Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About hasegawaarte
hasegawaarte
Explorer
Member since:
10-08-2020
01-06-2025
Community Statistics
| Posts | 5 |
| Solutions | 0 |
| Karma Given | 2 |
| Karma Received | 0 |
| Member Since | 10-08-2020 |
Activity Feed
- Posted Why Run a Script is not executed in ITSI after Splunk core version upgrade? on Splunk ITSI. 09-11-2023 09:31 PM
- Karma Re: What is the meaning of table immediately before the lookup command? for isoutamo. 06-15-2023 01:32 AM
- Posted Re: What is the meaning of table immediately before the lookup command? on Splunk Search. 06-14-2023 01:26 AM
- Posted Re: What is the meaning of table immediately before the lookup command? on Splunk Search. 06-13-2023 11:22 PM
- Posted What is the meaning of table immediately before the lookup command? on Splunk Search. 06-13-2023 10:00 PM
- Karma Re: If I want to use a field from the main search as a search criteria for a sub-search, what code should I write? for PickleRick. 03-26-2022 05:07 AM
- Posted If I want to use a field from the main search as a search criteria for a sub-search, what code should I write? on Splunk Search. 03-26-2022 02:42 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
09-11-2023
09:31 PM
Hi,
In ITSI > Notable Event Aggregation Policies > Action Rules, "Run a script" can no longer be executed.
The work that triggered the event to occur - Splunk Core Version Up (8.2.7 > 9.0.5.1)
Environment before the work - Splunk Core 8.2.7 - ITSI 4.11.6 - Configure Run a Script [File name] "patlite.sh RED" > Running enabled Post-work environment - Splunk Core 9.0.5.1 - ITSI 4.11.6 - Configure Run a Script [File name] "patlite.sh RED" > Not working
Script Deployment Location /opt/splunk/etc/apps/SA-ITOA/bin/scripts/patlite.sh
The ITSI version has not been changed, only the Splunk Core version change, but is there some configuration change that needs to be made?
... View more
- Tags:
- splunk search
Labels
- Labels:
-
troubleshooting
-
upgrade
-
using ITSI
06-14-2023
01:26 AM
Hi I tried index=_audit and got the same error. ========== index=_audit | eval title = "AAA" | lookup sample_data.csv title OUTPUT code ========== (Running with index=_audit only will show the normal audit log) ========== The following messages were returned by the search subsystem: info : Assuming implicit lookup table with filename 'sample_data.csv'. error : [indexer01,indexer02,indexer03] Streamed search execute failed because: Error in 'lookup' command: Could not construct lookup 'sample_data.csv, title, OUTPUT, code'. See search.log for more details.. 06-14-2023 16:53:57.896 INFO dispatchRunner [31365 RunDispatch] - search context: user="admin", app="search", bs-pathname="/opt/splunk/etc"
06-14-2023 16:53:57.896 INFO SearchParser [31365 RunDispatch] - PARSING: search index=_audit\n\n| eval title = "AAA"\n| lookup sample_data.csv title OUTPUT code
06-14-2023 16:53:57.896 INFO dispatchRunner [31365 RunDispatch] - Search running in non-clustered mode
06-14-2023 16:53:57.896 INFO dispatchRunner [31365 RunDispatch] - SearchHeadInitSearchMs=0
06-14-2023 16:53:57.896 INFO SearchParser [31365 RunDispatch] - PARSING: search index=_audit\n\n| eval title = "AAA"\n| lookup sample_data.csv title OUTPUT code
06-14-2023 16:53:57.896 INFO SearchParser [31365 RunDispatch] - PARSING: search index=_audit\n\n| eval title = "AAA"\n| lookup sample_data.csv title OUTPUT code
06-14-2023 16:53:57.896 INFO dispatchRunner [31365 RunDispatch] - Executing the Search orchestrator and iterator model (dfs=0).
