×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
gszabo
Explorer
Member since: ‎05-17-2022
‎05-18-2022
Community Statistics
Posts 4
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎05-17-2022
Activity Feed
View All

Re: correlated search

by in Splunk Search
‎05-18-2022 02:02 AM
‎05-18-2022 02:02 AM
Yes, thats works now. Arbor logs without any structure... i love it. Thank you very much!   ... View more

Re: correlated search

by in Splunk Search
‎05-18-2022 01:44 AM
‎05-18-2022 01:44 AM
Yes, thats the problem... some lines has the number extracted as alert_num, some has not. thats why could not find all of them in whole search. the alert_num string is the same, so if it is possible have to two different extract regex for that field, or take that number as a simple string to use it in the outer search. ... View more

Re: correlated search

by in Splunk Search
‎05-18-2022 01:01 AM
‎05-18-2022 01:01 AM
Thanks for the reply. Almost good. the subseach returns the relevant alert numbers, thats okay.  alert_num search 1   ( ( alert_num="484316" ) OR ( alert_num="484263" ) OR ( alert_num="484243" ) )   But the whole query do not shows all the relevant logs with the selected alert numbers, just ones what contains the managed_host field.   ... View more

How to define multiple search or subsearch to merg...

by in Splunk Search
‎05-18-2022 12:01 AM
‎05-18-2022 12:01 AM
Hello, Help me please. I'd like to define multiple search or subsearch to merge all relevant information about alerts. Interesting fields in search are  the hosts - as managed_host field and an uniqe alert number. I do not need alert about all the hosts, so i sort the relevant ones:  index=main ( managed_host="host_A" OR managed_host="host_B" OR managed_host="host_C" ) | dedup alert_num |  eval alert=alert_num Thats simple, will show the relevant alert numbers. After that i need to simple search the selected alerts to get ALL the logs ( some of them doesn't contain managed_host filed, so will not appear at first search.) Index=main alert_num=$alert$ How could be merged this two search in one to generate an alert that will contain all relevant information? Thanks, Gabor     ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎05-18-2022 10:43 AM
Karma given to
View All