12.50 Leveraging Lookups & Subsearches

This module is designed for users who want to learn how to use lookups and subsearches to enrich their results. Topics will focus on lookup commands and explore how to use subsearches to correlate and filter data from multiple sources.

A subsearch is a search that is used to narrow down the set of events that you search on. Subsearches are enclosed in square brackets within a main search and are evaluated first. The result of the subsearch is then used as an argument to the primary, or outer, search.

This search uses appendcols to count the number of times a certain field occurs on a specific server and uses that value to calculate other fields. First, this search uses stats to count the number of individual users on a specific server and names that variable "totalUsers". Then, this search uses appendcols to search the server and count how many times a certain field occurs on that specific server. The addinfo command adds the info_min_time and info_max_time fields to the search results. The where command is used to constrain the subsearch to the time range of those fields. The eval command is used to define "variableB". The result is a table with the fields totalUsers, variableA, and variableB.

rver | stats dc(userID) as totalUsers | appendcols | eval variableB = exact(variableA/totalUsers)

Search for "404" events and append the fields in each event to the previous search results. This is a valid search string because appendcols comes after the transforming command table and adds columns to an existing table of results.

index=_internal | table host | appendcols

Note that the subsearch argument to the appendcols command doesn't have to contain a transforming command. The appendcols command can't be used before a transforming command because it must append to an existing set of table-formatted results, such as those generated by a transforming command. The appendcols command must be placed in a search string after a transforming command such as stats, chart, or timechart.

Time
Use these commands to search based on time ranges or add time information.

Command: append
Description: Appends subsearch results to current results.

appendcols
Description: Appends the fields of the subsearch results with the input search results. All fields of the subsearch are combined into the current results, with the exception of internal fields. For example, the first subsearch result is merged with the first main result, the second subsearch result is merged with the second main result, and so on. This enables sequential state-like data analysis.

Required arguments
subsearch
Description: A secondary search added to the main search. See how subsearches work in the Search Manual.

Optional arguments
override
Syntax: override=<bool>
Description: If the override argument is false, and if a field is present in both a subsearch result and the main result, the main result is used. If override=true, the subsearch result value is used.
Default: override=false

subsearch-options
Syntax: maxtime=<int> | maxout=<int> | timeout=<int>
Description: These options control how the subsearch is executed.

Subsearch options
maxtime
Syntax: maxtime=<int>
Description: The maximum time, in units of seconds, to spend on the subsearch before automatically finalizing.
Default: 60

maxout
Syntax: maxout=<int>
Description: The maximum number of result rows to output from the subsearch.
Default: 50000

timeout
Syntax: timeout=<int>
Description: The maximum time, in units of seconds, to wait for the subsearch to fully finish.
Default: 60

Splunk Enterprise Search Manual: Use subsearch to correlate events

A subsearch takes the results from one search and uses the results in another search.

Subsearch is a search query that is nested within another search query, and the results of the subsearch are used to filter the main search, so:

1- First, run a query to extract a list of fields that you want to use for filtering your subsequent Splunk query:

index=myindex sourcetype=mysourcetype | table myfield

I have a Splunk dashboard that shows traffic across two sites. I need to get a) the number of users for each domain and b) the total users for use in the dashboard. At this time, I have the following Simple XML:

Search "Middleware" | stats distinct_count(UserId) as domain1Users
Search "Middleware 2" | stats distinct_count(UserId) as domain2Users
| eval totalCount = domain1Count + domain2Count

However, the queries on the right side of the eval statements work as expected.