Splunk Search

using a $variable$ in the output of a mapped search

a238574
Path Finder

I am running a search that gets a list of accounts, multiple records that can have multiple accounts in each event. I need to find all accounts that are not valid. What I have so far produces results, but I can't figure out how to get the $acctid$ in the output. Right now I just get 2 records in the stats page that show a 0 for each one, but no way to show the content of the $acctid$. I have manually checked and the number is correct: I have 2 bad accounts.

Basic search is

index=events eventName="testevent" | spath output=acctid path="requestParameters.items{}.acctid" | stats list(acctid) as acctid by eventID | mvexpand acctid | map search="search index=acctlist Id=$acctid$ | stats count | where count=0"

The 1st half of the search produces

eventID                                acctid
15326ca3-d4ce-421f-aa07-457fcc7c5df1    12345678
8b99fa14-fa4f-4cd2-8d5e-4d9244b5e027    04341234568
8b99fa14-fa4f-4cd2-8d5e-4d9244b5e027    34491234568
9d807652-8b16-4a1a-a985-236c8409b73c    12345678
c5e8b181-4440-4af3-8687-805522ab67e8    04341234568
e539d095-8664-4c68-99ba-1ef1329ec78d    34491234568
ebf27592-2741-4093-b035-eaf3d1ecc4ee    04341234568

I know the 1st and 4th entries are bad accounts, and the map command produces 2 results but just shows the zero from the count. How do I get the contents of either the acctid or eventID in the results?

count
0
0
0 Karma
1 Solution

a238574
Path Finder

Found the answer... eval was the key

index=events eventName="testevent" | spath output=acctid path="requestParameters.items{}.acctid" | stats list(acctid) as acctid by eventID | mvexpand acctid | map search="search index=acctlist Id=$acctid$ | stats count | where count=0 | eval eventID=$eventID$ | stats list(count) by eventID"


0 Karma

richgalloway
SplunkTrust

The stats command only returns the fields requested - in this case just 'count'. Try ... | stats count by acctid | ....

---
If this reply helps you, Karma would be appreciated.
0 Karma
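Combining the accepted answer (carry the map variables into the subsearch with eval) with richgalloway's point (stats only emits the fields you ask for), here is an added SPL example that is not from the original thread. It assumes the same index names (events, acctlist), field names (acctid, eventID, Id) and sample account IDs as the question; the dedup and maxsearches lines are additions for robustness, not part of either poster's search.

```spl
index=events eventName="testevent"
| spath output=acctid path="requestParameters.items{}.acctid"
| stats list(acctid) as acctid by eventID
| mvexpand acctid
| dedup eventID acctid
| map maxsearches=100 search="search index=acctlist Id=\"$acctid$\"
    | stats count
    | where count=0
    | eval eventID=\"$eventID$\", acctid=\"$acctid$\"
    | stats count by eventID acctid"
```

Two things worth knowing about map here: it runs one subsearch per input row and stops after maxsearches (default 10) without warning, so the 7-row input in the question fits but a larger account list would be silently truncated; and the $acctid$ / $eventID$ values are substituted as text, so quoting them inside the inner eval keeps IDs with leading zeros (04341234568) and hyphenated GUIDs from being parsed as expressions. The final stats count by eventID acctid yields one row per invalid account with both identifiers visible, which is what the original question was missing.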
