Splunk Search

SET UNION problem with time reporting

pinzer
Path Finder

Dear All,

I'm doing a search with a set UNION, like this:

| SET UNION [SEARCH FOO | FIELDS fields IP, count] [ SEARCH BAR | FIELDS fields IP, count]

I can correctly see the list of IP, count but I cannot see anything on the timeline.

I'd like to have a timechart that indicates on the X-axis the timeline and on the Y-axis the number of events of Search FOO + the number of events of Search BAR.

How can I obtain this?

Thank you

0 Karma

fedevietti
New Member

Thank you nick,

the problem is that in "foo" and "bar" we are using a "rename" function.

This is because foo search, without rename function, returns (EG) the following fields:

A, B

The bar search (without rename) returns:

A, C

We have to count by B in the foo search and by C in the bar search, and then filter where count is > 10.

Something like this:

"(foo | rename B as D) OR (bar | rename C as D) | stats count by D | where count>10"

but when I use rename on a search that is then put in OR with another, I receive an "Error in 'UnifiedSearch': Unable to parse the 'unbalanced parentheses' search." error.

Any idea about how can we do a "(foo | rename B as D) OR (bar | rename C as D) | stats count by D | where count>10" search?

Thank you

0 Karma

araitz
Splunk Employee

Done and done and done.

0 Karma

sideview
SplunkTrust

You don't need the set command to do this, but I can see why you tried it first.

Just search for this:

( foo OR bar ) 

and then use eval and eval's 'searchmatch' function to paint a field on each row, denoting whether that row was matched by the 'foo' side or the 'bar' side.

Assuming foo and bar are mutually exclusive then it's pretty simple. The following will show a timechart with two counts per time bucket. One count for the 'foo' events, one for the 'count' events.

( foo OR bar ) | eval type=if(searchmatch("foo"),"foo","bar") | timechart dc(remote_host) by type

and if you just want an overall count, this will do it too:

( foo OR bar ) | eval type=if(searchmatch("foo"),"foo","bar") | stats dc(remote_host) by type

If foo and bar are not mutually exclusive you might have to get a little fancier.

And if there is already a field in the data that always has one value for the 'foo' events, and another value for the 'bar' events, just put that fieldname in your 'by' clause and don't bother with the eval at all.
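To make the behaviour of the search above concrete, here is an added Python model of what sideview's pipeline does (example code, not part of this thread and not Splunk's own implementation). It approximates searchmatch("foo") as a case-insensitive substring test on _raw, tags each event with a type field, then computes both the hourly timechart and the overall stats of distinct remote_host values per type. The events, their timestamps and the remote_host values are constructed for illustration.

```python
"""
Added example (not from the Splunk Answers thread): a Python model of

  ( foo OR bar )
  | eval type=if(searchmatch("foo"),"foo","bar")
  | timechart span=1h dc(remote_host) by type

searchmatch() is approximated as a case-insensitive substring test on _raw.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (assumption: each event carries _time, remote_host, _raw).
EVENTS = [
    {"_time": "2024-03-01T10:05:00Z", "remote_host": "10.0.0.1", "_raw": "foo login ok"},
    {"_time": "2024-03-01T10:20:00Z", "remote_host": "10.0.0.2", "_raw": "foo login ok"},
    {"_time": "2024-03-01T10:40:00Z", "remote_host": "10.0.0.1", "_raw": "foo retry"},
    {"_time": "2024-03-01T10:50:00Z", "remote_host": "10.0.0.9", "_raw": "bar denied"},
    {"_time": "2024-03-01T11:10:00Z", "remote_host": "10.0.0.3", "_raw": "bar denied"},
    {"_time": "2024-03-01T11:30:00Z", "remote_host": "10.0.0.3", "_raw": "bar denied"},
    {"_time": "2024-03-01T11:45:00Z", "remote_host": "10.0.0.4", "_raw": "baz unrelated"},
]


def searchmatch(event, term):
    """Approximation of SPL searchmatch(): does the raw event contain the term?"""
    return term.lower() in event["_raw"].lower()


def base_search(events):
    """( foo OR bar ): keep only events matched by either side."""
    return [e for e in events if searchmatch(e, "foo") or searchmatch(e, "bar")]


def eval_type(events):
    """eval type=if(searchmatch("foo"),"foo","bar"): tag each row with its side.
    An event matching both sides is tagged "foo", which is why the answer above
    assumes foo and bar are mutually exclusive."""
    return [dict(e, type="foo" if searchmatch(e, "foo") else "bar") for e in events]


def bucket(ts, span_seconds):
    """Align an ISO-8601 UTC timestamp down to the start of its span bucket."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    epoch = int(dt.timestamp())
    start = epoch - (epoch % span_seconds)
    return datetime.fromtimestamp(start, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def timechart_dc_by_type(events, span_seconds=3600):
    """timechart span=1h dc(remote_host) by type -> {bucket: {type: distinct hosts}}"""
    hosts = defaultdict(lambda: defaultdict(set))
    for e in events:
        hosts[bucket(e["_time"], span_seconds)][e["type"]].add(e["remote_host"])
    return {b: {t: len(s) for t, s in types.items()} for b, types in sorted(hosts.items())}


def stats_dc_by_type(events):
    """stats dc(remote_host) by type -> {type: distinct hosts}"""
    hosts = defaultdict(set)
    for e in events:
        hosts[e["type"]].add(e["remote_host"])
    return {t: len(s) for t, s in hosts.items()}


def run(events=EVENTS):
    """Run the whole pipeline; returns (timechart rows, overall stats)."""
    typed = eval_type(base_search(events))
    return timechart_dc_by_type(typed), stats_dc_by_type(typed)


if __name__ == "__main__":
    chart, totals = run()
    for b, counts in chart.items():
        print(b, counts)
    print("overall:", totals)
```

Note that the "baz" event is dropped by the base search and never reaches the chart, and that host 10.0.0.1 appears in two "foo" events but is counted once per bucket, which is what dc() does. If your events can match both foo and bar, the if() in eval_type() silently assigns them to the "foo" side; that is the case sideview flags as needing something fancier.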

sideview
SplunkTrust

Agreed. I suggest deleting the other question since this account is slightly older.

0 Karma

ftk
Motivator

Please don't double post with different accounts.

0 Karma