The following are examples for using the SPL2 search command. To learn more about the search command, see How the search command works.

1. This example shows field-value pair matching for specific values of source IP (src) and destination IP (dst).

2. This example shows field-value pair matching with boolean and comparison operators. This example searches for events with a code value of 10, 29, or 43, a host that is not "localhost", and an xqp value that is greater than 5.

| search (code=10 OR code=29 OR code=43) host!="localhost" xqp>5

An alternative is to use the IN operator, because you are specifying multiple field-value pairs on the same field.

3. This example shows field-value pair matching with wildcards. This example searches for events from all of the web servers that have an HTTP client error or server error status.

| search host=webserver* (status=4* OR status=5*)

An alternative is to use the IN operator, because you are specifying two field-value pairs on the same field.

| search host=webserver* status IN(4*, 5*)

4. This example shows how to use the IN operator to specify a list of field-value pair matchings. In the events from an access.log file, search the action field for the values addtocart or purchase.

| search sourcetype=access_combined_wcookie action IN (addtocart, purchase)

5. Searching with the boolean "NOT" comparison operator is not the same as using the "!=" comparison. Searching with NOT returns everything except fieldA="value2", including events in which fieldA is not present at all. Searching with != returns only events where fieldA exists and does not have the value "value2". If you use a wildcard for the value, NOT fieldA=* returns events where fieldA is null or undefined, and fieldA!=* never returns any events.

A subsearch is a search within a primary, or outer, search. When a search contains a subsearch, the subsearch typically runs first. Subsearches must be enclosed in square brackets in the primary search.

sourcetype=access_* status=200 action=purchase | stats count, dc(productId), values(productId) by clientip

The subsearch portion of the search is enclosed in square brackets. The first command in a subsearch must be a generating command, such as search, eventcount, inputlookup, and tstats. For a list of generating commands, see Command types in the Search Reference. One exception is the foreach command, which accepts a subsearch that does not begin with a generating command, such as eval.

When a search contains a subsearch, the Splunk software processes the subsearch first as a distinct search job. Then it runs the search that contains it as another search job. Keep this in mind if you include subsearches in searches that are run frequently and you are concerned about search concurrency issues or excess load on your search scheduler.

How subsearches work

A subsearch looks for a single piece of information that is then added as a criteria, or argument, to the primary search. You use a subsearch because the single piece of information that you are looking for is dynamic. For example, you want to return all of the events from the host that was the most active in the last hour. The host that was the most active might be different from hour to hour, so the single piece of information might change every time you run the subsearch. You need to identify the most active host before you can return the events from that host.

The most active host in the last hour

You could run two searches to obtain the list of events. The following search identifies the most active host in the last hour.

sourcetype=syslog earliest=-1h | top limit=1 host | fields host

Assume that the result is the host named crashy. To return all of the events from the host crashy, you need to run a second search. The drawback to running two searches is that you cannot set up reports and dashboard panels to run automatically. You must run the first search to identify the piece of information that you need, and then run the second search with that piece of information.

You can combine these two searches into one search that includes a subsearch. The subsearch is in square brackets and is run first. The subsearch in this example identifies the most active host in the last hour. The result of the subsearch is then provided as a criteria for the main search. The main search returns the events for the host.

Time ranges selected from the Time Range Picker apply to the base search and to subsearches. However, time ranges specified directly in the base search do not apply to subsearches. Likewise, a time range specified directly in a subsearch applies only to that subsearch.
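The following Python block is an added illustration, not Splunk code and not SPL from the original page. It models, over a handful of constructed in-memory events, the semantics described above: wildcard and IN field matching, why NOT fieldA=value and fieldA!=value differ when fieldA is missing, and a subsearch (the "most active host in the last hour") that runs first and whose single result becomes a host= criterion of the outer search. The function names, the event records and the fixed "current time" are all assumptions made for the example. It also shows the time-range caveat: earliest=-1h is scoped to the subsearch, so the outer search returns older events of the chosen host as well.

```python
"""Model of a few SPL search semantics on in-memory events (added example, not
Splunk code): wildcard/IN matching, NOT versus !=, and a subsearch whose single
result becomes a criterion of the outer search."""
from collections import Counter
from fnmatch import fnmatchcase

NOW = 1_700_000_000  # constructed "current time" in epoch seconds (assumption)

# Constructed sample events (assumption). The last access event has no fieldA,
# which is exactly the case where NOT and != disagree.
EVENTS = [
    {"_time": NOW - 600,  "sourcetype": "syslog", "host": "crashy", "msg": "oom"},
    {"_time": NOW - 900,  "sourcetype": "syslog", "host": "crashy", "msg": "oom"},
    {"_time": NOW - 1200, "sourcetype": "syslog", "host": "crashy", "msg": "panic"},
    {"_time": NOW - 1500, "sourcetype": "syslog", "host": "web01",  "msg": "up"},
    {"_time": NOW - 7200, "sourcetype": "syslog", "host": "web01",  "msg": "up"},    # older than 1h
    {"_time": NOW - 9000, "sourcetype": "syslog", "host": "crashy", "msg": "boot"},  # older than 1h
    {"_time": NOW - 30, "sourcetype": "access_combined_wcookie", "host": "webserver1",
     "status": "404", "action": "addtocart", "fieldA": "value1"},
    {"_time": NOW - 20, "sourcetype": "access_combined_wcookie", "host": "webserver2",
     "status": "503", "action": "purchase", "fieldA": "value2"},
    {"_time": NOW - 10, "sourcetype": "access_combined_wcookie", "host": "webserver2",
     "status": "200", "action": "view"},  # no fieldA at all
]


def field_eq(event, field, pattern):
    """field=value semantics: the field must exist and its value must match;
    '*' is a wildcard, so field=* is true whenever the field is present."""
    return field in event and fnmatchcase(str(event[field]), pattern)


def field_in(event, field, patterns):
    """field IN (a, b*) is shorthand for field=a OR field=b*."""
    return any(field_eq(event, field, p) for p in patterns)


def not_eq(event, field, pattern):
    """NOT field=value: boolean negation of the match, so events that have no
    such field are returned too."""
    return not field_eq(event, field, pattern)


def field_ne(event, field, pattern):
    """field!=value: the field must exist AND its value must not match, which
    is why field!=* can never be true."""
    return field in event and not fnmatchcase(str(event[field]), pattern)


def search(events, predicate):
    """Keep the events for which the search predicate holds."""
    return [e for e in events if predicate(e)]


def web_errors():
    """| search host=webserver* status IN(4*, 5*)"""
    return search(EVENTS, lambda e: field_eq(e, "host", "webserver*")
                  and field_in(e, "status", ["4*", "5*"]))


def not_vs_ne():
    """Result counts for NOT fieldA=value2 versus fieldA!=value2, and for the
    wildcard forms, over the access events only."""
    access = search(EVENTS, lambda e: field_eq(e, "sourcetype", "access_combined_wcookie"))
    return {
        "NOT fieldA=value2": len(search(access, lambda e: not_eq(e, "fieldA", "value2"))),
        "fieldA!=value2": len(search(access, lambda e: field_ne(e, "fieldA", "value2"))),
        "NOT fieldA=*": len(search(access, lambda e: not_eq(e, "fieldA", "*"))),
        "fieldA!=*": len(search(access, lambda e: field_ne(e, "fieldA", "*"))),
    }


def most_active_host_last_hour(events, now=NOW):
    """Subsearch: sourcetype=syslog earliest=-1h | top limit=1 host | fields host.
    The earliest=-1h time range applies to this subsearch only."""
    recent = search(events, lambda e: field_eq(e, "sourcetype", "syslog")
                    and e["_time"] >= now - 3600)
    counts = Counter(e["host"] for e in recent)
    return counts.most_common(1)[0][0]


def events_for_most_active_host(events, now=NOW):
    """Outer search: sourcetype=syslog [ subsearch ]. The subsearch runs first
    as its own job; its single result is substituted as host=<value> into the
    outer search, which has no time range of its own, so older events from
    that host are returned as well."""
    host = most_active_host_last_hour(events, now)
    return search(events, lambda e: field_eq(e, "sourcetype", "syslog")
                  and field_eq(e, "host", host))


if __name__ == "__main__":
    print(len(web_errors()), "web error events")
    print(not_vs_ne())
    print([e["msg"] for e in events_for_most_active_host(EVENTS)])
```

Run as-is: the web-error search matches the 404 and 503 events; NOT fieldA=value2 returns two access events (value1 and the event with no fieldA) while fieldA!=value2 returns only one; NOT fieldA=* returns the single event lacking fieldA and fieldA!=* returns nothing; the subsearch picks crashy (three syslog events in the last hour against one for web01) and the outer search then returns all four crashy events, including the boot event from well outside the hour.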