Splunk Search

using a $variable$ in the output of a mapped search

a238574
Path Finder

I am running a search that gets a list of accounts, multiple records that can have multiple accounts in each event. I need to find all accounts that are not valid. What I have so far produces results, but I can't figure out how to get the $acctid$ in the output. Right now I just get 2 records in the stats page that show a 0 for each one, but no way to show the content of the $acctid$. I have manually checked and the number is correct; I have 2 bad accounts.

Basic search is

index=events eventName="testevent" | spath output=acctid path="requestParameters.items{}.acctid" | stats list(acctid) as acctid by eventID | mvexpand acctid | map search="search index=acctlist Id=$acctid$ | stats count | where count=0"

The 1st half of the search produces

eventID                                acctid
15326ca3-d4ce-421f-aa07-457fcc7c5df1    12345678
8b99fa14-fa4f-4cd2-8d5e-4d9244b5e027    04341234568
8b99fa14-fa4f-4cd2-8d5e-4d9244b5e027    34491234568
9d807652-8b16-4a1a-a985-236c8409b73c    12345678
c5e8b181-4440-4af3-8687-805522ab67e8    04341234568
e539d095-8664-4c68-99ba-1ef1329ec78d    34491234568
ebf27592-2741-4093-b035-eaf3d1ecc4ee    04341234568

I know the 1st and 4th entries are bad accounts, and the map command produces 2 results but just shows the zero from the count. How do I get the contents of either the acctid or eventID in the results?

count
0
0

a238574
Path Finder

Found the answer... eval was the key

index=events eventName="testevent" | spath output=acctid path="requestParameters.items{}.acctid" | stats list(acctid) as acctid by eventID | mvexpand acctid | map search="search index=acctlist Id=$acctid$ | stats count | where count=0 | eval eventID=\"$eventID$\" | stats list(count) by eventID"

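An expanded form of the map approach from the accepted answer, added here as an example rather than code from the original poster. It assumes the same index, field and token names as the thread (index=events, index=acctlist, acctid, eventID, Id) and that the default maxsearches limit of map may be too low once more than a handful of rows are fed into it; both tokens are wrapped in escaped quotes so that string values such as UUIDs are not parsed as eval expressions, and the unknown account is returned alongside the event it came from.

```spl
index=events eventName="testevent"
| spath output=acctid path="requestParameters.items{}.acctid"
| mvexpand acctid
| dedup acctid eventID
| fields eventID acctid
| map maxsearches=500 search="search index=acctlist Id=\"$acctid$\"
    | stats count
    | where count=0
    | eval acctid=\"$acctid$\", eventID=\"$eventID$\"
    | fields eventID acctid count"
```

Each row of the outer search becomes one subsearch, so the dedup step keeps the number of searches (and the maxsearches value, which is a constructed figure here) to the number of distinct event/account pairs; rows that survive the where clause are exactly the accounts with no match in acctlist.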

richgalloway
SplunkTrust

The stats command only returns the fields requested - in this case just 'count'. Try ... | stats count by acctid | ....

---
If this reply helps you, Karma would be appreciated.
