Splunk Search

connect/concatenate two searches into one and visualize it as a single value

C4r7m4n
Path Finder

Hello

I have two searches:
Search A: BGP_NEIGHBOR_STATE_CHANGED source="udp:514" AND ("Established to Idle" OR "Established to Active" OR "Established to OpenConfirm") | stats count as BGP_DOWN | rangemap field=BGP_DOWN low=0-0 elevated=1-1 default=severe

Search B: BGP-5-ADJCHANGE source="udp:514" Down | rex field=_raw "neighbor (?<neighbor>.*)" | table neighbor | dedup neighbor | stats count as BGP_DOWN | rangemap field=BGP_DOWN low=0-0 elevated=1-1 default=severe

I want to connect these two searches into one and represent it as a single value.

I've tried something like this:

((BGP_NEIGHBOR_STATE_CHANGED ("Established to Idle" OR "Established to Active" OR "Established to OpenConfirm") OR (BGP-5-ADJCHANGE Down | rex  field=_raw "neighbor (?<neighbor>.*)" | table neighbor | dedup neighbor)) AND source="udp:514" | stats count as BGP_DOWN  | rangemap field=BGP_DOWN low=0-0 elevated=1-1 default=severe

But I get error: Error in 'search' command: Unable to parse the search: unbalanced parentheses.

Is there a way to connect/concatenate two searches into one and visualize this as a single value?

Best Regards,
C4r7m4n

0 Karma
1 Solution

C4r7m4n
Path Finder

Hello @Ayn

Yes, you were right, I didn't notice the search word.

I've changed this and it's working, but I don't know why it's counting 2 times more 😞

This is my changed search:
BGP_NEIGHBOR_STATE_CHANGED source="udp:514" AND ("Established to Idle" OR "Established to Active" OR "Established to OpenConfirm") | append [search BGP-5-ADJCHANGE source="udp:514" Down | rex field=_raw "neighbor (?<neighbor>.*)" | table neighbor | dedup neighbor] | stats count as BGP_DOWN | rangemap field=BGP_DOWN low=0-0 elevated=1-1 default=severe

With code: stats count as BGP_DOWN | rangemap field=BGP_DOWN low=0-0 elevated=1-1 default=severe

it's counting to 6 instead of 3. Do you have any idea why?

0 Karma
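The `append` form above counts every row that either branch returns, so BGP_DOWN is the sum of the two branches' rows, not a count of affected neighbors. This diagnostic variant is an added example, not a search from the thread: it tags each branch with an `eval` field before appending and reports the per-branch row counts and the distinct neighbors beside the total, which shows where a doubled count comes from. The `\S+` in the rex is an assumption that the neighbor address is a single token; with the original `.*` the captured value includes the rest of the line, so `dedup neighbor` no longer collapses repeated neighbors.

```spl
BGP_NEIGHBOR_STATE_CHANGED source="udp:514" AND ("Established to Idle" OR "Established to Active" OR "Established to OpenConfirm")
| eval branch="state_changed"
| append
    [ search BGP-5-ADJCHANGE source="udp:514" Down
      | rex field=_raw "neighbor (?<neighbor>\S+)"
      | dedup neighbor
      | eval branch="adjchange" ]
| stats count AS BGP_DOWN,
        count(eval(branch="state_changed")) AS state_changed_rows,
        count(eval(branch="adjchange")) AS adjchange_rows,
        dc(neighbor) AS distinct_neighbors
| rangemap field=BGP_DOWN low=0-0 elevated=1-1 default=severe
```

If the single value is meant to represent the number of neighbors currently down rather than the number of matching log lines, `dc(neighbor)` is the field to feed into rangemap instead of `count`.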

dart
Splunk Employee

Try:

source="udp:514" ((BGP_NEIGHBOR_STATE_CHANGED ("Established to Idle" OR "Established to Active" OR "Established to OpenConfirm") OR (BGP-5-ADJCHANGE Down)) | rex  field=_raw "neighbor (?<neighbor>.*)" | table neighbor | dedup neighbor | stats count as BGP_DOWN  | rangemap field=BGP_DOWN low=0-0 elevated=1-1 default=severe

0 Karma

C4r7m4n
Path Finder

Hello @dart

Your code doesn't work for me. I have the same error as before: Error in 'search' command: Unable to parse the search: unbalanced parentheses.

Secondly, I think it cannot work because in Search A there is no word neighbor, so if you concatenate the two first searches and then try to search by the neighbour regexp, then when Search A occurs the regexp will not filter this.

I don't know if I wrote this clearly...

0 Karma

Ayn
Legend
0 Karma

Drainy
Champion

At the start of a search within [ ] you need to use the word search. I suspect you have copied and pasted your original search into the brackets.

0 Karma

C4r7m4n
Path Finder

Hello @Ayn

I tried a couple of seconds ago what you have sent me and I've got error:

Search operation 'bgp' is unknown. You might not have permission to run this operation.

0 Karma