How to assign inner search returned value from sou...

priyanka_yadav · ‎05-02-2016

How to assign inner search returned value from source1 to outer search field from source2?

Inner search:

index=apic component=faultInst |  eval cT = strptime(created, "%Y-%m-%dT%H:%M:%S.%3N") | eval early = relative_time(cT,"-1m") | eval c1 = strftime(early,"%m/%d/%Y:%H:%M")| table c1

Outer search:

index=apic component=aaaModLR |eval created=c1 | table created,affected

Here I want c1 value from inner search to get assigned to outer search, and based on the c1 value match, I need to print created and affected fields from the aaaModLR source.

Your help will be highly appreciated. Thank You!

MuS · ‎05-02-2016

Hi priyanka_yadav,

for multiple reasons you should not use join or subsearches, like the event limits and performance - get more details here https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo... or from the virtual .conf session of @sideview March 2016 http://wiki.splunk.com/Virtual_.conf

Back to your search; this should be pretty straight forward since you're only search in one index over one field:

 index=apic component=faultInst OR component=aaaModLR
| eval cT = if(component ="faultInst", eval(strptime(created, "%Y-%m-%dT%H:%M:%S.%3N")), null()) 
| eval early = if(component ="faultInst", eval(relative_time(cT,"-1m")), null()) 
| eval c1 = if(component ="faultInst", eval(strftime(early,"%m/%d/%Y:%H:%M")), null())
| eval created = if(component ="aaaModLR", c1, null())
| where created = c1
| table created, affected

This is un-tested and written up after only one coffee 😉

What it does is the following:

get all your results from the index match the component field

index=apic component=faultInst OR component=aaaModLR

the next steps are only executed if the component matches faultInst

| eval cT = if(component ="faultInst", eval(strptime(created, "%Y-%m-%dT%H:%M:%S.%3N")), null()) 
| eval early = if(component ="faultInst", eval(relative_time(cT,"-1m")), null()) 
| eval c1 = if(component ="faultInst", eval(strftime(early,"%m/%d/%Y:%H:%M")), null())

the next step is only executed if the component matches aaaModLR

| eval created = if(component ="aaaModLR", c1, null())

compare the fields values of created with c1

| where created = c1

return a table with created and affected only if created matches c1

| table created, affected

Hope this helps ...

cheers, MuS

MuS · ‎05-02-2016

Little update on this: It could be that you will have to add somewhere along the search a streamstats or filldown to provided the additional fields further down the search stream....but without real event examples it's hard to tell 😉

cheers, MuS

somesoni2 · ‎05-02-2016

How many entries you'd get from inner search?
Could you provide more details on how value c1 be used on Outer search? How is field created and affected calculated generated?

patrick_muller · ‎05-02-2016

what you want is join two search whit the same field/value ?
something like this?

index=apic component=faultInst |  eval cT = strptime(created, "%Y-%m-%dT%H:%M:%S.%3N") | eval early = relative_time(cT,"-1m") | eval c1 = strftime(early,"%m/%d/%Y:%H:%M")| table c1 | join c1 [ index=apic component=aaaModLR |eval created=c1 | table created,affected, c1]

http://docs.splunk.com/File:Join.png

How to assign inner search returned value from source1 to outer search field from source2?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms