I want to get a list of IPs and then feed that list into 3 subsequent searches that will each produce a count column, ending up with a table like:
ip countA countB countC
1st search: index=test source=ip-log ip | table ip | sort ip
2nd search: index=test source=logA *ip-list-from-1st-search* patternA | stats count as countA by ip
3rd search: index=test source=logB *ip-list-from-1st-search* patternB | stats count as countB by ip
4th search: index=test source=logC *ip-list-from-1st-search* patternC | stats count as countC by ip
I can combine the 1st and 2nd searches with a subsearch and produce a table of ip, countA. But I don't know how to chain in the 3rd and 4th searches, since their events only have ip and not countA.
I've also played with appendcols, but the problem there is that I have to re-execute the 1st search for every appendcols subsearch.
So how do I pass the result of the 1st search into 3 subsequent independent searches and stitch the columns into one table?
Are you using this for a dashboard of some sort? In that case I suggest you look into using post-processing to achieve this.
Otherwise you could put your pattern matching into the stats command using eval operators, like this:
index=test (source=logA AND patternA) OR (source=logB AND patternB) OR (source=logC AND patternC) [search index=test source=ip-log ip | fields ip] | stats count(eval(searchmatch("patternA"))) as countA, count(eval(searchmatch("patternB"))) as countB, count(eval(searchmatch("patternC"))) as countC by ip
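The post-processing route the answer mentions, as an added Simple XML example that is not part of the original thread. The base search runs the IP subsearch and the three pattern filters once and reduces the events to one row per ip and source; the panel then post-processes that small result set into the ip, countA, countB, countC layout. The index, source names and pattern terms are the placeholders from the question; `dedup ip` in the subsearch is an added tweak so the generated `(ip=...) OR (ip=...)` clause contains each address once.

```xml
<dashboard>
  <label>Hits per IP across logA, logB and logC</label>

  <!-- Base search: executed once. Keep it a transforming search (stats)
       so the post-process panels work on aggregated rows rather than raw
       events, which are subject to the post-process event limit. -->
  <search id="ip_hits_base">
    <query>
      index=test (source=logA AND patternA) OR (source=logB AND patternB) OR (source=logC AND patternC)
        [search index=test source=ip-log ip | dedup ip | fields ip]
      | stats count by ip, source
    </query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>

  <row>
    <panel>
      <title>Counts per IP</title>
      <table>
        <!-- Post-process: pivot the per-source counts into one column each.
             The column names come from the source values, so rename them
             to the countA/countB/countC names used in the question. -->
        <search base="ip_hits_base">
          <query>
            chart sum(count) over ip by source
            | rename logA AS countA, logB AS countB, logC AS countC
            | fillnull value=0 countA countB countC
            | sort ip
          </query>
        </search>
        <option name="count">50</option>
      </table>
    </panel>
  </row>
</dashboard>
```

Two caveats worth knowing before relying on either form. First, the subsearch that expands the IP list is bounded by the subsearch limits in limits.conf (by default 10,000 results and 60 seconds); if the ip-log yields more addresses than that, the generated filter is silently truncated, and a lookup table or a `| inputlookup`-based filter is the safer way to carry the list. Second, both the single-search answer and this dashboard only emit rows for IPs that produced at least one matching event in logA, logB or logC; an IP from the first search with no hits anywhere will not appear with zeros, so if a complete roster is required the IP list has to be joined back in (for example via a lookup) rather than used purely as a filter.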