Splunk Search

Comparing Chart Results to field

jamie_leclair
Engager

This is my first time posting to the community. I hope this answer is not listed somewhere else; if it is, I have been unable to find it.

I create my own dashboards for everything and I am more or less trying to tackle my first data correlation attempt but so far have come up short.

The dashboard I have created uses dynamically generated filters. The field I am focused on at the moment is very simple; it's "host", and it looks like this:

(Filter1)
$time_span$ index=$nexus_app_dc$ nexus_syslog_level=$nexus_loglevel$ $keyword$ | chart count by host

(THIS WORKS)

What I want to do is use the results of this chart to run another search against other data. I will provide an example

Let's say the chart comes back with the following:
"10.0.0.1"
"10.0.0.2"
"10.0.0.3"

I only want my next search to contain hosts that are in that list. Here is what I have so far:

$time_span$ index=dcxx_acs Address=$nexus_app_host$ | top limit=50 _time, User, Address, CmdSet | fields - count - percent

I guess in my mind I see it something like the following, if I were to write it out manually:

$time_span$ index=dcxx_acs Address=10.0.0.1 OR Address=10.0.0.2 OR Address=10.0.0.3 | top limit=50 _time, User, Address, CmdSet | fields - count - percent

I hope at least some of this makes sense to some of you; any assistance is appreciated.


somesoni2
Revered Legend

You just need to add your first search as a subsearch filter in the second search. Since you're filtering based on a field name, the subsearch should return results with a field of the same name (a rename command is added for that).

$time_span$ index=dcxx_acs [search $time_span$ index=$nexus_app_dc$ nexus_syslog_level=$nexus_loglevel$ $keyword$ | chart count by host | table host | rename host as Address ] | top limit=50 _time, User, Address, CmdSet | fields - count - percent
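The subsearch-with-rename pattern from this answer, laid out as a Simple XML dashboard with the same tokens the question uses (an added example, not code from the question, the answer, or Splunk). The index names, field names and token names come from the thread; the form inputs, their default values and the first "preview" panel are assumptions. Because a subsearch inherits the outer search's time range, the time picker is applied once through the panel's earliest/latest settings instead of a $time_span$ token inside the query string.

```xml
<form version="1.1">
  <label>ACS command sets on Nexus hosts (subsearch correlation)</label>

  <fieldset submitButton="true" autoRun="false">
    <!-- Time picker: the outer search and the subsearch both run over this range. -->
    <input type="time" token="time_span">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- Index holding the Nexus syslog events (default value is an assumption). -->
    <input type="text" token="nexus_app_dc">
      <label>Nexus index</label>
      <default>nexus_dc1</default>
    </input>
    <!-- Syslog severity to filter on (value list is an assumption). -->
    <input type="dropdown" token="nexus_loglevel">
      <label>Syslog level</label>
      <choice value="3">3 (error)</choice>
      <choice value="4">4 (warning)</choice>
      <default>3</default>
    </input>
    <!-- Free-text keyword, passed into the search as typed (assumed input). -->
    <input type="text" token="keyword">
      <label>Keyword</label>
      <default>*</default>
    </input>
  </fieldset>

  <row>
    <panel>
      <title>Step 1: the filter the subsearch will hand to the ACS search</title>
      <!-- Same pipeline as the subsearch, with `format` appended, so the exact
           (Address="10.0.0.1") OR (Address="10.0.0.2") ... string can be checked
           before relying on it. -->
      <table>
        <search>
          <query>index=$nexus_app_dc$ nexus_syslog_level=$nexus_loglevel$ $keyword$
| chart count by host
| table host
| rename host AS Address
| format</query>
          <earliest>$time_span.earliest$</earliest>
          <latest>$time_span.latest$</latest>
        </search>
      </table>
    </panel>
  </row>

  <row>
    <panel>
      <title>Step 2: ACS command sets issued to those hosts</title>
      <!-- The bracketed subsearch runs first; its rows become an OR filter on
           Address because the host field was renamed to match the outer search. -->
      <table>
        <search>
          <query>index=dcxx_acs
    [ search index=$nexus_app_dc$ nexus_syslog_level=$nexus_loglevel$ $keyword$
      | chart count by host
      | table host
      | rename host AS Address ]
| top limit=50 _time, User, Address, CmdSet
| fields - count, percent</query>
          <earliest>$time_span.earliest$</earliest>
          <latest>$time_span.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Two things worth checking when this runs against real volumes: a subsearch is capped by the [subsearch] settings in limits.conf (10,000 results and 60 seconds by default), so if the Nexus side produces more distinct hosts than that the Address filter is silently truncated, which the step 1 panel makes visible. And because a raw text token such as $keyword$ is substituted into the query string as typed, anything a user enters becomes part of the search; if the keyword is meant to be a literal term rather than search syntax, the $keyword|s$ token filter quotes it.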

jamie_leclair
Engager

Wow, that worked... perfectly. I just spent the last hour playing with the map command without any luck. You're a wizard, sir, and I thank you.


richgalloway
SplunkTrust

If your problem is resolved, please accept the answer to help future readers.

---
If this reply helps you, Karma would be appreciated.