- Splunk Answers
- :
- Using Splunk
- :
- Reporting
- :
- scheduled report based on X number of search resul...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
scheduled report based on X number of search results
i have a query template already made.
i want to run this query on X (the number will change all the time) amount of distinct description that are being returned through another query.
how can i do that?
query that run on every distinct description:
index="event_raw_data" description="somedescription" | fillnull value="NO Description" description | timechart count by description useother=f
query that return the description:
index="event_raw_data" | table description | dedup description
i want to combine the two so that the first query will run on every distinct result of the first
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to program the first search by using the second search as a subsearch like this:
index="event_raw_data" [index="event_raw_data" | stats values(description) AS description] | timechart count by description useother=f
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As far as creating/using one search as a template for another search, carefully read about savedsearch and all that it can do in this regard using placeholders:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Savedsearch
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That is what map is for, but beware of dangerous scaling:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Map
However, I strongly suspect that you are not accurately describing what you really need to do here.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try like this
index="event_raw_data" [search index="event_raw_data" ..other search terms if any...| stats count by description | table description]
| timechart count by description useother=f
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hope i understand your question
try this:
index="event_raw_data" description="somedescription" | timechart limit=0 count by description
let the timechart command dedup for you
as a side note, its always better to dedup before table
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