06-14-2023 16:53:57.896 INFO SearchOrchestrator [31365 RunDispatch] - SearchOrchestrator getting constructed
06-14-2023 16:53:57.896 INFO SearchOrchestrator [31365 RunDispatch] - Initialized the SRI
06-14-2023 16:53:57.897 INFO SearchFeatureFlags [31365 RunDispatch] - Initializing feature flags from config. feature_seed=3077982966
06-14-2023 16:53:57.897 INFO SearchFeatureFlags [31365 RunDispatch] - Setting feature_flag=parallelreduce:enablePreview:true
06-14-2023 16:53:57.897 INFO SearchFeatureFlags [31365 RunDispatch] - Setting feature_flag=search:search_telemetry_file_include_parallel_reduce:false
06-14-2023 16:53:57.897 INFO SearchFeatureFlags [31365 RunDispatch] - Setting feature_flag=search:search_retry:false
06-14-2023 16:53:57.897 INFO SearchFeatureFlags [31365 RunDispatch] - Setting feature_flag=parallelreduce:autoAppliedPercentage:false
06-14-2023 16:53:57.897 INFO SearchFeatureFlags [31365 RunDispatch] - Setting feature_flag=stats:allow_stats_v2:true
06-14-2023 16:53:57.897 INFO SearchFeatureFlags [31365 RunDispatch] - Setting feature_flag=search_optimization::set_required_fields:stats:false
06-14-2023 16:53:57.897 INFO SearchOrchestrator [31365 RunDispatch] - Search feature_flags={"v":1,"enabledFeatures":["parallelreduce:enablePreview","stats:allow_stats_v2"],"disabledFeatures":["search:search_telemetry_file_include_parallel_reduce","search:search_retry","parallelreduce:autoAppliedPercentage","search_optimization::set_required_fields:stats"]}
06-14-2023 16:53:57.897 INFO ISplunkDispatch [31365 RunDispatch] - Not running in splunkd. Bundle replication not triggered.
06-14-2023 16:53:57.897 INFO SearchOrchestrator [31368 searchOrchestrator] - Initialzing the run time settings for the orchestrator.
06-14-2023 16:53:57.897 INFO UserManager [31368 searchOrchestrator] - Setting user context: admin
06-14-2023 16:53:57.897 INFO UserManager [31368 searchOrchestrator] - Done setting user context: NULL -> admin
06-14-2023 16:53:57.897 INFO SearchOrchestrator [31368 searchOrchestrator] - Creating the search DAG.
06-14-2023 16:53:57.897 INFO SearchParser [31368 searchOrchestrator] - PARSING: search index=_audit\n\n| eval title = "AAA"\n| lookup sample_data.csv title OUTPUT code
06-14-2023 16:53:57.897 INFO DispatchStorageManagerInfo [31368 searchOrchestrator] - Successfully created new dispatch directory for search job. sid=6e03aa52f7102493_tmp dispatch_dir=/opt/splunk/var/run/splunk/dispatch/6e03aa52f7102493_tmp
06-14-2023 16:53:57.913 INFO SearchProcessor [31368 searchOrchestrator] - Building search filter
06-14-2023 16:53:57.926 WARN SearchOperator:kv [31368 searchOrchestrator] - Invalid key-value parser, ignoring it, transform_name='hydra_access_log_fields'.
06-14-2023 16:53:57.926 WARN SearchOperator:kv [31368 searchOrchestrator] - Invalid key-value parser, ignoring it, transform_name='hydra_gateway_log_fields'.
06-14-2023 16:53:57.926 WARN SearchOperator:kv [31368 searchOrchestrator] - Invalid key-value parser, ignoring it, transform_name='hydra_scheduler_log_fields'.
06-14-2023 16:53:57.926 WARN SearchOperator:kv [31368 searchOrchestrator] - Invalid key-value parser, ignoring it, transform_name='pool_name_field_extraction'.
06-14-2023 16:53:57.926 WARN SearchOperator:kv [31368 searchOrchestrator] - Invalid key-value parser, ignoring it, transform_name='hydra_worker_log_fields'.
06-14-2023 16:53:57.930 WARN SearchOperator:kv [31368 searchOrchestrator] - Invalid key-value parser, ignoring it, transform_name='pool_name_field_extraction'.
06-14-2023 16:53:57.932 WARN SearchOperator:kv [31368 searchOrchestrator] - Invalid key-value parser, ignoring it, transform_name='hydra_logger_fields'.
06-14-2023 16:53:57.934 WARN CsvDataProvider [31368 searchOrchestrator] - Unable to find filename property for lookup=sample_data.csv will attempt to use implicit filename.
