cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
dimigs
Engager
Member since: ‎03-18-2022
‎03-19-2022
Community Statistics
Posts 5
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎03-18-2022
Activity Feed
View All

Re: Multisearch not doing what I expect

by in Splunk Search
‎03-19-2022 07:25 AM
‎03-19-2022 07:25 AM
Really frustrating. That is 3 tries and none work. ... View more

Re: Multisearch not doing what I expect

by in Splunk Search
‎03-19-2022 07:24 AM
‎03-19-2022 07:24 AM
So i tried this: index=cloud_aws namespace=cloudship lambda=SCScloudshipStepFunctionStats metric_type=*_v0.3 | spath input=message | search $search_string_token$ | timechart cont=FALSE span=$span_token$ sum(success) by request_type Then I used my Scope dropdown to define the search_string_token. Static Options:   request_type: request_type=*   site: request_type=* site=*   zone: request_type=* site=* zone=*   cluster: request_type=* site=* zone=* cluster=* That actually works. BUT I don't really want just "*" there, I want the input value from another token. Static Options:   request_type: $request_type_token$   site: $request_type_token$ $site_token$   zone: $request_type_token$ $site_token$ $zone_token$   cluster: $request_type_token$ $site_token$ $zone_token$ $cluster_token$ That does not work. All I get is the string  "$request_type_token$" in the search and not the token value. index=cloud_aws namespace=cloudship lambda=SCScloudshipStepFunctionStats metric_type=*_v0.3 | spath input=message | search $request_type_token$ | timechart cont=FALSE span=hour sum(success) by request_type ... View more

Re: Multisearch not doing what I expect

by in Splunk Search
‎03-19-2022 07:04 AM
‎03-19-2022 07:04 AM
How do I do this in just spl? What is the mvindex and random? ... View more

Re: Multisearch not doing what I expect

by in Splunk Search
‎03-18-2022 04:28 PM
‎03-18-2022 04:28 PM
I want to do this. If scope == 'request':     search request_type="*" elif scope == 'site':     search request_type="*" site=* scope == 'zone':     search request_type="*" site=* zone=* scope == 'cluster':     search request_type="*" site=* zone=* cluster=* And I just can't make it happen ... View more

How do I fix this multisearch that is acting unexp...

by in Splunk Search
‎03-18-2022 02:45 PM
‎03-18-2022 02:45 PM
The message format we chose uses a field called scope to control the level of aggregation you want (by request_type, site, zone, cluster). The scope is set with a dropdown and passed in as a token. I wanted to use multi-search to coalesce the results of 4 different searches. So that if the scope was site, only the results from the site search would be shown. Actual Search: index=cloud_aws namespace=cloudship lambda=SCScloudshipStepFunctionStats metric_type=*_v0.3 | spath input=message | multisearch [search $request_type_token$ | where "$scope_token$" == "request_type" ] [search $request_type_token$ $site_token$ | where "$scope_token$" == "site"] [search $request_type_token$ $site_token$ $zone_token$ | where "$scope_token$" == "zone"] [search scope=$scope_token$ $request_type_token$ $site_token$ $zone_token$ $cluster_token$ | where "$scope_token$" == "cluster"] | timechart cont=FALSE span=$span_token$ sum(success) by request_type Search after token substitution with literal values. index=cloud_aws namespace=cloudship lambda=SCScloudshipStepFunctionStats metric_type=*_v0.3 | spath input=message | multisearch [search request_type="*" | where "site" == "request_type" ] [search request_type="*" site="RTP" | where "site" == "site"] [search request_type="*" site="RTP" zone="*" | where "site" == "zone"] [search scope=site request_type="*" site="RTP" zone="*" cluster="*" | where "site" == "cluster"] | timechart cont=FALSE span=hour sum(success) by request_type BUT ... the results of this query are equivalent to no search at all and I basically do not filter anything. index=cloud_aws namespace=cloudship lambda=SCScloudshipStepFunctionStats metric_type=*_v0.3 | spath input=message | timechart cont=FALSE span=hour sum(success) by request_type This query and the one above give the same result. What am I missing here? When I execute each part of the multi-search separately, the results are correct. I get empty results for all but the 'where "site" == "site"' search. But when I run the whole query I get no filtering at all. Help! ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎03-19-2022 04:53 PM
Karma given to
View All