Splunk Search

How to use a field name from one search to perform another?

belladonna
New Member

Hello.

I want to make a dashboard with statistics about errors that happen in our application. I've made column chart with errorOperationsCount/operationsCount.
Then I've added 1 panel on my dashboard and I want to fill it with timechart of results of top-1 operation from first search. I want to make it through hidden search (so that I just complement the first search), but I don't know how to do it. Can you help me, please?

My current implementation:

1) chart with errorOperationsCount/operationsCount

index=prt 
 | chart dc(trackingId) over operation by result 
 | addtotals 
 | eval ratio = 1 - coalesce(OK,0)/Total 
 | fields operation, ratio 
 | sort limit=25 -ratio

2) first panel (I couldn't come up with how to do it through using result of first search)

index=prt result=* 
[search index=prt result=* 
| chart dc(trackingId) over operation by result 
| addtotals 
| eval ratio = 1 - coalesce(OK,0)/Total 
| sort limit=1 -ratio |fields operation]
|timechart span=1h count by result
0 Karma

sundareshr
Legend

Try this (beware of Post process limitations)

*For you base search*

<search id="base"><query>index=prt | eventstats c(trackingid) as total c(eval(result="OK")) as ok by operation | eval ratio=ok/total</query></search>

For your first chart*

<search base="base">
<query>stats max(ratio) as ratio by operation | sort 25 -ratio</</query></search>

*For your panel*

<search base="base"><search>eventstats min(ratio) as min_ratio | where ratio=min_ratio | timechart span=1h c by result</query></search>
0 Karma

belladonna
New Member

Thank you, sundareshr!
But I have result table like this

operation result
check 0.3
search 0.3
process 0.3

Which one of rows the "eventstats min(ratio) as min_ratio | where ratio=min_ratio" will resturn? I didn't write in my question, but I want to have 4 panels of top-4 error operations, not just 1. So I want to have some way to get the row number x and then make timechart for the operation number x. Thank you in advance for your attention to this matter.

0 Karma

sundareshr
Legend

eventstats works on all row. In this case, it is get the min(ratio) from all the rows a set that value to field min_ratio for all rows. For the 4 panels, you can use a combination of head & tail commands to get the specific row you need. So for the first panel, you will add head for the second row add head 2 | tail 1 for the third head 3 | tail 1 and for the fourth tail 1

0 Karma

belladonna
New Member

But

index=prt result=*
 | eventstats c(eval(result!="")) as totalOp c(eval(result="OK")) as okOp by operation 
 | eval ratio=1-okOp/totalOp|stats max(ratio) as ratio by operation | sort 3 -ratio|head|timechart count(operation) by result 

doesn't return anything

0 Karma

sundareshr
Legend

That's because you have a stats command that does not include the _time field. Change the stats command to eventstats. So you search will look like this

index=prt result=*
| eventstats c(eval(result!="")) as totalOp c(eval(result="OK")) as okOp by operation 
| eval ratio=1-okOp/totalOp
| eventstats max(ratio) as ratio by operation 
| timechart count(operation)max(ratio)  by result 
| sort 3 -ratio 
| head 1
0 Karma

DavidHourani
Super Champion

use a subsearch ?

0 Karma

belladonna
New Member

I use subsearch. But how can I use it so that I will use the result of first search?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...