×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
AlekseiVasiliev
Explorer
Member since: ‎10-08-2018
‎01-30-2021
Community Statistics
Posts 4
Solutions 1
Karma Given 0
Karma Received 4
Member Since ‎10-08-2018
Activity Feed
Topics I've Started
No posts to display.
View All

Re: Recursively join events on child to parent fie...

by in Splunk Search
‎04-28-2020 12:36 AM
‎04-28-2020 12:36 AM
@rmmiller thank you for your kind words ... View more

Re: Recursively join events on child to parent fie...

by in Splunk Search
‎04-23-2020 09:08 AM
‎04-23-2020 09:08 AM
A few thoughts to follow: 1. The maxsearches parameter can be set strictly by calculating the number of lines in the source data and passing the code generated on the basis of this value to the |map command via a subsearch 2. It is assumed that the iterations of the |map command are performed sequentially, but generally it is necessary to investigate the behavior for |map parallelization on a large amount of data. If it is not possible to control the order of iterations of the |map, you can think about launching them based on the schedule of some kind ... View more

Re: Recursively join events on child to parent fie...

by in Splunk Search
‎04-23-2020 08:45 AM
3 Karma
‎04-23-2020 08:45 AM
3 Karma
According to your data and the picture that you attached, it can be said that you are trying to restore the inheritance hierarchy from data on relationships of the form "parent->child". I can suggest an implementation based on the |map command and iterations caching with the .csv lookup |makeresults |fields - _time |eval child_id="null", parent_id="A1" |append [|makeresults |fields - _time |eval child_id="null", parent_id="B1"] |append [|makeresults |fields - _time |eval child_id="A1", parent_id="A2"] |append [|makeresults |fields - _time |eval child_id="B1", parent_id="B2"] |append [|makeresults |fields - _time |eval child_id="A2", parent_id="C1"] |append [|makeresults |fields - _time |eval child_id="B2", parent_id="C1"] |append [|makeresults |fields - _time |eval child_id="C1", parent_id="C2"] |append [|makeresults |fields - _time |eval child_id="C2", parent_id="D1"] |append [|makeresults |fields - _time |eval child_id="C2", parent_id="E1"] |rename child_id as parent parent_id as child |eval line=child."<-".parent |eventstats values(parent) as parents by child |eval depth=1 |outputlookup tree.csv |map maxsearches=100 search="|inputlookup tree.csv |eval con=mvindex(split(line, \"<-\"), -1) |join type=left con [|inputlookup tree.csv |rename child as con parents as parents_2 |fields con parents_2] |fillnull parents_2 value=\"null\" |makemv parents_2 |mvexpand parents_2 |eval line=line.\"<-\".parents_2 |eval depth=depth+1 |outputlookup tree.csv" |eventstats max(depth) as max_depth |where depth==max_depth |eval line=rtrim(line, "<-null")."<-null" |stats values(line) as lines by child ... View more

Re: mvlist functionality

by in Splunk Search
‎01-15-2019 05:50 AM
1 Karma
‎01-15-2019 05:50 AM
1 Karma
You should use quotes: mvlist="SessionEventNet PN" ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎01-30-2021 11:19 PM
Karma from
View All