- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- connect/concatenate two searches into one and visu...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
I have two searches:
Search A: BGP_NEIGHBOR_STATE_CHANGED source="udp:514" AND ("Established to Idle" OR "Established to Active" OR "Established to OpenConfirm" | stats count as BGP_DOWN | rangemap field=BGP_DOWN low=0-0 elevated=1-1 default=severe
Search B: BGP-5-ADJCHANGE source="udp:514" Down | rex field=_raw "neighbor (?<neighbor>.*)" | table neighbor | dedup neighbor | stats count as BGP_DOWN | rangemap field=BGP_DOWN low=0-0 elevated=1-1 default=severe
I want to connect these two searches into one and represent it as a single value.
I've tried sth like this:
((BGP_NEIGHBOR_STATE_CHANGED ("Established to Idle" OR "Established to Active" OR "Established to OpenConfirm") OR (BGP-5-ADJCHANGE Down | rex field=_raw "neighbor (?<neighbor>.*)" | table neighbor | dedup neighbor)) AND source="udp:514" | stats count as BGP_DOWN | rangemap field=BGP_DOWN low=0-0 elevated=1-1 default=severe
But I get error: Error in 'search' command: Unable to parse the search: unbalanced parentheses.
Is there a way to connect/concatenate two searches into one and visualize this as a single value?
Best Regards,
C4r7m4n
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @Ayn
Yes, You were right I didn't notice the search word.
I've changed this and it's worinking but I don't know why it's counting 2 time more 😞
This is my changed search:
BGP_NEIGHBOR_STATE_CHANGED source="udp:514" AND ("Established to Idle" OR "Established to Active" OR "Established to OpenConfirm") | append [search BGP-5-ADJCHANGE source="udp:514" Down | rex field=_raw "neighbor (?<neighbor>.*)" | table neighbor | dedup neighbor] | stats count as BGP_DOWN | rangemap field=BGP_DOWN low=0-0 elevated=1-1 default=severe
With code: stats count as BGP_DOWN | rangemap field=BGP_DOWN low=0-0 elevated=1-1 default=severe
it's counting to 6 instead 3. Do you have any idea why?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @Ayn
Yes, You were right I didn't notice the search word.
I've changed this and it's worinking but I don't know why it's counting 2 time more 😞
This is my changed search:
BGP_NEIGHBOR_STATE_CHANGED source="udp:514" AND ("Established to Idle" OR "Established to Active" OR "Established to OpenConfirm") | append [search BGP-5-ADJCHANGE source="udp:514" Down | rex field=_raw "neighbor (?<neighbor>.*)" | table neighbor | dedup neighbor] | stats count as BGP_DOWN | rangemap field=BGP_DOWN low=0-0 elevated=1-1 default=severe
With code: stats count as BGP_DOWN | rangemap field=BGP_DOWN low=0-0 elevated=1-1 default=severe
it's counting to 6 instead 3. Do you have any idea why?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try:
source="udp:514" ((BGP_NEIGHBOR_STATE_CHANGED ("Established to Idle" OR "Established to Active" OR "Established to OpenConfirm") OR (BGP-5-ADJCHANGE Down)) | rex field=_raw "neighbor (?<neighbor>.*)" | table neighbor | dedup neighbor | stats count as BGP_DOWN | rangemap field=BGP_DOWN low=0-0 elevated=1-1 default=severe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @dart
Your code doesn't work for me. I have the same error as befor: Error in 'search' command: Unable to parse the search: unbalanced parentheses.
Secondly, i think it cannot work because in Search A there is not word neighbor so if you concatenate two first searches and the try to search regexp by neigbour, then when search A occure the regexp will not filtr this.
I don't know if I wrote this clearly...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use append for this.
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Append
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
At the start of a search within [ ] to need to use the word search. I suspect you have copied and pasted your original search into the brackets.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @Ayn
I tried a couple of seconds ago what you have sent me and I've got error:
Search operation 'bgp' is unknown. You might not have permission to run this operation.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
