Splunk Search

use source within map command

chrkohm
Path Finder

Hi,

I have several log files that I´m "batch indexing".

for example:

 

file01.log
file02.log
file03.log
file04.log

 

Now I´m searching if an field equals an value like State=4

And now I just want to do another search that searches only in this source-files where the State was 4.

I tried this:

 

index=test sourcetype=XY State=4 | stats count by source |map search="search index=test sourcetype=XY source=$source$ |stats values(cpu) by _time "

 

but I´m getting no results.

If I run the first search without the map section, I´m getting the source-files as an List

Labels (1)
Tags (2)
0 Karma
1 Solution

chrkohm
Path Finder

I figured it out:

 

 

index=test sourcetype=XY cpu="*"
[search index=test sourcetype=XY State=4 |table source]
|table source State cpu
|join source [search index=test sourcetype=XY State=4 |table source State ]
|table State cpu

 

View solution in original post

0 Karma

to4kawa
Ultra Champion

| tstats max(PREFIX("cpu=")) as cpu where index=test sourcetype=XY (source=file01.log OR source=file02.log OR source=file03.log OR source=file04.log) by PREFIX("State=") _time
| where 'State='=4

0 Karma

chrkohm
Path Finder

ok, but I can´t name every file.log because there are thousands... 

0 Karma

to4kawa
Ultra Champion

| tstats max(PREFIX("cpu=")) as cpu where index=test sourcetype=XY [|tstats count where index=test sourcetype=XY by source| fields source | format ] by PREFIX("State=") _time
| where 'State='=4

 The conditions change too much.

chrkohm
Path Finder

I figured it out:

 

 

index=test sourcetype=XY cpu="*"
[search index=test sourcetype=XY State=4 |table source]
|table source State cpu
|join source [search index=test sourcetype=XY State=4 |table source State ]
|table State cpu

 

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...