the summary index with host=hello set from the outer search.

| makeresults count=1
| eval asset_id="hello"
| map search="
search
index=\"main\"
| collect index=scanned_app host=$asset_id$
"

j

0 Karma

Splunk Employee

This will work. Remember that the map command, by default, is limited to only 10 sub-search iterations. Use the option maxsearches=10000 or something more appropriate for your data set.

Converting the above to your actual search, see below. You probably don't need "_time=$orig_time$," in the eval.

index="main"
| eval orig_time=_time, orig_raw=_raw
| map maxsearches=10000 search="| makeresults count=1
| eval _time=$orig_time$, _raw=\"$orig_raw$\"
| collect index=\"scanned_app\" sourcetype=X host=$asset_id$"

0 Karma
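A variant of the map-based approach, added here as an example and not taken from any reply in this thread: instead of one sub-search per event that rebuilds _time and _raw through makeresults, it runs one sub-search per distinct asset_id value, so collect sees the original events (their own _time and _raw intact) and only the host written to the summary index differs. It assumes asset_id is already a search-time extracted field in index=main, that its values contain no double quotes (map substitutes $asset_id$ literally into the search string), and that the time range is repeated in the sub-search rather than inherited; sourcetype=scanned_app and the 24h window are chosen values.

```spl
index="main" earliest=-24h@h latest=@h
| stats count AS event_count BY asset_id
| where asset_id!=""
| map maxsearches=10000 search="
    search index=\"main\" earliest=-24h@h latest=@h asset_id=\"$asset_id$\"
    | collect index=\"scanned_app\" sourcetype=scanned_app host=$asset_id$
"

index="main" earliest=-24h@h latest=@h
| stats count AS main_count BY asset_id
| rename asset_id AS host
| join type=left host
    [ search index="scanned_app" earliest=-24h@h latest=@h
      | stats count AS summary_count BY host ]
| where isnull(summary_count) OR main_count!=summary_count
```

The second search is a consistency check to run after the first: it lists every asset_id whose event count in index=main does not match the count under that host in index=scanned_app, so an empty result means the rewrite persisted completely.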

Explorer

@jbjerkesplunk and @pwildsplunk thank you for the comments. Could you perhaps help me understand why the SPL index="main" | eval host=asset_id | collect index="scanned_app" works without |collect... and does not work with |collect...? What is happening during |collect...?

0 Karma

Influencer

@mushkevych - Since host is a default field, the collect command will look for the default fields source, sourcetype and host unless you override them in the collect command.

0 Karma

Explorer

@Vijeta thank you for the reply. Perhaps you can advise how to override the default field host in the collect command?

0 Karma

Influencer

Since you want the host value to be assigned to a variable asset_id, you will have to use the map command as mentioned by @pwildsplunk.

0 Karma

Splunk Employee

Try this

index="main" | eval _raw=_raw.",host=".asset_id | collect index="scanned_app"

0 Karma

Splunk Employee

This may not do what you want. The events in the summary index will contain a host field that is multi-valued, containing the indexed host field as well as the auto-extracted host value. If the purpose of this is to create a dashboard or graph, you may be able to work with the data by removing the first value with something like this.

| eval host=mvindex(host,1)

0 Karma

SplunkTrust

Can you elaborate? Is asset_id a field or a static value?
Also, what is it that you are trying to accomplish? I sense a lookup will serve you better here.

0 Karma

Explorer

asset_id is a field.
My goal is to transform the data set by changing the host value and persisting it in another index.
P.S. Updated the question to reflect your comment.

0 Karma