Splunk Search

How to calculate state based on values from many searches

prsepulv
Explorer

I'm using a dashboard to display the state of some services. For this purpose, I must take single values from many searches to obtain a final value, like value = value1 * value2 * value3 ... valueN
The searches are like:

Search1:

search index=index1 sourcetype=source1 earliest=-30m latest=now() | head 1 
| rex field=_raw "State 1 (?<State_01>.),(?<State_02>.)...(?<State_NN>.)"
| eval value1=State_01*State_02* ...    *StateNN

Search2:

search index=index2 sourcetype=source2 earliest=-30m latest=now() | head 1 
| rex field=_raw "State 1 (?<State_01>.),(?<State_02>.)...(?<State_NN>.)"
| eval value2=State_01*State_02* ...    *StateNN

SearchN:

search index=indexN sourcetype=sourceN earliest=-30m latest=now() | head 1 
| rex field=_raw "State 1 (?<State_01>.),(?<State_02>.)...(?<State_NN>.)"
| eval valueN=State_01*State_02* ...    *StateNN

and finally,

| eval value=value1*value2*...*valueN

Each search works fine separately, but not together. I was using join, like this:

search index=index1 sourcetype=source1 earliest=-30m latest=now() | head 1 
| rex field=_raw "State 1 (?<State_01>.),(?<State_02>.)...(?<State_NN>.)"
| eval value1=State_01*State_02* ...    *StateNN
| join value2
[ search index=index2 sourcetype=source2 earliest=-30m latest=now() | head 1 
| rex field=_raw "State 1 (?<State_01>.),(?<State_02>.)...(?<State_NN>.)"
| eval value2=State_01*State_02* ...    *StateNN ]
| eval value=value1*value2

And Splunk keeps telling me "No results found". What am I doing wrong?

Regards,

Pedro

0 Karma
1 Solution

prsepulv
Explorer

I found an answer at this link: https://answers.splunk.com/answers/240798/how-to-return-a-single-value-from-a-subsearch-into.html
It works like a charm...

Thank you very much to all.

Regards

0 Karma

gcusello
SplunkTrust

Hi prsepulv,
Let me understand: why don't you use only one search with an OR clause? In this way you don't have the subsearch limit.

(index=index1 sourcetype=source1) OR (index=index2 sourcetype=source2) OR (index=indexn sourcetype=sourcen) earliest=-30m latest=now()
 | rex field=_raw "State 1 (?<State_01>.),(?<State_02>.)...(?<State_NN>.)"
 | eval value1=State_01*State_02* ...    *StateNN

Then you can calculate the things you want and display the values you like, e.g. if you want some Single Value panels that display the first value (or max, or sum) for each index, you can run

(index=index1 sourcetype=source1) OR (index=index2 sourcetype=source2) OR (index=indexn sourcetype=sourcen) earliest=-30m latest=now()
| rex field=_raw "State 1 (?<State_01>.),(?<State_02>.)...(?<State_NN>.)"
| eval value=State_01*State_02* ...    *StateNN
| stats first(value) AS value BY index

so you can display it in one panel or in multiple Single Value panels using Trellis.

Bye.
Giuseppe

0 Karma

prsepulv
Explorer

I tried to use it; however, I calculate values from fields extracted with regex, and apparently I can use only one rex field=_raw extraction per query. If I try to use a second regex extraction, the previously extracted and calculated data are gone. Also, the records of each search have different lengths and don't have any relation between them.

0 Karma

Anantha123
Communicator

Hi,

Joins are used to join two different searches with a common variable. In this scenario, value* is something you are calculating for each search. So you should use appendcols instead of join.

0 Karma

prsepulv
Explorer

I'm trying to use appendcols; the problem is that values calculated inside the subsearch aren't shared with the main search. In each subsearch I find the last record and parse it with regex. With the parsed data I calculate a single value. After that I would like to use that value in the main search, with other values, to calculate a main value.
The different subsearches are absolutely independent of each other and don't share any data. Also, the length of the records is different in each subsearch.

Regards

0 Karma
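Worked example of the appendcols pattern Anantha123 suggests, written for this thread and not taken from any of the posts: each branch runs its own head 1, its own rex (so branches with records of different length get different regexes, which addresses the one-rex-per-query concern above), and reduces itself to exactly one row with a single field before appendcols glues the columns side by side. Index, sourcetype and field names, the number of State fields per branch, and the choice to count a branch with no event in the window as state 0 via fillnull are all assumptions made for the example.

```spl
index=index1 sourcetype=source1 earliest=-30m
| head 1
| rex field=_raw "State 1 (?<State_01>.),(?<State_02>.),(?<State_03>.)"
| eval value1=State_01*State_02*State_03
| fields value1
| appendcols
    [ search index=index2 sourcetype=source2 earliest=-30m
      | head 1
      | rex field=_raw "State 1 (?<State_01>.),(?<State_02>.)"
      | eval value2=State_01*State_02
      | fields value2 ]
| appendcols
    [ search index=index3 sourcetype=source3 earliest=-30m
      | head 1
      | rex field=_raw "State 1 (?<State_01>.),(?<State_02>.),(?<State_03>.),(?<State_04>.)"
      | eval value3=State_01*State_02*State_03*State_04
      | fields value3 ]
| fillnull value=0 value1 value2 value3
| eval value=value1*value2*value3
| table value1 value2 value3 value
```

appendcols pairs row 1 of the outer search with row 1 of each subsearch, so every branch must emit exactly one row; the fields command keeps the State_* names of one branch from clobbering the next, and fillnull keeps a silent branch (no event in the last 30 minutes) from turning the whole product into null, which is what makes the Single Value panel show nothing.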