Splunk Search

Running one part of search if first part is true?

doubleIQ
Engager

Hi guys, just a quick and hopefully simple question. Trying to figure out how to do this if possible but can't seem to figure it out.
I'm running a search which returns how much Splunk has currently indexed for the day:

index=_internal source=*license_usage.log pool="auto_generated_pool_enterprise" NOT "RolloverSummary" earliest=@d | eval MB=(b/1024/1024) |stats sum(MB) AS MBUsed

This query places the amount in MB indexed since midnight into MBUsed.
What I would like to do is run the following query if the above query's MBUsed > 500Mb.

index=_internal source=*license_usage.log pool="auto_generated_pool_enterprise" NOT "RolloverSummary" earliest=-30d@d | eval MB=(b/1024/1024) | stats sum(MB) AS MBUsed by date_mday, date_month | where MBUsed > 500 | stats count as TotalOvers

This query simply sums the MB used per day over the last month, then counts the days that have indexed over 500.

So basically, what I would like to do is: if the amount indexed is over 500Mb, run the second search to show me how many times the license limit has been breached in the last month.
The two queries work when run separately; I'm just unsure how to piece them together, or if it's possible.

Hope that makes sense.

Thanks for the help 🙂

1 Solution

kristian_kolb
Ultra Champion

Why not run it in the same search - it's a slightly different approach with respect to the output, but I think it might be useful. And to speed things up, make use of the RolloverSummary events for all but the current day (note that these get created the day after, some milliseconds past midnight, so _time has to be adjusted to put the results on the correct day).

This search will give you a rather full report with the daily indexing amount and a notation on the days on which there was a violation, with a sum at the end:

index=_internal sourcetype=splunkd RolloverSummary earliest=-30d latest=@d+1h 
| eval _time = _time - 86400 
| timechart span=1d sum(b) AS BU 
| append 
    [search index=_internal NOT RolloverSummary earliest=@d source=*license_usage.log  
    | timechart span=1d sum(b) AS BU] 
| eval MBU = round(BU/1024/1024,0) 
| fields - BU 
| eval Over = if(MBU>500,1,null()) 
| addcoltotals Over label="Number of violations" labelfield=MBU

This is the short version, which just shows today's indexing and the violation count for the past month:

index=_internal sourcetype=splunkd RolloverSummary earliest=-30d latest=@d+1h 
| eval _time = _time - 86400 
| timechart span=1d sum(b) AS BU 
| append 
     [search index=_internal NOT RolloverSummary earliest=@d source=*license_usage.log 
     | timechart span=1d sum(b) AS BU] 
| eval MBU = round(BU/1024/1024,0) 
| fields - BU 
| eval Over = if(MBU>500,1,null()) 
| eventstats sum(Over) as "Number of Violations past 30 days" 
| fields - Over 
| tail 1

Hope you find this useful,

K



doubleIQ
Engager

Thanks Kristian, worked a treat 🙂


sideview
SplunkTrust

There may be a pure search language solution where you use the first search inside a subsearch, and then have a conditional eval creating a field called "query" that has the string value of the entire second search if the condition matches, and the value "foo NOT foo" otherwise. If you had "return query" or "| table query | head 1" at the end of the subsearch, then based on the condition the subsearch would basically yield out to the main search pipeline either the entire search string of the second search or the "foo NOT foo". Of course the drawback is that you have no ability to actually show the user the results from the first search. Either the second search runs or nothing runs. Unless you wanted to package the first search string again inside the subsearch. <head explodes>

On a different tack, and I'm not sure if this is the answer you're looking for, but there are a couple of ways to do this at the UI layer if you're using Sideview Utils.

The best I think is to use a ResultsValueSetter with a Switcher.

You first would use a bit of search language in the first search to create a field called "proceed" that has values true or false, then use a Sideview ResultsValueSetter module to pull down that field value and make it available as $proceed$. Then you could use a Sideview Switcher module to only show and run the second query (and all its charts and whatnot) if the $proceed$ value is "true". This same technique can be applied over and over and you can build quite complex chains of automatic search logic inside a single dashboard.

Sideview Utils contains docs pages that have working examples for both ResultsValueSetter and Switcher modules.

http://sideviewapps.com/apps/sideview-utils
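An added example, not code from the original thread: the pure-SPL gate that sideview sketches above, applied to doubleIQ's two searches. The subsearch runs the first search (today's total for the pool) and returns a single field named "search"; Splunk splices the value of a field with that name verbatim into the outer search as a search term. When today's total is over 500 MB the value is "*", so the second search retrieves its 30 days of events and counts the days over the limit; otherwise the value is the contradiction "foo NOT foo", which matches no events. The pool name and the 500 MB threshold are taken from the question. The "count" in the subsearch's stats is there so that a row is still produced when nothing at all has been indexed today (a subsearch that returns no rows would not close the gate cleanly), and coalesce() makes the comparison treat a missing total as 0.

```spl
index=_internal source=*license_usage.log pool="auto_generated_pool_enterprise" NOT RolloverSummary earliest=-30d@d
    [ search index=_internal source=*license_usage.log pool="auto_generated_pool_enterprise" NOT RolloverSummary earliest=@d
      | eval MB=b/1024/1024
      | stats count, sum(MB) AS MBUsed
      | eval search=if(coalesce(MBUsed, 0) > 500, "*", "foo NOT foo")
      | fields search ]
| eval MB=b/1024/1024
| stats sum(MB) AS MBUsed by date_month, date_mday
| where MBUsed > 500
| stats count AS TotalOvers
```

Two caveats. First, the gate controls which events reach the second pipeline, not whether the pipeline executes: with the gate closed, stats count still emits one row with TotalOvers=0. Here that can only mean "today is under the limit", because when the gate opens today's own bucket is already over 500 MB, so TotalOvers is at least 1. Second, as sideview notes, this cannot show the first search's result; what it does buy you is that the 30 days of license_usage.log are not scanned on days where there is nothing to report.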
