Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to iterate through lists of values in Splunk?

pramit46
Contributor
‎12-04-2016 10:02 PM

I have two lists in my dashboard which are inter dependent. I need to iterate through each list values of L1 and put them in another search to get another list ,and then group them together to show them on the dashboard.

Let's say query Q1 returns the list L1, where each value has multiple values associated with the second list L2. So I want to use each value of L1 and use them in another query Q2, that would return L2. and then group them by each value of L1 and show it in an individual block.

L1.V1 (outcome of Q1):
|L2.v1 (outcome of Q2)|
|L2.v6 (outcome of Q2)|
|L2.v7 (outcome of Q2)|

L1.V2 (outcome of Q1):
|L2.v2 (outcome of Q2)|
|L2.v4 (outcome of Q2)|
|L2.v5 (outcome of Q2)|

Any idea, how to achieve this?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-04-2016 11:57 PM

Hi pramit46,
I think that values in both the searches are related to a field (e.g. Key) if field name is different in the two searches, you must rename it in the sub search.
So you should try something like this:
Search2 [ search search1 | rename Key1 AS Key | fields Key] | stats values(L2) AS L2 count by Key

It is different if values of L1 aren't in a field, so you can use L1 to search in L2 but it's more difficoult to Group by, every eay try something like this:
Search2 [ search Search2 | rename Key1 AS query | fields query | stats count by Key2
Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-04-2016 11:57 PM

Hi pramit46,
I think that values in both the searches are related to a field (e.g. Key) if field name is different in the two searches, you must rename it in the sub search.
So you should try something like this:
Search2 [ search search1 | rename Key1 AS Key | fields Key] | stats values(L2) AS L2 count by Key

It is different if values of L1 aren't in a field, so you can use L1 to search in L2 but it's more difficoult to Group by, every eay try something like this:
Search2 [ search Search2 | rename Key1 AS query | fields query | stats count by Key2
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

pramit46
Contributor
‎12-05-2016 10:23 AM

Thanks @cusello. It helped. 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...