×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
jacques
Loves-to-Learn
Member since: ‎06-17-2021
‎07-14-2021
Community Statistics
Posts 4
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎06-17-2021
Activity Feed
Topics I've Started
View All

Re: How to feed a query?

by in Splunk Search
‎06-22-2021 05:27 AM
‎06-22-2021 05:27 AM
Thank you.  I'm not initially able to get this to work, but feel like it is on the right path.  I've a series of errors just using a minimal amount of data (e.g. a couple of domains in the CSV over a 15 minute period).  Thank you for bearing with me while I get this sorted. ... View more

Re: How to feed a query?

by in Splunk Search
‎06-18-2021 09:01 AM
‎06-18-2021 09:01 AM
Thank you for your quick response! I do have a couple of fields in the weblogs that may contain the domain or variations of it.  As I am creating the CSV I can name that single column whatever I like so that it matches.  There are a couple of "unknowns" here that I believe are making this complicated.  In my simple query: index=weblogs somedomain.com | stats count I am searching my results for *somedomain.com* regardless of the field.  I certainly can be more specific and designate a single field to search, but I do need to be able to still retain the wildcard aspect so that "somedomain.com" from the list of domains provided by the CSV also finds "somedomain.com", "www.somedomain.com ", "video.somedomain.com", etc. from the weblogs.  In my past experience, adding an asterisk such as domain="*somedomain.com" significantly impacted the search and processing.  "Significantly" = a search similar to what I'm currently using but with an asterisk was 40% complete after two days, but when I ran the same search without the asterisk completed in a couple of minutes. I am also following up with my Admin to see if there is a means to confirm _which_ field in weblogs is triggering "found" when I execute: index=weblogs somedomain.com | stats count I hadn't thought about it but the initial query's speed may likely be due to the request domain being in an indexed field and it might help my response time if I ensure that I use that field to search as opposed to a non-indexed one. In my attempts to use inputlookup, Splunk refuses to produce a count of hits, 0 found. Though I do not _know_, I _suspect_ that the inputlookup as a subsearch is essentially responding with the entire results/contents, rather than one at a time, iteratively.  I spent some time trying to get map or foreach to spit each domain from the CSV to me, one at a time but thus far have been unsuccessful in producing results. Thanks again for your suggestion. ... View more

Re: How to feed a query?

by in Splunk Search
‎06-18-2021 08:52 AM
‎06-18-2021 08:52 AM
Thank you for your quick response! I do have a couple of fields in the weblogs that may contain the domain or variations of it.  As I am creating the CSV I can name that single column whatever I like so that it matches.  There are a couple of "unknowns" here that I believe are making this complicated.  In my simple query: index=weblogs somedomain.com | stats count I am results for *somedomain.com* regardless of the field.  I certainly can be more specific and designate a single field to search, but I do need to be able to still retain the wildcard aspect so that "somedomain.com" from the list of domains provided by the CSV also finds "somedomain.com", "www.somedomain.com", "video.somedomain.com", etc. from the weblogs.  In my past experience, adding an asterisk such as domain="*somedomain.com" significantly impacted the search and processing.  "Significantly" = a search similar to what I'm currently using but with an asterisk was 40% complete after two days, but when I ran the same search without the asterisk completed in a couple of minutes. I really like the simplicity of your suggestion: index=weblogs [| inputlookup domainlist.csv] | stats count by domain This is the line of thought I've been working along, but Splunk refuses to produce a count, 0 found. Though I do not _know_, I _suspect_ that the inputlookup as a subsearch is essentially responding with the entire results/contents, rather than one at a time, iteratively.  I spent some time trying to get map or foreach to spit each domain from the CSV to me, one at a time but thus far have been unsuccessful. ... View more

How to feed a query?

by in Splunk Search
‎06-17-2021 12:45 PM
‎06-17-2021 12:45 PM
I am trying to run a simple query, but with a catch.  I want to run something like this: index=weblogs somedomain.com | stats count I don't want to see all of the the events. I don't want detail. I just want to know how many events make reference to *somedomain.com*.  For this specific domain, I'm good, and the above query returns almost instantaneously what I want. The catch - I now need to perform this simple query several thousand more times for each of the domains on a list, providing the number of events make reference to each domain in the list. I thought if I spun my list into a CSV, import it and the reference/"feed" the query using something like this: index=weblogs | inputcsv domainlist.csv | stats count Or perhaps: index=weblogs | inputlookup domainlist.csv | stats count I'd have what I needed, but to no avail.  I've tinkered with LOOKUP, MAP, FOREACH and several others.  In the end, I feel like I've missed the obvious.  I feel like it's the iterative nature of the query that is defeating me. Thank you in advance for your assistance. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎07-14-2021 12:38 PM