Full disclosure, I am very new to Splunk, so I may explain my question incorrectly. I have two data sources and was given a query to pull data from them individually. I am trying to join this data together so I can create some type of chart, but I am unsure if this would be a join/search etc.

> index=mail sourcetype=barracuda bcSendAction=1

This allows me to search through the mail logs by sender address and show all emails with a bcSendAction=1, which is a successful send. Now, my other search is a log that shows all of the sender email addresses during a certain time period. I would like to use the result of this (the email value) in the first search so that I don't have to hard-code the bcSender, but rather have it use the results from the other source. I was able to parse the log and pull out just the email addresses that I want to use to plug into my first search. I followed a few emails and tutorials, but a lot of the joins I was seeing only used two different sources/datasets and didn't use the search as I did in my first query. My attempt at this was something like:

> index=mail sourcetype=sendmail_syslog
> rex field=from ".*)>"

Can someone point me in the right direction with how to approach this search? I don't know that I am referencing the email from the first result set correctly.


If I understand your request properly, then you need 3 steps:

1. get the sender addresses from index=mail sourcetype=sendmail_syslog.
2. use these sender addresses to get a list of messageID's from index=mail sourcetype=barracuda.
3. use these messageID's to finally get the events you are looking for.

This sounds like you need a subsearch (for getting the sender addresses) inside of another subsearch (for getting the messageID's), meaning your own attempt was pointing in the right direction already. Try something along these lines:

> index=mail sourcetype=barracuda bcSendAction=1
> index=mail sourcetype=sendmail_syslog
> rex field=from ".*)>"

I cannot really verify it without having your data, but I'll try to explain what it's supposed to do.

Let's start from the innermost subsearch. Line 5 selects the events from which you generate the address list. Line 6 extracts the addresses directly into the field bcSender. We need the fieldname to be bcSender for the outer search. (We could extract it to the field from first and then rename it, but this is more direct.) Line 7 is a different way to deduplicate by bcSender and at the same time reduce the amount of data which needs to be sent back from indexers to the searchhead (if you have a distributed environment). Line 8 gets rid of all the fields we don't require. They would be problematic with the following format command. Line 9 passes the results back to the enclosing search in a way so it can be used as part of the search string. Line 10, of course, closes the innermost subsearch.

Now let's have a look at the outer subsearch. Line 3 selects the events from which we can get the messageID's. This is, of course, augmented by the enclosed subsearch we've just discussed. Line 11 again is a way to dedup the messageID's. Line 12 again limits things to the field we need. Line 13 passes the found messageID's to the outermost (main) search in such a way that they become part of the search string. Line 14, you already know, closes the subsearch.

Line 1 selects the data you are targeting and is augmented by what the subsearches pass to it.


I am attempting to use Splunk to search two log files that hold activity for two platforms of an application, "IOS" & "Android". The log file for each platform unfortunately uses a different identifier for login behavior. Currently each of my searches looks like the following (some filters are the same):

> index=I1 source=S1 sourcetype=ST1 host=H1 "searchCriteria1" earliest=-1hr latest=now | timechart span=5m count by host

> index=I2 source=S2 sourcetype=ST1 host=H1 "searchCriteria2" earliest=-1hr latest=now | timechart span=5m count by host

I would like to combine both searches into one. I would like to have the result displayed as follows: total, android and ios.