×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
splunkinator53
Explorer
Member since: ‎01-19-2025
‎04-07-2025
Community Statistics
Posts 5
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎01-19-2025
Activity Feed
View All

Re: Rest search with map doesnt work as intended

by in Splunk Search
‎04-07-2025 11:37 PM
‎04-07-2025 11:37 PM
Okay, thx for your reply! 🙂    Qst:  How would you construct the search, when you make a rest call and let all searches run then saving them in an index? Which approach is better then map?  ... View more

Rest search with map doesnt work as intended

by in Splunk Search
‎04-07-2025 01:35 PM
‎04-07-2025 01:35 PM
This is the SPL i m using | rest /servicesNS/-/-/saved/searches splunk_server=local | fields title | search title=Reports* | eval dayEarliest="-1d@d", dayLatest="@d" | map maxsearches=100000 search="savedsearch \"$title$\" etime=\"$dayEarliest$\" ltime=\"$dayLatest$\" | addinfo | collect index=INDEXNAME testmode=false | search" Error i get: [map]: No results to summary index. Why? ... View more
Labels

Re: search with sub search doesnt get the correct ...

by in Splunk Search
‎01-20-2025 01:29 AM
‎01-20-2025 01:29 AM
Thank you very much for your feedback! I apologize for the anonymized query; I realize some parts were trimmed incorrectly. Regarding Point 3: I aim to have both the main search and the subsearch use the same earliest and latest time fields. The idea is that the tstats command serves as a pre-filter, while the base search is used to retrieve the raw events. The query I wrote generally works as expected, but sometimes it fails to correctly use the specified earliest and latest. For instance, during one test, it returned the correct time range, but when tested an hour later, it didn’t align with the specified time. Interestingly, I noticed that tweaking the search command sometimes resolves this issue and ensures it searches within the correct time range.  ... View more

search with sub search doesnt get the correct defi...

by in Splunk Search
‎01-19-2025 01:13 PM
‎01-19-2025 01:13 PM
Hey,  lately i was working on an SPL and wondered why this aint working. This is simplified     index IN(anonymized_index_1, anonymized_index_2, anonymized_index_3, anonymized_index_4) NOT index IN (excluded_index_1) earliest=-1h@h latest=@h EventCode=xxxx sourcetype="AnonymizedSourceType" NewProcessName IN (*) [| tstats count where index IN(anonymized_index_3, anonymized_index_1, anonymized_index_4, anonymized_index_2) NOT index IN (excluded_index_1) earliest=-1h@h latest=@h idx_EventCode=xxxx sourcetype="AnonymizedSourceType" idx_NewProcessName IN(*) by idx_Field1 _time idx_Field2 host index span=1s | search anonym_ref!="n/a" OR (idx_NewProcessName IN (*placeholder_1*, *placeholder_2*) AND (placeholder_field_1=* OR placeholder_field_2=*)) ]   When I run this SPL, I’ve noticed inconsistent behavior regarding the earliest and latest values. Sometimes the search respects the defined earliest and latest values, but at other times, it completely ignores them and instead uses the time range from the UI time picker. After experimenting, I observed that if I modify the search command to combine the conditions into one single condition instead of having two separate conditions, it seems to work as expected. However, I find this behavior quite strange and inconsistent. I would like to retain the current structure of the search command (with two conditions) but ensure it always respects the defined earliest and latest values. If anyone can identify why this issue occurs or provide suggestions to resolve it while maintaining the current structure, I’d greatly appreciate your input.   ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎04-07-2025 11:34 PM
Karma given to
View All