06-14-2023 16:53:57.934 INFO CsvDataProvider [31368 searchOrchestrator] - Assuming implicit lookup table with filename 'sample_data.csv'.
06-14-2023 16:53:57.934 INFO CsvDataProvider [31368 searchOrchestrator] - Reading schema for lookup table='sample_data.csv', file size=225, modtime=1686718713
06-14-2023 16:53:57.934 INFO DispatchThread [31368 searchOrchestrator] - BatchMode: allowBatchMode: 0, conf(1): 1, timeline/Status buckets(0):0, realtime(0):0, report pipe empty(0):1, reqTimeOrder(0):0, summarize(0):0, statefulStreaming(0):0
06-14-2023 16:53:57.934 INFO DispatchThread [31368 searchOrchestrator] - Setup timeliner partialCommits=1
06-14-2023 16:53:57.934 INFO DispatchThread [31368 searchOrchestrator] - required fields list to add to remote search = _bkt,_cd,_si,host,index,linecount,source,sourcetype,splunk_server
06-14-2023 16:53:57.934 INFO SearchParser [31368 searchOrchestrator] - PARSING: fields keepcolorder=t "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"
06-14-2023 16:53:57.934 INFO DispatchCommandProcessor [31368 searchOrchestrator] - summaryHash=985a2e1d474a3352 summaryId=113EFE7D-5214-4F12-9825-0BC662647973_search_admin_985a2e1d474a3352 remoteSearch=litsearch index=_audit | eval title = "AAA" | lookup sample_data.csv title OUTPUT code | fields keepcolorder=t "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"
06-14-2023 16:53:57.934 INFO DispatchCommandProcessor [31368 searchOrchestrator] - summaryHash=NS6915b620af6b059b summaryId=113EFE7D-5214-4F12-9825-0BC662647973_search_admin_NS6915b620af6b059b remoteSearch=litsearch index=_audit | eval title = "AAA" | lookup sample_data.csv title OUTPUT code | fields keepcolorder=t "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"
06-14-2023 16:53:57.934 INFO DispatchThread [31368 searchOrchestrator] - Getting summary ID for summaryHash=NS6915b620af6b059b
06-14-2023 16:53:57.937 INFO SearchParser [31368 searchOrchestrator] - PARSING: search index=_audit\n\n| eval title = "AAA"\n| lookup sample_data.csv title OUTPUT code
06-14-2023 16:53:57.937 INFO UnifiedSearch [31368 searchOrchestrator] - Processed search targeting arguments
06-14-2023 16:53:57.937 WARN CsvDataProvider [31368 searchOrchestrator] - Unable to find filename property for lookup=sample_data.csv will attempt to use implicit filename.
06-14-2023 16:53:57.937 INFO CsvDataProvider [31368 searchOrchestrator] - Assuming implicit lookup table with filename 'sample_data.csv'.
06-14-2023 16:53:57.937 INFO CsvDataProvider [31368 searchOrchestrator] - Reading schema for lookup table='sample_data.csv', file size=225, modtime=1686718713
06-14-2023 16:53:57.937 INFO AstOptimizer [31368 searchOrchestrator] - SrchOptMetrics optimize_toJson=0.000736677
06-14-2023 16:53:57.937 INFO AstVisitorFactory [31368 searchOrchestrator] - Not building visitor : replace_datamodel_stats_cmds_with_tstats
06-14-2023 16:53:57.937 INFO ReplaceTableWithFieldsVisitor [31368 searchOrchestrator] - search_optimization::replace_table_with_fields disabled due to VERBOSE Mode search
06-14-2023 16:53:57.937 INFO AstVisitorFactory [31368 searchOrchestrator] - Not building visitor : replace_table_with_fields
06-14-2023 16:53:57.937 INFO SearchParser [31368 searchOrchestrator] - PARSING: | lookup sample_data.csv title OUTPUT code
06-14-2023 16:53:57.937 INFO SearchParser [31368 searchOrchestrator] - PARSING: | eval title="AAA"
06-14-2023 16:53:57.938 INFO SearchParser [31368 searchOrchestrator] - PARSING: | search index=_audit
