
#Splunk subsearch tutorials how to

If you are new to Splunk software, start here. The Search Tutorial guides you through adding data, searching, and creating simple dashboards. In the last few Parts of this tutorial, you learned the basics of searching using the Splunk software, how to use a subsearch, and how to add fields from lookup tables. Part 6 shows you how to save and share your searches and explores more detailed search examples.

splunkgeek, SUBSEARCH definition: 1) A subsearch is a search that is used to reduce the set of events from your result set. 2) The result of the subsearch is used as an argument to the primary or outer search.

Question: I wanted to use multi-search to coalesce the results of 4 different searches. The message format we chose uses a field called scope to control the level of aggregation you want (by request_type, site, zone, cluster). The scope is set with a dropdown and passed in as a token, so that if the scope was site, only the results from the site search would be shown.

Actual search:

    index=cloud_aws namespace=cloudship lambda=SCScloudshipStepFunctionStats metric_type=*_v0.3
    [search scope=site request_type="*" site="RTP" zone="*" cluster="*"
    | timechart cont=FALSE span=$span_token$ sum(success) by request_type

Search after token substitution with literal values:

    index=cloud_aws namespace=cloudship lambda=SCScloudshipStepFunctionStats metric_type=*_v0.3
    [search request_type="*" site="RTP" zone="*"
    | timechart cont=FALSE span=hour sum(success) by request_type

This query and the one above give the same result. BUT: when I execute each part of the multi-search separately, the results are correct. But when I run the whole query I get no filtering at all; the results of this query are equivalent to no search at all and I basically do not filter anything. I get empty results for all but the 'where "site" = "site"' search. What am I missing here? Help!

Answer: First, I think what you're looking for is the value of site to match request_type (in the initial multisearch search line), but what you're actually checking for in the where clause is whether the text "site" equals the text "request_type". Start by removing the second line of the multisearch (since comparing site to site will always be true), and using upper() and match():

    index=cloud_aws namespace=cloudship lambda=SCScloudshipStepFunctionStats metric_type=*_v0.3

Answer, on finding the transactions that contain failed nonces: The output of a subsearch is a valid search expression that will match an event when it matches all the fields of any of the rows of the subsearch. So, if your subsearch only emits a single field, nonce, then it will yield a search expression like:

    nonce=row1nonce OR nonce=row2nonce OR ...

The right way to do it is to first have the nonce extracted in your props.conf (this simplifies the rest), such as:

    EXTRACT-nonce-failure = Failed with nonce (?<nonce>\S+)
    EXTRACT-nonce-created = nonce created : (?<nonce>\S+)

You can then do a subsearch first for the failure nonces, and send that to the main search:

    sourcetype="log4j" source="*server*"
    | transaction thread startswith="startTx" endswith="closeTx"

What is more efficient, though, assuming that the nonce failure messages also reference the thread field, is to first isolate the failure threads, and then search for the transactions where they're there. That should give you a shortcut to a transaction that includes only the threads that have failed nonces. The reason why it's more efficient to limit what hits the transaction command is that transaction is very slow. One bit of minutia is that depending on the number of threads that are re-used, you might need to re-run the limiting search at the end.
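Added example, not code from any of the posts above: a small Python model of the subsearch semantics the last answer describes (the fields of one row are ANDed, rows are ORed, and the resulting expression filters the outer search) applied to constructed log4j-style events with the two nonce extractions, comparing the two approaches from that answer: sending the failing nonces to the outer search versus sending the failing threads. The field names nonce and thread and the startTx/closeTx markers are the posts' own; the event lines, their timestamps and the regex bodies are constructed assumptions for illustration.

```python
"""Model of Splunk subsearch expansion and of pre-filtering before `transaction`.
Added example; the events below are constructed, not taken from any real log."""
import re

# Constructed log4j-style events. Assumption: `thread` is already an extracted field.
SAMPLE_EVENTS = [
    {"_time": 1, "thread": "t1", "_raw": "startTx"},
    {"_time": 2, "thread": "t1", "_raw": "nonce created : abc123"},
    {"_time": 3, "thread": "t2", "_raw": "startTx"},
    {"_time": 4, "thread": "t2", "_raw": "nonce created : def456"},
    {"_time": 5, "thread": "t1", "_raw": "Failed with nonce abc123"},
    {"_time": 6, "thread": "t1", "_raw": "closeTx"},
    {"_time": 7, "thread": "t2", "_raw": "closeTx"},
]

# Stand-ins for the EXTRACT-nonce-* stanzas: named groups become fields at search time.
EXTRACTIONS = [
    re.compile(r"Failed with nonce (?P<nonce>\S+)"),
    re.compile(r"nonce created : (?P<nonce>\S+)"),
]


def extract(event):
    """Apply the search-time extractions and return the enriched event."""
    out = dict(event)
    for rx in EXTRACTIONS:
        m = rx.search(event["_raw"])
        if m:
            out.update(m.groupdict())
    return out


def subsearch_expression(rows):
    """Render subsearch rows the way Splunk does: the fields of one row are
    ANDed, rows are ORed. Internal fields (leading underscore) are skipped."""
    clauses = []
    for row in rows:
        terms = [f'{k}="{v}"' for k, v in sorted(row.items()) if not k.startswith("_")]
        if terms:
            clauses.append("(" + " AND ".join(terms) + ")")
    return " OR ".join(clauses)


def match_rows(event, rows):
    """Evaluate that expression against one event: any row whose fields all match."""
    return any(
        all(event.get(k) == v for k, v in row.items() if not k.startswith("_"))
        for row in rows
    )


def transaction(events, key, startswith, endswith):
    """Group events per `key` between a start marker and an end marker
    (a simplified `| transaction key startswith=... endswith=...`)."""
    open_tx, closed = {}, []
    for ev in sorted(events, key=lambda e: e["_time"]):
        k = ev[key]
        if startswith in ev["_raw"]:
            open_tx[k] = [ev]
        elif k in open_tx:
            open_tx[k].append(ev)
            if endswith in ev["_raw"]:
                closed.append(open_tx.pop(k))
    return closed


def failed_nonce_transactions(events, limit_by):
    """limit_by="nonce": subsearch emits the failing nonces (first approach).
    limit_by="thread": subsearch emits the failing threads (second approach).
    Returns (expanded expression, events that reach transaction, transactions)."""
    enriched = [extract(e) for e in events]
    failures = [e for e in enriched if "Failed with nonce" in e["_raw"]]
    rows = [{limit_by: e[limit_by]} for e in failures]   # like `| fields nonce` / `| fields thread`
    limited = [e for e in enriched if match_rows(e, rows)]
    txs = transaction(limited, "thread", "startTx", "closeTx")
    return subsearch_expression(rows), len(limited), txs


if __name__ == "__main__":
    for mode in ("nonce", "thread"):
        expr, n, txs = failed_nonce_transactions(SAMPLE_EVENTS, mode)
        print(f"limit by {mode}: outer search gets {expr!r}, {n} events, {len(txs)} transactions")
```

Run stand-alone, it shows why the answer prefers limiting by thread: the nonce-only subsearch expands to `(nonce="abc123")`, which keeps 2 events and yields no transaction, because the startTx and closeTx lines carry no nonce field and are dropped before `transaction` ever sees them, while the thread subsearch expands to `(thread="t1")`, keeps 4 events and yields the one complete transaction for t1.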
