Splunk Search

How to append a subsearch where count < 50?

subtrakt
Contributor

Hello -
Any suggestions on how to append a subsearch where count < 50?

...|stats count | where count < 50 | append [search | rex max_match=1 "(?i)(?<testIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | lookup dnslookup clientip AS testIP]
0 Karma

somesoni2
SplunkTrust
SplunkTrust

Try this workaround

your base search  | appendpipe [| stats count | eval temp=1|append [ your subsearch ] 
| eventstats values(count) as count | where count<50 AND temp!=1]
0 Karma

subtrakt
Contributor

I have tried this but it doesn't seem to resolve the IPs or show the testIP field when the count is < 50. I have tested the base search and it does work. I will play around with it some more tomorrow.

index=hostcheck "host timed out" | appendpipe [| stats count | eval temp=1 | append [search index=hostcheck "host timed out"| rex max_match=1 "(?i)(?\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})"| lookup dnslookup clientip AS testIP]| eventstats values(count) as count | where count<50 AND temp!=1]

0 Karma

subtrakt
Contributor
index=hostcheck "host timed out" | appendpipe [| stats count | eval temp=1 | append [search index=hostcheck "host timed out"| rex max_match=1 "(?i)(?<testIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"| lookup dnslookup clientip AS testIP]| eventstats values(count) as count | where count<50 AND temp!=1]
0 Karma

somesoni2
SplunkTrust
SplunkTrust

Could you provide more information? You have a base search and want to append result of a subsearch only when base search have more than 50 events?

0 Karma

subtrakt
Contributor

So if it is < 50 events, the rex + lookup should run. if > 50 the rex+lookup shouldn't run...

0 Karma

subtrakt
Contributor

Yup, you got it.

0 Karma

vasanthmss
Motivator

Try this,

search.... | eventstats count | where count < 50 | do the rex... 
V
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...