06-14-2023 16:53:57.938 INFO ReplaceTableWithFieldsVisitor [31368 searchOrchestrator] - search_optimization::replace_table_with_fields disabled due to VERBOSE Mode search
06-14-2023 16:53:57.938 INFO AstVisitorFactory [31368 searchOrchestrator] - Not building visitor : replace_table_with_fields
06-14-2023 16:53:57.938 INFO ProjElim [31368 searchOrchestrator] - Black listed processors=[addinfo]
06-14-2023 16:53:57.938 INFO AstOptimizer [31368 searchOrchestrator] - Search optimizations have been disabled in limits.conf. Set enabled=true in [search_optimization::replace_stats_cmds_with_tstats]
06-14-2023 16:53:57.938 INFO AstVisitorFactory [31368 searchOrchestrator] - Not building visitor : replace_stats_cmds_with_tstats
06-14-2023 16:53:57.938 INFO AstOptimizer [31368 searchOrchestrator] - SrchOptMetrics optimization=0.000474566
06-14-2023 16:53:57.938 INFO SearchPhaseGenerator [31368 searchOrchestrator] - Optimized Search =| search index=_audit | eval title="AAA" | lookup sample_data.csv title OUTPUT code
06-14-2023 16:53:57.938 INFO ScopedTimer [31368 searchOrchestrator] - search.optimize 0.001708104
06-14-2023 16:53:57.939 INFO PhaseToPipelineVisitor [31368 searchOrchestrator] - Phase Search = | search index=_audit | eval title="AAA" | lookup sample_data.csv title OUTPUT code
06-14-2023 16:53:57.939 INFO SearchParser [31368 searchOrchestrator] - PARSING: | search index=_audit | eval title="AAA" | lookup sample_data.csv title OUTPUT code
06-14-2023 16:53:57.950 INFO SearchProcessor [31368 searchOrchestrator] - Building search filter
06-14-2023 16:53:57.957 WARN SearchOperator:kv [31368 searchOrchestrator] - Invalid key-value parser, ignoring it, transform_name='hydra_access_log_fields'.
06-14-2023 16:53:57.957 WARN SearchOperator:kv [31368 searchOrchestrator] - Invalid key-value parser, ignoring it, transform_name='hydra_gateway_log_fields'.
06-14-2023 16:53:57.957 WARN SearchOperator:kv [31368 searchOrchestrator] - Invalid key-value parser, ignoring it, transform_name='hydra_scheduler_log_fields'.
06-14-2023 16:53:57.957 WARN SearchOperator:kv [31368 searchOrchestrator] - Invalid key-value parser, ignoring it, transform_name='pool_name_field_extraction'.
06-14-2023 16:53:57.957 WARN SearchOperator:kv [31368 searchOrchestrator] - Invalid key-value parser, ignoring it, transform_name='hydra_worker_log_fields'.
06-14-2023 16:53:57.959 WARN SearchOperator:kv [31368 searchOrchestrator] - Invalid key-value parser, ignoring it, transform_name='pool_name_field_extraction'.
06-14-2023 16:53:57.960 WARN SearchOperator:kv [31368 searchOrchestrator] - Invalid key-value parser, ignoring it, transform_name='hydra_logger_fields'.
06-14-2023 16:53:57.961 INFO UnifiedSearch [31368 searchOrchestrator] - Expanded index search = index=_audit
06-14-2023 16:53:57.961 INFO UnifiedSearch [31368 searchOrchestrator] - base lispy: [ AND index::_audit ]
06-14-2023 16:53:57.962 INFO UnifiedSearch [31368 searchOrchestrator] - Processed search targeting arguments
06-14-2023 16:53:57.962 INFO PhaseToPipelineVisitor [31368 searchOrchestrator] - Phase Search =
06-14-2023 16:53:57.962 INFO SearchPipeline [31368 searchOrchestrator] - ReportSearch=0 AllowBatchMode=0
06-14-2023 16:53:57.962 INFO SearchPhaseParserControl [31368 searchOrchestrator] - Adding SimpleResultsCombiner to merge remote input into correct time order.
06-14-2023 16:53:57.962 INFO SearchParser [31368 searchOrchestrator] - PARSING: simpleresultcombiner max=0
06-14-2023 16:53:57.962 INFO SearchPhaseGenerator [31368 searchOrchestrator] - Storing only 1000 events per timeline buckets due to limits.conf max_events_per_bucket setting.
