- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- macro with 2 arguments and a where clause
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi,
i have a search query like
index=main a=* OR b=* 'macroname("a","b")' |table b b1 b2 b3
my macro is like
macroname(2)
def: sourcetype=log |where $a$=$b$
args a,b
i used splunk web to create this macro
what i want is, a and b are in diferent events and i want to display all the common values in a and b in a table with some other values present in the same event as b.
i tried to figure it out by myself. i am sorry if i missed any documents helping this
can lookup do this job?
i refered to this answer here
please help
Thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Macros wont help you here.
index=main [ search index=main a=* OR b=* | stats count by a b | where a>0 AND b>0 | fields b ] | table b b1 b2 b3
What does the bit in square brackets do ?
run this :
index=main a=* OR b=* | stats count by a b | where a>0 and b>0 | fields b | format
This is substituted into the main search.
So the main search becomes
index=main (( b=something) OR ( b=somethingelse) OR ( .. )) | table b b1 b2 b3
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Macros wont help you here.
index=main [ search index=main a=* OR b=* | stats count by a b | where a>0 AND b>0 | fields b ] | table b b1 b2 b3
What does the bit in square brackets do ?
run this :
index=main a=* OR b=* | stats count by a b | where a>0 and b>0 | fields b | format
This is substituted into the main search.
So the main search becomes
index=main (( b=something) OR ( b=somethingelse) OR ( .. )) | table b b1 b2 b3
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks jonuwz. a and b is in separate events and a is extracted in transforms.conf.
now i found that this query is working fine for me.
index=main sourcetype=log source=SUCCESS a=* OR b=* | eval b=coalesce(a, b) | stats dc(a) as occur by b|where occur>0 |fields b| join b[ search source=SUCCESS | fields b b1 b2 b3 b4 ] |table b b1 b2 b3 b4
Thank you for tour time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
are fields a and b in the same event ?
Can you post sample data and the required output
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks jonuwz, but the above search is not working for me, as i mentioned in my question , i have to compare two different field values, | where $a$=$b$ and select those values from b and display.
| stats count by a b | where a>0 and b>0
is not giving any result
Thank you
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
