On a daily basis a series of publications are distributed to a number of different accounts. The list of publications changes on a daily basis and is never repeated. The publications are transferred by a server named jkcs1. I have a search that gathers the names of publications created in the past 24 hours from that server. That search looks like this:
sourcetype="iis" jkcs1 /tm/ .pdf |makemv delim="/" cs_uri_stem | eval pubName=mvindex(cs_uri_stem,3) | fields pubName | stats list(pubName)
I need a second search that will take the output from the first search (pubName) and tell me how many of those publications were downloaded by each account. Not all accounts will download the same number of publications. I have a search that works perfectly if I hardcode the publication name. It looks like this:
sourcetype="iis" 01-110hcg-1b.pdf cs_username!="-" | eval cs_uri_stem=lower(cs_uri_stem) | chart count(cs_uri_stem) as Accounts by cs_uri_stem | rename cs_uri_stem as Publications | where Accounts >1
The output looks like this:
Publications        Accounts
01-110hcg-1b.pdf    24
What I want is something that combines both searches so that the second part gathers data based on the pubName field from the first search. The output would then look like this:
Publications          Accounts
01-110hcg-1b.pdf      24
16-35mx3160-2.pdf     18
a1-v22ac-mrc-000.pdf  22
01-75pac-2-9.pdf      24
I’ve tried subsearches, appends, appendcols, outputcsv and inputcsv, map and just about everything else I can think of. I can easily get the list of publications but the Accounts column is always blank.
Is it possible to do what I want?
You need:
sourcetype="iis" cs_username!="-"
[ search sourcetype="iis" jkcs1 /tm/ .pdf
| makemv delim="/" cs_uri_stem | eval pubName=mvindex(cs_uri_stem,3)
| fields pubName | rename pubName as query ]
| eval cs_uri_stem=lower(cs_uri_stem)
| chart count(cs_uri_stem) as Accounts by cs_uri_stem
| rename cs_uri_stem as Publications
| where Accounts >1
You use a standard subsearch, but the trick is to name your field "query". I have no idea if this is even documented.
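To make the "query" trick concrete, here is an added Python example (not code from the original thread or from Splunk) that walks through the same pipeline over a few constructed IIS log lines. It shows how subsearch rows are expanded into the outer search differently when the field is called pubName versus query, then runs the outer search's logic: keep requests from named accounts, case-fold the path, count per publication, and drop rows with fewer than two hits. It also reports the number of distinct accounts per publication, since chart count(...) in the answer counts requests, not users (dc(cs_username) would give the distinct figure). The log column order, the host and path names, and the assumption that the file name is the fourth path component (what mvindex(cs_uri_stem,3) picks after splitting on "/") are all constructed for this example.

```python
from collections import defaultdict

# Constructed IIS W3C-style log lines (sample data for this example, not from the original post).
# Column order assumed: date time s-computername cs-method cs-uri-stem cs-username
IIS_LOG = """\
2014-03-03 01:12:00 jkcs1 PUT /tm/pubs/01-110hcg-1b.pdf -
2014-03-03 01:13:00 jkcs1 PUT /tm/pubs/16-35mx3160-2.pdf -
2014-03-03 08:00:01 web01 GET /tm/pubs/01-110hcg-1b.pdf alice
2014-03-03 08:00:02 web01 GET /tm/pubs/01-110hcg-1b.pdf bob
2014-03-03 08:00:03 web01 GET /TM/pubs/01-110HCG-1B.pdf dave
2014-03-03 08:00:04 web01 GET /tm/pubs/16-35mx3160-2.pdf alice
2014-03-03 08:00:05 web01 GET /tm/pubs/16-35mx3160-2.pdf alice
2014-03-03 08:00:06 web01 GET /tm/pubs/old-report.pdf carol
2014-03-03 08:00:07 web01 GET /tm/pubs/01-110hcg-1b.pdf -
"""

# Field names chosen to match the Splunk IIS field names used in the thread (assumed column order).
FIELDS = ["date", "time", "s_computername", "cs_method", "cs_uri_stem", "cs_username"]


def parse_iis(text):
    """Split each space-delimited log line into a dict keyed by IIS field name."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == len(FIELDS):
            events.append(dict(zip(FIELDS, parts)))
    return events


def pub_name(uri_stem):
    """Mirror of makemv delim="/" followed by mvindex(cs_uri_stem, 3).

    '/tm/pubs/x.pdf'.split('/') gives ['', 'tm', 'pubs', 'x.pdf'], so index 3 is the file name.
    This assumes the /tm/<dir>/<file>.pdf path shape; deeper paths return the wrong component."""
    parts = uri_stem.split("/")
    return parts[3] if len(parts) > 3 else None


def subsearch_pub_names(events):
    """The inner search: .pdf files that jkcs1 handled under /tm/, as sorted unique names."""
    names = set()
    for e in events:
        stem = e["cs_uri_stem"]
        if e["s_computername"] == "jkcs1" and "/tm/" in stem and stem.endswith(".pdf"):
            name = pub_name(stem)
            if name:
                names.add(name)
    return sorted(names)


def format_subsearch(rows):
    """Approximate how Splunk inlines subsearch rows into the outer search.

    An ordinary field becomes field="value", so results named pubName would only match
    events that actually carry a pubName field (which the raw IIS events do not). The
    special field names 'query' and 'search' are inserted as bare search terms instead,
    which is why the rename in the answer above makes the outer search work."""
    clauses = []
    for row in rows:
        terms = []
        for field, value in row.items():
            if field in ("query", "search"):
                terms.append(f'"{value}"')
            else:
                terms.append(f'{field}="{value}"')
        clauses.append("(" + " AND ".join(terms) + ")")
    return " OR ".join(clauses)


def count_downloads(events, pub_names, min_accounts=2):
    """The outer search: per publication, count requests by named accounts.

    Drops cs_username == "-", lower-cases the path like eval lower(cs_uri_stem), keeps only
    the publications from the subsearch, and applies 'where Accounts > 1' (min_accounts=2).
    Returns {publication: (requests, distinct_accounts)}; the SPL chart count() is the first
    number, the second is what dc(cs_username) would report."""
    wanted = {n.lower() for n in pub_names}
    requests = defaultdict(int)
    accounts = defaultdict(set)
    for e in events:
        if e["cs_username"] == "-":
            continue
        name = pub_name(e["cs_uri_stem"].lower())
        if name in wanted:
            requests[name] += 1
            accounts[name].add(e["cs_username"])
    return {n: (requests[n], len(accounts[n])) for n in requests if requests[n] >= min_accounts}


if __name__ == "__main__":
    events = parse_iis(IIS_LOG)
    pubs = subsearch_pub_names(events)
    print("subsearch as pubName:", format_subsearch([{"pubName": p} for p in pubs]))
    print("subsearch as query:  ", format_subsearch([{"query": p} for p in pubs]))
    for pub, (reqs, dc) in count_downloads(events, pubs).items():
        print(f"{pub:<24} requests={reqs} distinct_accounts={dc}")
```

Running it prints the two expansions side by side and then one row per publication; the mixed-case request for 01-110HCG-1B.pdf is folded into the same row, and old-report.pdf never appears because it is not in the subsearch result.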
YOU ARE AMAZING
It does get touched on in the docs a bit. http://docs.splunk.com/Documentation/Splunk/latest/User/HowSubsearchesWork under the section titled "change the format of subsearch results" (which is now that I look at it, a bit of a misleading title for this info).
Thanks! That's pretty close to what I want. I'll have to parse cs_uri_stem to remove the rest of the path for the file name. I have never seen anything about renaming the field to "query" but if it works...