- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: intermediate storing of the results
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
intermediate storing of the results
Hello,
I have a dbxquery, that returns a table, where I am interested in one column, let us say c1.
Then in my search I have to unfortunately execute the map command, that wipes all the variables set before, also the c1.
The above steps I have to iterate several times.
How would I store the columns c1, .... cN and extract them at the end of my search?
Kind Regards,
Kamil
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@damucka Can you share your existing query? Essentially you will be using the token c1 from your main query in the map search and assign it to a new field...
<yourSearchWhichReturnsC1Field>
| map search="search <yourSearchHereWhichReturnsRequiredResults>
| eval c1=$c1|s$"
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @niketnilay
i would still need help with this.
I have following map command to test:
| eval host_to_trigger = "ls5979"
| eval decision = 1
| where isnotnull(host_to_trigger) and isnotnull(decision)
| map maxsearches=20 search="dbxquery query=\"call SYS.MANAGEMENT_CONSOLE_PROC('runtimedump dump -f /usr/sap/ICP/HDB02/$host_to_trigger$/trace/DB_ICP/iAlerting_rtedump_ANOMALY_$triggertime$.trc','$host_to_trigger$:30240',?)\" connection=\"HANA_MLBSO_ICP\" | eval decision=$decision$ "
and the decision variable is not visible afterwards.
Could you please advise?
Kind Regards,
Kamil
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you please change your answer into reply, that I can accept it?
Your solution would solve the issue as well of course.
Kind Regards,
Kamil
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, I got the point.
The thing is however, that these are possibly more columns than only c1 and also there are more map commands in between. Then passing more and more results over the map command will make it a bit difficult to read.
I think I will use:
| outputtext usexml=false | fields - _raw | outputcsv sql_output.txt
to store the results and then inputcsv to restore the variables at the end.
Thank you for your help.
Kind regards,
Kamil
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
