Splunk Sub Searching

In this section, we are going to learn about sub-searching in the Splunk platform. Sub-searching is a very important part of Splunk searching: it lets you search the data in your data pool effectively. Depending on your data it might give a significant performance boost or none at all.

A search that contains a subsearch, such as

```
index=windows [ | inputlookup defaultuseraccounts.csv | fields user ]
```

is converted into an explicit list of conditions before it runs:

```
index=windows (userA OR userb OR userc)
```

As it is converted as above, the search is fast. It is not usually used as an extraction condition.

Question: How do I merge the below 2 complex queries? Let me know if it's possible in Splunk.

```
Index=ABC (eventtype=X OR eventtype=Y) log_subtype=DEF field_A="*SQL*"
```

```
Index=ABC (log_subtype="GHI" OR log_subtype="JKL") (severity="medium" OR severity="high" OR severity="critical") action=* NOT (field_B="Unknown(5000007)" AND action="blocked") NOT dest_ip="11.22.33.44" | stats values(A) as A values(B) as B values(C) as C BY X, Y
```

I succeeded in merging the 2 searches to some extent (up to the stats command):

```
Index=ABC (log_subtype="DEF" OR log_subtype="GHI" OR log_subtype="JKL") (((eventtype=X OR eventtype=Y) field_A="*SQL*") OR ((severity="medium" OR severity="high" OR severity="critical") action=* NOT (field_B="Unknown(5000007)" AND action="blocked") NOT dest_ip="11.22.33.
| stats values(D) as D values(E) as E values(A) as A BY X, Y
```

Question: I want to select a team on a dashboard and feed that token into a search that will find all the applications they manage in a CSV lookup file, then search the tags fields in an index of 'metadata' to get all the logs related to those applications. This is my search so far, but it provides blank results (the `$token$` would go here):

```
| eval appdomain = mvfind('Tags" output=tags
| where support_group="12345"
```

Answer: Unfortunately, because your data is not well-structured, you can't do a simple search for Domain=something. Now we can find the single JSON object which has the proper key (mvfind returns the index of the matching element, mvindex then selects it):

```
| eval Domain=mvindex(tags, mvfind(tags, "\"Key\"\s*:\s*\"Domain\""))
```

And now we can parse our Domain out of the "sub-JSON":

```
| spath input=Domain path="Value" output=Domain
```

After this you'd have your Domain field properly parsed out. One approach is to use a subsearch to generate a list of conditions for the Domain value:

```
| search [ inputlookup snow_sys_applications.csv | rename u_cloud_domain as Domain | table Domain ]
```

The alternative approach could be to use the lookup and get the support_group field from the lookup based on the u_cloud_domain field looked up from the Domain field, and then filter with the support_group condition. Both will be similar in terms of performance, since you have to first dig through all your data anyway. You can improve your search efficiency a bit by adding the u_cloud_domain values to the initial search (without any particular field to match) so that Splunk can limit its search only to those events which have this value anywhere.

Solution: Minimize the number of trips to the indexers. One of the best ways to minimize the number of trips to the indexers is to avoid using the join and append commands. Although these commands are widely used, they're not the most efficient. This is because both commands make use of a subsearch (the content between the square brackets).

What is in the tutorial data: use the Add Data wizard. Because you specified a compressed file, the Splunk software recognizes that type of data source, so the Set Source Type step in the Add Data wizard is skipped. When you load data that is not in a compressed file, you will be asked to set the. If there is a window displayed, close that window.