06-14-2023 16:53:57.962 INFO SearchPhaseGenerator [31368 searchOrchestrator] - Timeline information will be computed remotely
06-14-2023 16:53:57.962 INFO SearchPhaseGenerator [31368 searchOrchestrator] - No need for RTWindowProcessor
06-14-2023 16:53:57.962 INFO SearchPhaseGenerator [31368 searchOrchestrator] - Adding timeliner to final phase
06-14-2023 16:53:57.962 INFO SearchParser [31368 searchOrchestrator] - PARSING: | timeliner remote=1 partial_commits=1 max_events_per_bucket=1000 fieldstats_update_maxperiod=60 bucket=300 extra_field=*
06-14-2023 16:53:57.962 INFO TimelineCreator [31368 searchOrchestrator] - Creating timeline with remote=1 partialCommits=1 commitFreq=0 syncKSFreq=0 maxSyncKSPeriodTime=60000 bucket=300 latestTime=1686729237.000000 earliestTime=1686639600.000000
06-14-2023 16:53:57.962 INFO SimpleResultsCombiner [31368 searchOrchestrator] - Base tmp dir removed.
06-14-2023 16:53:57.963 INFO SearchPhaseGenerator [31368 searchOrchestrator] - required fields list to add to different pipelines = *,_bkt,_cd,_si,host,index,linecount,source,sourcetype,splunk_server
06-14-2023 16:53:57.963 INFO SearchPhaseGenerator [31368 searchOrchestrator] - Remote Timeliner= | remotetl nb=300 et=1686639600.000000 lt=1686729237.000000 remove=true max_count=1000 max_prefetch=100
06-14-2023 16:53:57.963 INFO SearchPhaseGenerator [31368 searchOrchestrator] - Fileds=fields keepcolorder=t "*" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server" | remotetl nb=300 et=1686639600.000000 lt=1686729237.000000 remove=true max_count=1000 max_prefetch=100
06-14-2023 16:53:57.963 INFO SearchPhaseGenerator [31368 searchOrchestrator] - REMOTE TIMELINER ADDED
06-14-2023 16:53:57.963 INFO SearchParser [31368 searchOrchestrator] - PARSING: fields keepcolorder=t "*" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server" | remotetl nb=300 et=1686639600.000000 lt=1686729237.000000 remove=true max_count=1000 max_prefetch=100
06-14-2023 16:53:57.963 INFO SearchPhaseGenerator [31368 searchOrchestrator] - Search Phases created.
06-14-2023 16:53:57.991 INFO UserManager [31368 searchOrchestrator] - Setting user context: admin
06-14-2023 16:53:57.991 INFO UserManager [31368 searchOrchestrator] - Done setting user context: admin -> admin
06-14-2023 16:53:57.991 INFO UserManager [31368 searchOrchestrator] - Unwound user context: admin -> admin
06-14-2023 16:53:57.992 INFO DistributedSearchResultCollectionManager [31368 searchOrchestrator] - Stream search: litsearch index=_audit | eval title="AAA" | lookup sample_data.csv title OUTPUT code | fields keepcolorder=t "*" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server" | remotetl nb=300 et=1686639600.000000 lt=1686729237.000000 remove=true max_count=1000 max_prefetch=100
06-14-2023 16:53:57.992 INFO ExternalResultProvider [31368 searchOrchestrator] - No external result providers are configured
06-14-2023 16:53:57.996 INFO UserManager [31396 SearchResultExecutorThread] - Setting user context: admin
06-14-2023 16:53:57.996 INFO UserManager [31396 SearchResultExecutorThread] - Done setting user context: NULL -> admin
06-14-2023 16:53:57.996 INFO SearchParser [31368 searchOrchestrator] - PARSING: | streamnoop
06-14-2023 16:53:57.996 INFO SearchParser [31368 searchOrchestrator] - PARSING: streamnoop | timeliner remote=1 partial_commits=1 max_events_per_bucket=1000 fieldstats_update_maxperiod=60 bucket=300 extra_field=*
06-14-2023 16:53:57.996 INFO UserManager [31398 localCollectorThread] - Setting user context: admin
06-14-2023 16:53:57.996 INFO UserManager [31398 localCollectorThread] - Done setting user context: NULL -> admin
06-14-2023 16:53:57.996 INFO SearchParser [31398 localCollectorThread] - PARSING: litsearch index=_audit | eval title="AAA" | lookup sample_data.csv title OUTPUT code | fields keepcolorder=t "*" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server" | remotetl nb=300 et=1686639600.000000 lt=1686729237.000000 remove=true max_count=1000 max_prefetch=100
06-14-2023 16:53:58.009 INFO TimelineCreator [31368 searchOrchestrator] - Creating timeline with remote=1 partialCommits=1 commitFreq=0 syncKSFreq=0 maxSyncKSPeriodTime=60000 bucket=300 latestTime=1686729237.000000 earliestTime=1686639600.000000
06-14-2023 16:53:58.009 INFO SearchOrchestrator [31368 searchOrchestrator] - Starting the status control thread.
