Splunk Search

using a $variable$ in the output of a mapped search

a238574
Path Finder

I am running a search that gets a list of accounts, multiple records that can have multiple accounts in each event. I need to find all accounts that are not valid. What I have so far produces results, but I can't figure out how to get the $acctid$ in the output. Right now I just get 2 records in the stats page that show a 0 for each one, but no way to show the content of the $acctid$. I have manually checked and the number is correct; I have 2 bad accounts.

Basic search is

index=events eventName="testevent" | spath output=acctid path="requestParameters.items{}.acctid" | stats list(acctid) as acctid by eventID | mvexpand acctid | map search="search index=acctlist Id=$acctid$ | stats count | where count=0"

The 1st half of the search produces

eventID                                acctid
15326ca3-d4ce-421f-aa07-457fcc7c5df1    12345678
8b99fa14-fa4f-4cd2-8d5e-4d9244b5e027    04341234568
8b99fa14-fa4f-4cd2-8d5e-4d9244b5e027    34491234568
9d807652-8b16-4a1a-a985-236c8409b73c    12345678
c5e8b181-4440-4af3-8687-805522ab67e8    04341234568
e539d095-8664-4c68-99ba-1ef1329ec78d    34491234568
ebf27592-2741-4093-b035-eaf3d1ecc4ee    04341234568

I know the 1st and 4th entries are bad accounts, and the map command produces 2 results but just shows the zero from the count. How do I get the contents of either the acctid or eventID in the results?

count
0
0
0 Karma
1 Solution

a238574
Path Finder

Found the answer... eval was the key

index=events eventName="testevent" | spath output=acctid path="requestParameters.items{}.acctid" | stats list(acctid) as acctid by eventID | mvexpand acctid | map search="search index=acctlist Id=$acctid$ | stats count | where count=0 | eval eventID=\"$eventID$\" | stats list(count) by eventID"


0 Karma
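An added alternative, not from the thread, that avoids running one map search per row (map stops after 10 searches by default, its maxsearches setting) and keeps acctid and eventID in the output: append the allow-list index to the expanded events and let stats decide which account IDs never appear in index=acctlist. It assumes the thread's field names (acctid, eventID, Id); src and in_list are names introduced here.

```spl
index=events eventName="testevent"
| spath output=acctid path="requestParameters.items{}.acctid"
| mvexpand acctid
| eval src="event"
| fields eventID acctid src
| append [ search index=acctlist | rename Id AS acctid | eval src="list" | dedup acctid | fields acctid src ]
| stats count(eval(src="list")) AS in_list, values(eventID) AS eventID BY acctid
| where in_list=0
| table acctid eventID
```

On the table in the question this yields one row, acctid 12345678 with both of its eventIDs, rather than two bare zeros; append is itself bounded by its maxout limit, so check that the acctlist subsearch is not being truncated on large lists.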

richgalloway
SplunkTrust

The stats command only returns the fields requested - in this case just 'count'. Try ... | stats count by acctid | ....

---
If this reply helps you, Karma would be appreciated.
0 Karma
