Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to define results from an initial search as a variable for other searches?

BWhisler2015
New Member
‎07-13-2015 02:37 PM

Hello,

I am working on a search and eventually a dashboard that displays the count per field based on the characteristics or results from an initial search. I'm pulling all my data into Splunk using the DB connect app.

For example, let's assume our entire data set consists of three fields (ID, eye color, and hair color) and four events.
Silly example, but bare with me.

ID          Eye Color          Hair Color
1           Blue               Brown
2           Green              Brown
3           Blue               Black
4           Brown              Brown

Now we want to find the count of IDs for each field based off the characteristics of a specified ID. In other words, if we choose ID 1 as our input, then with some Splunk magic the dashboard will spit out the following table (Note: I am not worried too much about formatting at this point).

Eye Color      Eye Color Count      Hair Color     Hair Color Count
Blue                  2               Brown               3

Does anyone have any ideas how I can go about writing this search? I originally thought I could pull in two sets of data (all the data and the row I want to pivot off of) and then either append or join the two sets together.

Thanks in advance, please let me know if my questions makes sense or if I need to clear something up.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-13-2015 02:46 PM

The easiest to write would be something like this:

  sourcetype=your_data [search sourcetype=your_data ID=1 | table eye_color] | stats count as "Eye Color Count" by eye_color
| appendcols [search sourcetype=your_data [search sourcetype=your_data ID=1 | table hair_color] | stats count as "Hair Color Count" by hair_color

That'll go through your data several times, picking out the parts you need at each go.

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-13-2015 02:51 PM

Once you have a selection for eye in selected_eyes and hair in selected_hair, and your data uses fields Eye Color and Hair Color, you can do it like this

... | stats count(eval($Eye Color$=selected_eyes)) AS "Eye Color Count" count(eval($Hair Color$=selected_hair)) AS "Hair Color Count" | rename selected_eyes AS "Eye Color" selected_hair AS "Hair Color" | table "Eye Color" "Eye Color Count" "Hair Color" "Hair Color Count"
0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-13-2015 02:46 PM

The easiest to write would be something like this:

  sourcetype=your_data [search sourcetype=your_data ID=1 | table eye_color] | stats count as "Eye Color Count" by eye_color
| appendcols [search sourcetype=your_data [search sourcetype=your_data ID=1 | table hair_color] | stats count as "Hair Color Count" by hair_color

That'll go through your data several times, picking out the parts you need at each go.

Reply
Solved! Jump to solution

BWhisler2015
New Member
‎07-14-2015 10:44 AM

Thanks! This works!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...