06-14-2023 16:53:58.009 INFO SearchOrchestrator [31368 searchOrchestrator] - Starting phase=1
06-14-2023 16:53:58.030 WARN SearchOperator:kv [31398 localCollectorThread] - Could not find a transform named hydra_logger_fields
06-14-2023 16:53:58.030 WARN SearchOperator:kv [31398 localCollectorThread] - Could not find a transform named pool_name_field_extraction
06-14-2023 16:53:58.030 WARN SearchOperator:kv [31398 localCollectorThread] - Could not find a transform named hydra_worker_log_fields
06-14-2023 16:53:58.030 WARN SearchOperator:kv [31398 localCollectorThread] - Could not find a transform named pool_name_field_extraction
06-14-2023 16:53:58.030 WARN SearchOperator:kv [31398 localCollectorThread] - Could not find a transform named hydra_scheduler_log_fields
06-14-2023 16:53:58.030 WARN SearchOperator:kv [31398 localCollectorThread] - Could not find a transform named hydra_gateway_log_fields
06-14-2023 16:53:58.030 WARN SearchOperator:kv [31398 localCollectorThread] - Could not find a transform named hydra_access_log_fields
... View more
06-13-2023
11:22 PM
Hi, inventsekar Set index=main or whatever index actually exists in your environment. Change index=xxx to |makeresults, and generate the main search results, STEP 2 is also executable. In STEP2, if you set index=xxx, error occurs. The version is Splunk 8.2.7
... View more
06-13-2023
10:00 PM
Hi all, I would like to know one thing. reproduction procedure STEP1 Execute the following command ======================= | makeresults | eval _raw="Date,time,title,code 06/10/2023,10:22,AAA,100 06/10/2023,11:33,BBB,200" | multikv forceheader=1 | outputlookup sample_data.csv ======================= STEP2 Execute the following command index=sandbox | eval title = "AAA" | lookup sample_data.csv title OUTPUT code ======================= Executing STEP2 results in the following error. [indexer01,indexer02,indexer03] Streamed search execute failed because: Error in 'lookup' command: Could not construct lookup 'sample_data.csv, title, OUTPUT, code'. See search.log for more details.. ======================= STEP3 Execute the following command index=sandbox | eval title = "AAA" | table * | lookup sample_data.csv title OUTPUT code ======================= Lookup is executed normally I am wondering if you can tell me what is changed by running the | table command?
... View more
Labels
- Labels:
-
lookup
03-26-2022
02:42 AM
If I want to use a field(alarm_time) from the main search as a search criteria for a sub-search, what code should I write? In the following code, I want to search for the time they are working I want to search Conditions : work_start < alarm_time < work_end search results you want to get : (work_name=work_b) ____________________________________
| makeresults
|eval _raw="alarm_time,host,message
2022/03/26 18:05,test_node,test_down"
| multikv forceheader=1
| eval alarm_time_strp = strptime(alarm_time,"%Y/%m/%d %H:%M")
| join type=left host
[| makeresults
|eval _raw="host,work_start,work_end,work_name
test_node,2022/03/26 17:00,2022/03/26 18:00,work_a
test_node,22022/03/26 18:00,2022/03/26 19:00,work_b
test_node,2022/03/26 19:00,2022/03/26 20:00,work_c"
| multikv forceheader=1
| eval work_start_strp = strptime(work_start,"%Y/%m/%d %H:%M")
| eval work_end_strp = strptime(work_end,"%Y/%m/%d %H:%M")
]
... View more
Labels
- Labels:
-
join
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
01-06-2025
07:22 PM
|
