Splunk Search

Create new field from subsearch results

C_Sparn
Communicator

Hello,

I'm looking for a possibility to create a multivalue field from the result list of a subsearch and work with the new field in the main search.
Like this:

sourcetype = log [search sourcetype = log|where clause|stats values(Tickets) as NewTickets | fields + NewTickets] | table NewTickets

Is it possible to do something like that?

Greetings

1 Solution

martin_mueller
SplunkTrust

Okay, so something like this?

sourcetype=log additional filters go here | chart count over TicketState by Day

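As an added example that is not part of this thread, here is the accepted search written out against the sample events posted further down (Ticket, Day, TicketState), with the field extraction made explicit. The rex pattern and the assumption that one event corresponds to exactly one ticket are mine, not the original poster's; the field names Tickets, Day and TicketState are taken from the samples.

```spl
sourcetype=log
| rex "Ticket:\s+(?<Tickets>\d+)\s+Day:\s+(?<Day>\d{4}-\d{2}-\d{2})\s+TicketState:\s+(?<TicketState>\w+)"
| chart count(Tickets) over Day by TicketState
| fillnull value=0
```

With Day as the row field and TicketState as the split-by field, the result has one row per day and one column per state (new, closed, ...), which is exactly the shape a line chart with one line per state needs. The accepted answer's `over TicketState by Day` produces the transposed table (states as rows, one series per day); choose the order according to which field you want on the x-axis. The original subsearch idea is not needed for this: a subsearch's result rows are converted into a search expression such as `(Tickets="..." OR Tickets="...")` and pasted into the outer search, and by default a subsearch is capped at 10,000 results and 60 seconds, so with many tickets it silently truncates the filter, whereas a single chart over the full event set has no such limit.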

martin_mueller
SplunkTrust

That search is now the answer so feel free to accept.


C_Sparn
Communicator

Thank you, that is what I was looking for, but I changed
| chart count over... to | chart count(Tickets) over...
Can you write an answer that I can vote for?


C_Sparn
Communicator

OK, these are some samples of how the events look:

Ticket: 2014040310140326 Day: 2014-04-03 TicketState: new
Ticket: 2014040310150426 Day: 2014-04-05 TicketState: closed

Out of such events I extract my fields as I described above.


martin_mueller
SplunkTrust

Well, without sample data I'm stuck with guessing what your data looks like. If you'd post some samples...


C_Sparn
Communicator

I don't think that's possible in my case.

With sourcetype = log I get an event list where each event corresponds to one ticket. So each event has one ticket number, a ticket state like (open, closed...) and a day. I have already extracted the field "tickets" with all ticket numbers, the field "day" with all days, and the field "ticketstate" with 4+ states. I think now I need to create a field "close" with all closed ticket numbers and other fields for the other states. Then:

search with or without subsearches | chart count(open) count(close)... by day

as line chart

Hope that was a better explanation.


martin_mueller
SplunkTrust

Something like this?

sourcetype=log additional filters go here | chart count over Tickets by Day

C_Sparn
Communicator

What I want to do is this:
I have extracted a field called Tickets, which includes all kinds of tickets like open, closed...
Now I want to split the Tickets field values with 4 different (sub)searches into 4 fields ("open", "closed"...).
My expected result is a line chart with 4 lines, where each line is the number of values for one kind of ticket. And it should be grouped by a field called Day.
Thanks for the help.


martin_mueller
SplunkTrust

Could you explain what you're trying to achieve using natural language, sample data, and expected results?
I'm not quite able to grasp those from your attempted search.
