cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
splunk_new1
Explorer
Member since: ‎10-13-2020
‎02-23-2021
Community Statistics
Posts 8
Solutions 0
Karma Given 2
Karma Received 1
Member Since ‎10-13-2020
Activity Feed
View All

Re: foreach and subsearch values

by in Splunk Search
‎02-22-2021 06:45 PM
‎02-22-2021 06:45 PM
Ah, appreciate this, I have tried it but it does not seem to work..  As the search field values may contain more than just one index, it does not seem to be possible, it would be ideal if the entire search field values can be just passed into the search itself as this is the search query. search ============= index=index1 index=index2 index=index3 index=(index1 OR index2 OR index3) sourcetype=blahblah index=`test` ... View more

foreach and subsearch values

by in Splunk Search
‎02-22-2021 09:43 AM
‎02-22-2021 09:43 AM
I am using a table of results  a | b | c | search | d | e =============================================== xx yy zzz index=firstindex bb ppp yyy qqq eeee index=secondindex rr sss ttt zxc asd index=thirdindex uy mmm based on each result,  I would like to perform a  foreach command to loop through each row of results based on the "search" field and perform a subsearch based on the VALUES in the "search" field,  from a coding's perspective it would be something like  for each row: if field= search: #use value in search [search value | return index to main search] it should evaluate to something like this for each row if field=search: [search index=index1 | return index] My desired output is:  index ============== firstindex secondindex thirdindex    Is this possible? I have tried using  foreach * [eval if <<FIELD>>=="search"[search <<FIELD>>] ","[search <<FIELD>>]] but this does not seem to work.  I am aware of the map command, however as my field results have the word index= before the actual index name, I am unable to do a  search ======================== index=firstindex index=secondindex index=thirdindex |map search="search index=$search$"  as I believe ^ would  resolve to map search="search index=index=firstindex " This would be an error. Is there anyway I can do something like  |map search="search $search$| stats values(index)" and have it return something like index ========== firstindex secondindex thirdindex Tried looking around in splunk community forums but they seem to point at map instead of foreach, I am really lost in how I can get around this issue and achieving my desired output, it would be great if someone with more splunk experience can assist me ... View more
Labels

Re: foreach and subsearch

by in Splunk Search
‎02-22-2021 02:54 AM
‎02-22-2021 02:54 AM
Hi,  Thanks for your reply. I have posted an update to my question with my desired output.  I am aware of the map command, however as my field results have the word index= before the actual index name, I am unable to do a  search ======================== index=firstindex index=secondindex index=thirdindex |map search="search index=$search$"  as I believe ^ would  resolve to map search="search index=index=firstindex   This would be an error. Is there anyway I can do something like  |map search="search $search$| stats values(index)" and have it return something like index ========== firstindex secondindex thirdindex ... View more

foreach and subsearch

by in Splunk Search
‎02-21-2021 07:49 PM
1 Karma
‎02-21-2021 07:49 PM
1 Karma
I am using a table of results    a | b | c | search | d | e =============================================== xx yy zzz index=firstindex bb ppp yyy qqq eeee index=secondindex rr sss ttt zxc asd index=thirdindex uy mmm   based on each result,  I would like to perform a  foreach command to loop through each row of results based on the "search" field and perform a subsearch based on the VALUES in the "search" field,  from a coding's perspective it would be something like    for each row: if field= search: #use value in search [search value | return index to main search] it should evaluate to something like this for each row if field=search: [search index=index1 | return index]   My desired output is:    index ============== firstindex secondindex thirdindex    Is this possible? I have tried using  foreach * [eval if <<FIELD>>=="search"[search <<FIELD>>] ","[search <<FIELD>>]] but this does not seem to work.  Tried looking around in splunk community forums but the queries do not seem to be the same as what I am intending to do ... View more
Labels

Re: Using result of one search for another

by in Splunk Search
‎02-04-2021 09:51 AM
‎02-04-2021 09:51 AM
Thanks for your response! Yes, I did make use of the OR command.  What's happening right now is, when I used  (index=index1 (conditions)) OR (index=index2 (conditions)) | fields src | rename src as ip | format i get the results of ( ( ip="1.1.1.1" ) OR (ip ="2.2.2.2")  etc... just like how I want it.  If I copy that result and manually perform a  index= index3 ( ( ip="1.1.1.1" ) OR (ip ="2.2.2.2")) |stats count description by ip I am able to properly get the results that I desire.  The issue now comes when I put everything together and have it automated:  index= index3 [ search (index=index1 (conditions)) OR (index=index2 (conditions)) | fields src | rename src as ip | format ] | stats count description by ip For some reason the subsearch result from the subsearch index=index1 OR index=index2, the ip values do not get passed to the index3 search.  When I run the code, I get lots of other ip addresses that are not even generated from the results of the subsearch.  ... View more

Using result of one search for another

by in Splunk Search
‎02-03-2021 08:57 PM
‎02-03-2021 08:57 PM
Hi all!  I am relatively new to splunk and I am trying to use the results of one search for another search, So... index=index1 <conditions> or index=index2<conditions> | stats count by src servname |fields src |rename src as ip  Results:  ip 1.1.1.1  2.2.2.2 3.3.3.3  4.4.4.4 in index3, the field is called ip,  I would like to based off the returned ip list above ^: index=index3  ip="1.1.1.1" or ip="2.2.2.2" or ip="3.3.3.3" or ip="4.4.4.4"  |stats count description by ip But I cant seem to do it, when I make use of format or subsearches like  index=index3 [ search (index=index1 or index=index2 ...  ] | stats count description by ip it seems to return me results of all ips and their description in just index3. The first subsearch results "1.1.1.1" "2.2.2.2" "3.3.3.3" etc does not get parsed into the index3 search as a variable. How can i make this happen?  *Pardon my explanation if its too lengthy   ... View more
Labels

Re: How to chart counts of events as Y axis, time ...

by in Getting Data In
‎10-21-2020 03:31 AM
‎10-21-2020 03:31 AM
Great! This solved my issue and helped me further with my splunk searches! Thanks so much! Sorry for the late reply. ... View more

How to chart counts of events as Y axis, time as X...

by in Getting Data In
‎10-13-2020 01:12 PM
‎10-13-2020 01:12 PM
Hi! I'm new to using splunk and I am currently trying to chart a series of events over a time period. I have managed to use the rex command and extracted out the values of interest to me.  Right now I would like to make it such that each individual "power" values are appearing as a line on its own with it's own legend, similar to how timechart would look like. How can I do that?  Also, I have another 5 events together in this index which are not the same format as the other logs in this index, is it possible for me to also use rex to extract them into another field and finally COMBINE both extracted REX fields into one big happy timechart/chart?      expected something like this ^ I appreciate your time and thanks in advance for the help!  ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎02-23-2021 03:13 AM
Karma from
View All
Karma given to
View All