Re: Can you help me with a search query using the ...

anandhalagarasa · ‎04-02-2019

Hi Team,

I have a query to segregate and provide the data in a table format in Splunk Enterprise.

index=xxx sourcetype="xyz" "ERROR" |table index, sourcetype, Level

In this search query now, i am getting a table format with index sourcetype and Level information in a perfect manner. But I also want to display in the table format the search query also i.e. (index=xxx sourcetype="xyz" "ERROR" )

So how can i get the data something like:

index  sourcetype level query

kamlesh_vaghela · ‎04-02-2019

@anandhalagarasan

Can you please try this search?

index=xxx sourcetype="xyz" "ERROR" 
| table index, sourcetype, Level 
| addinfo 
| map search=" | rest splunk_server=local count=0 /services/search/jobs | search sid=$info_sid$ | eval sourcetype=$sourcetype$,index=$index$, Level=$Level$| table index sourcetype Level title | rename title as query"

Here, I have used map. Ref:https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/map

I have tried with below sample search.

index="_internal" | stats count by sourcetype | addinfo | map search=" | rest splunk_server=local count=0 /services/search/jobs | search sid=$info_sid$ | eval sourcetype=$sourcetype$,count=$count$| table title sourcetype count"

Thanks

anandhalagarasa · ‎04-04-2019

The query seems to be not working fine as expected.

Can you help me with a search query using the table command?

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector