splunk dashboard

Siddharthnegi · ‎05-13-2024

| inputlookup E.csv
| search 4Let="ABCD"
| stats count as count3
[search index=xyz category="Ad"  "properties.OnboardingStatus"= Onboarded
| dedup properties.DeviceName
| rename properties.DeviceName as DeviceName
| stats count as count2]

this search is giving error

VatsalJagani · ‎05-13-2024

@Siddharthnegi - Try this search

| inputlookup E.csv
| rename "4Let" as "Let4"
| search Let4="ABCD"
| stats count as count3
[search index=xyz category="Ad"  "properties.OnboardingStatus"= Onboarded
| dedup properties.DeviceName
| rename properties.DeviceName as DeviceName
| stats count as count2]

I think the problem that you are facing is field name starting with number, which creates problem in search in some-cases.

I hope this helps!!! Kindly upvote if it does!!!

gcusello · ‎05-13-2024

Hi @Siddharthnegi ,

what's the purpose of your search?

using the search you shared you have a main search that arrives to a stats command and then you added another search without any relation with the first one.

Do you want to append the second to the first one or do you want to filter results from the first using the secon one?

Ciao.

Giuseppe

splunk dashboard

Other

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout