Question (original poster):

I am a new Splunk user and I want to create a stats table showing different findings of an event using fields. However, I am running into an error when I use the earliest command twice. Here's what I have so far (some lines of the query are missing on this page):

    index=xxx source=xxx sourcetype=xxx
    | stats latest(name) as name, latest(call_time) as call_time
    [ search index=xxx source=xxx sourcetype=xxx conversation="*hello*"
      | stats earliest(_time) as first_hello by name ]
    [ search index=xxx source=xxx sourcetype=xxx messages="*how*"
      | stats earliest(_time) as first_how by name ]
    | table name, call_time, first_hello, first_how

1. Both first_hello and first_how are displaying the same time.
2. As I added the 'join' I could tell that the number of statistics decreased. I want to find a way that it displays all the events and that if a certain time (or word) cannot be found then it will just stay blank. I can see how that contradicts the purpose of 'join' but I couldn't find another way to do it.

1. When it comes to messages and conversations, I want to find the first time that each field had a value containing the specific word (hello and how, respectively). These two fields contain values that look like paragraphs.

Display a table that shows: name, TIME of the last call (corresponding to that name), TIME of the first time the word hello was said in the values of the conversation field, TIME of the first time the word how was said in the values of the messages field. In other words, I want to find the first time that xxname said hello in conversation and how in messages.

Let me know if I need to clarify anything else.

Answer 1:

All incoming data to Splunk is first judged by its built-in data processing unit and classified into certain data types and categories. This feature in Splunk is called source type. For example, if it is a log from an Apache web server, Splunk is able to recognize that and create appropriate fields out of the data read.

Answer 2:

I'm not sure if I understand the question exactly, but let me try to take a swing at it.

First, let's get a query that works. Here's something that should return results for you (only these lines of it survive on this page):

    ... (lines missing on the page)
    | stats latest(host) as name, latest(_time) as call_time
    | eval call_time=strftime(call_time,"%c")
    [ search index=_internal sourcetype=splunkd_ui_access
      ... (lines missing on the page)
      | eval first_hello=strftime(first_hello,"%c") ]
    [ search index=_internal sourcetype=splunk_web_access
      ... (lines missing on the page)
      | eval first_how=strftime(first_how,"%c") ]

When you run this you get a hostname and 3 timestamps based on the timestamp records for the 3 sourcetypes named. If you replace one of the sourcetypes with something that doesn't exist:

    [ search index=_internal sourcetype=splunk_web_access_NOT_THERE
      ... (lines missing on the page)

This is because the (default: inner) join fails. There are no names that have records in all 3 joined segments.

If you want all of the calls to show, but if they don't include a "hello" or a "how", it should leave those fields blank, then you want to use a left join. This should return your values from your first and second joins, but leave the 3rd timestamp blank. I hope that helps.

Documentation excerpts quoted on the page:

You can use the join command to combine the results of a main search (left-side dataset) with the results of either another dataset or a subsearch (right-side dataset). You can also combine a search result set to itself using the selfjoin command. One way Splunk can combine multiple searches [text missing] needs to be preceded by a [text missing]: search1 | append [ search2 ]. The search is now: index=os sourcetype=cpu [...].

Answer from a related thread (combining events from sources A and B by RequestId):

It sounds like you want to use a subsearch to use your criteria on the B side to whittle down the total RequestId values being received. After that you want to just use stats to group things by the RequestId. Any other fields you need, like AgentUserName, throw into the stats (here I've just added it as an extra group-by field because that generally makes the most sense for categorical fields). The final stats with the values(foo) clause might not be exactly what you want ultimately, but it matches your question.

    index=app host=hostB source=sourceB sourcetype=B
    [ search index=app source=sourceA host=hostA sourcetype=A timeoutSvc=*
      ... (lines missing on the page)

Now if you want to carry something through to the end from the A side, like the timeoutSvc values, that's pretty simple. Here we still use the A criteria in the subsearch to whittle down the RequestIds, but then we feed this into a disjunction amounting to A OR B.
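The left-join form that the second answer recommends, written out in full as an added example for the first question (this is not the page's or the answerer's own query, whose middle lines are lost here). The index/source/sourcetype placeholders and the field names name, conversation and messages are the ones from the question; the use of type=left, the stats by name in the main search and the fieldformat lines are assumptions of this example.

```spl
index=xxx source=xxx sourcetype=xxx
| stats latest(_time) as call_time by name
| join type=left name
    [ search index=xxx source=xxx sourcetype=xxx conversation="*hello*"
      | stats earliest(_time) as first_hello by name ]
| join type=left name
    [ search index=xxx source=xxx sourcetype=xxx messages="*how*"
      | stats earliest(_time) as first_how by name ]
| fieldformat call_time=strftime(call_time,"%c")
| fieldformat first_hello=strftime(first_hello,"%c")
| fieldformat first_how=strftime(first_how,"%c")
| table name, call_time, first_hello, first_how
```

Each earliest() runs inside its own subsearch over only the events that matched that subsearch's word, so first_hello and first_how are computed from different event sets; type=left keeps every name from the main search, and a name with no hello or how match simply gets an empty cell, which is what the poster asked for. Two caveats for anyone putting this into a scheduled or detection search: the default join is inner, so leaving out type=left silently drops every name that lacks a match, and each join subsearch is still capped by limits.conf (subsearch_maxout and subsearch_maxtime under [join], 50,000 rows and 60 seconds by default), beyond which results are truncated without an error. At scale a single pass with eval conditionals and one stats (for example hello_time=if(like(conversation,"%hello%"),_time,null()) followed by min(hello_time) as first_hello by name) avoids both problems.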
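The subsearch-then-stats pattern from the RequestId answer above, as an added example (not that answer's own, partly lost, query). index=app, hostA/hostB, sourceA/sourceB, the sourcetypes A and B, and the fields RequestId, timeoutSvc, AgentUserName and foo are the placeholder names that answer uses; the A OR B disjunction, the per-side counts and the final where clause are this example's additions.

```spl
index=app ((host=hostA source=sourceA sourcetype=A timeoutSvc=*) OR (host=hostB source=sourceB sourcetype=B))
    [ search index=app host=hostA source=sourceA sourcetype=A timeoutSvc=*
      | stats count by RequestId
      | fields RequestId ]
| stats values(timeoutSvc) as timeoutSvc,
        values(AgentUserName) as AgentUserName,
        values(foo) as foo,
        count(eval(sourcetype="A")) as a_events,
        count(eval(sourcetype="B")) as b_events
        by RequestId
| where b_events > 0
```

The subsearch returns only the RequestId field, so Splunk expands it into (RequestId="...") OR (RequestId="...") and ANDs that with the outer search; the outer disjunction then pulls in both the A events (carrying timeoutSvc) and the B events (carrying AgentUserName) for those IDs, and one stats by RequestId merges them. AgentUserName is collected with values() rather than added to the by clause because only the B-side events have it, and stats drops any event that lacks a by field. A plain subsearch is capped at 10,000 results and 60 seconds by default (limits.conf [subsearch]); when the A side produces more RequestIds than that, the OR list is truncated silently, so check the subsearch's own row count before trusting the joined output.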