Solved: use source within map command

chrkohm · ‎08-06-2020

Hi,

I have several log files that I´m "batch indexing".

for example:

file01.log
file02.log
file03.log
file04.log

Now I´m searching if an field equals an value like State=4

And now I just want to do another search that searches only in this source-files where the State was 4.

I tried this:

index=test sourcetype=XY State=4 | stats count by source |map search="search index=test sourcetype=XY source=$source$ |stats values(cpu) by _time "

but I´m getting no results.

If I run the first search without the map section, I´m getting the source-files as an List

chrkohm · ‎08-07-2020

I figured it out:

index=test sourcetype=XY cpu="*"
[search index=test sourcetype=XY State=4 |table source]
|table source State cpu
|join source [search index=test sourcetype=XY State=4 |table source State ]
|table State cpu

View solution in original post

to4kawa · ‎08-06-2020

| tstats max(PREFIX("cpu=")) as cpu where index=test sourcetype=XY (source=file01.log OR source=file02.log OR source=file03.log OR source=file04.log) by PREFIX("State=") _time
| where 'State='=4

chrkohm · ‎08-06-2020

ok, but I can´t name every file.log because there are thousands...

to4kawa · ‎08-06-2020

| tstats max(PREFIX("cpu=")) as cpu where index=test sourcetype=XY [|tstats count where index=test sourcetype=XY by source| fields source | format ] by PREFIX("State=") _time
| where 'State='=4

The conditions change too much.

chrkohm · ‎08-07-2020

I figured it out:

index=test sourcetype=XY cpu="*"
[search index=test sourcetype=XY State=4 |table source]
|table source State cpu
|join source [search index=test sourcetype=XY State=4 |table source State ]
|table State cpu

use source within map command

Other

Improve Your Security Posture

Maximize the Value from Microsoft Defender with Splunk

This Week's Community Digest - Splunk Community Happenings [6.27.22]