Splunk Search

Can I reuse subsearch results for two panels in a form?

steveta_uk
Explorer

I am trying to develop a view that allows the user to select two time periods, then determine what changes have been made to a particular field between these two periods. For example, to determine what hosts were in use last week and not this week, and vice versa.

The search is easy enough, basically the two result sets are given by these search strings:

sourcetype="syslog" earliest=-14d latest=-7d NOT [search sourcetype="syslog" earliest=-7d latest=-0d | fields host | dedup host] | fields host | fields - _* | dedup host

sourcetype="syslog" earliest=-7d latest=-0d NOT [search sourcetype="syslog" earliest=-14d latest=-7d | fields host | dedup host] | fields host | fields - _* | dedup host

Is there a way to reduce this from 4 searches to 2, by somehow saving the subsearch and outer search results, and then comparing them as A NOT B and B NOT A ?

0 Karma

steveta_uk
Explorer

Carasso, yes this was the solution I have adopted, but it has problems in a couple of areas. Firstly the pager in the results doesn't know the correct number of hits, so for example shows pages 1-10 where only pages 1-3 have any results in them; this is because the pager seemed to be based on the count of hits in the base search, not on the postprocess. Secondly, the progress bar is all wrong - I think possibly for the same reason.

0 Karma

steveta_uk
Explorer

A bit of advice would be useful here - I very often see problems answered by everyone being told to use the Sideview Utils. As I want to provide reporting that can be used against my product by any Splunk user, I had assumed that I should stick to the built-in Splunk function set, just as when developing UNIX apps I would try to use only the available OS interfaces and not expect end users to have to install other 3rd party packages to get things to work.

What do others do in these circumstances? Do you bundle Sideview utils with your apps? Or tell the end user they must install it first? What if the user has some reason to not want to install sideview? etc...

0 Karma

Ayn
Legend

The "PostProcess" module in Sideview Utils addresses precisely this issue.

0 Karma

steveta_uk
Explorer

Not sure this helps - I have two different base searches, and the same two searches as subsearches but swapped around, and what I'm trying to do is only run them once each but process the results in a different sequence.

0 Karma

carasso
Splunk Employee

You can write the results to a csv file after the first run and then read the results for the second.

0 Karma

bmacias84
Champion

I haven't tested this, but your base search might look something like this. I might have my comparison operators incorrect. I also hope I understand what you're trying to accomplish.

sourcetype="syslog" earliest=-14d latest=-0d | eval preweek = if(_time >= relative_time(now(), "-14d@d") AND _time < relative_time(now(), "-7d@d"), host, null()) | eval curweek = if(_time >= relative_time(now(), "-7d@d") AND _time <= relative_time(now(), "0d@d"), host, null()) | dedup curweek, preweek keepempty=true | fields curweek, preweek

Cheers,

0 Karma

bmacias84
Champion

Yes, I would create a base search with some post-process searches. Hopefully this gets you started.

http://docs.splunk.com/Documentation/Splunk/latest/Developer/PostProcess

0 Karma
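Added example (not from any of the posts above, and not tested against the asker's data): one way to get both "A NOT B" and "B NOT A" out of a single base search, so the two panels share one pass over the index. It assumes the same sourcetype="syslog" and host field as the question, and the labels "prev" and "cur" for the two seven-day periods are my own choice.

```spl
sourcetype="syslog" earliest=-14d@d latest=@d
| eval period=if(_time < relative_time(now(), "-7d@d"), "prev", "cur")
| stats values(period) AS period, dc(period) AS period_count BY host
| where period_count=1
| fields host period
```

Each host that appears in only one of the two periods survives the `where`, with `period` telling you which one. The base search is then post-processed twice: the first panel uses `search period="prev"` (hosts seen last week but not this week) and the second uses `search period="cur"` (hosts seen this week but not last week). Because the base search ends in `stats`, it is a transforming search and the post-process works on one row per host rather than on raw events, which also keeps the row counts the panels report consistent with what they actually display.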