Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

help to use token filters with a append subsearch

jip31
Motivator
‎11-03-2020 05:44 AM

hello

 

i use the search below which works fine

| inputlookup lookup_patch
| lookup fo_all HOSTNAME as host output SITE DEPARTMENT RESPONSIBLE 
| stats dc(host) as host by SITE DEPARTMENT RESPONSIBLE
| stats sum(host) as NbNonCompliantPatchesIndHost by SITE DEPARTMENT RESPONSIBLE
| append 
    [| inputlookup lookup_patch
    | lookup fo_all HOSTNAME as host output SITE DEPARTMENT RESPONSIBLE
    | stats dc(host) as NbIndHost by SITE DEPARTMENT RESPONSIBLE ] 
| search SITE=* 
| search DEPARTMENT=* 
| search RESPONSIBLE_USER=* 
| stats values(*) as * by SITE DEPARTMENT RESPONSIBLE
| eval Perc=round((NbNonCompliantPatchesIndHost/NbIndHost)*100,2) 
| table Perc, NbIndHost, NbNonCompliantPatchesIndHost

 

 As you can see, I use token filters for SITE, DEPARTMENT and RESPONSIBLE fields

The problem I have is when I keep * in this token filters 

For example, if I choose * for SITE but I choose a name for RESPONSIBLE, I would be able calculate and to cumulate the Perc value and as a consequence the NbIndHost and the NbNonCompliantPatchesIndHost values for this RESPONSIBLE 

Is it possible to do this?

Thanks

Labels (1)
Labels
Tags (1)
0 Karma
Reply

jip31
Motivator
‎11-03-2020 08:16 AM

sorry for this example I have modified the search

there is a condition in the first search :

| search PC=1 AND StateName="Non-Compl"

So not all the resulst are equal to 100%

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-03-2020 08:37 AM

Will this work?

| inputlookup lookup_patch
| lookup fo_all HOSTNAME as host output SITE DEPARTMENT RESPONSIBLE 
| eval noncomplhost=if(PC=1 AND StateName="Non-Compl",host,null)
| stats dc(host) as NbIndHost dc(noncomplhost) as NbNonCompliantPatchesIndHost by SITE DEPARTMENT RESPONSIBLE
| search SITE=* 
| search DEPARTMENT=* 
| search RESPONSIBLE_USER=* 
| eval Perc=round((NbNonCompliantPatchesIndHost/NbIndHost)*100,2) 
| table Perc, NbIndHost, NbNonCompliantPatchesIndHost
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-03-2020 07:37 AM

What am I missing?

| inputlookup lookup_patch

Get contents of lookup_patch

| lookup fo_all HOSTNAME as host output SITE DEPARTMENT RESPONSIBLE

 Get SITE DEPARTMENT and RESPONSIBLE for all host in lookup_patch

| stats dc(host) as host by SITE DEPARTMENT RESPONSIBLE

Count distinct host for all SITE DEPARTMENT RESPONSIBLE combinations and call that host i.e. host is now a number

| stats sum(host) as NbNonCompliantPatchesIndHost by SITE DEPARTMENT RESPONSIBLE

 Sum all distinct counts by SITE DEPARTMENT RESPONSIBLE. Since this is the same as previous stats, there will only be one host value per SITE DEPARTMENT RESPONSIBLE combination, therefore host = NbNonCompliantPatchesIndHost

Now append the same information except call it NbIndHost

NbNonCompliantPatchesIndHost = NbIndHost

So all percentages are 100%

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...