Reputation: 31
How to add multiple queries in one search in Splunk
Need your assistance to add below queries in one query .. First Query:-
(index=abc OR index=def AND index!=ghi AND index!=jkl AND index!=mno AND index!=pqr)
| eval result=case(blocked=="0","Total Detection",blocked=="1","Total Blocked",blocked=="2","Would have Dropped",RuleAction=="Allow","Total Detection",RuleAction=="Block","Total Blocked")
| stats count by result
Second Query :-
index=abc AND Category=* AND index!=ghi AND index!=jkl AND index!=mno AND index!=pqr
| eval result=case(blocked=="0","Allowed",blocked=="1","Blocked",blocked=="2","Would have Dropped",RuleAction=="Allow","Allowed",RuleAction=="Block","Blocked")
| chart count by index, result usenull=f | append [search ( index=def AND index!=ghi AND index!=jkl AND index!=mno AND index!=pqr)
| eval result=case(blocked=="0","Allowed",blocked=="1","Blocked",blocked=="2","Would have Dropped",RuleAction=="Allow","Allowed",RuleAction=="Block","Blocked")
| chart count by index, result usenull=f]
Upvotes: 0
Views: 5218
Answers (1)
Reputation: 33435
First, since index=... is unique, there is not reason to add the index!=... clauses. Data in Splunk can only exist in a single index (with a single sourcetype).
So your first SPL should read:
(index=abc OR index=def) (blocked=* OR RuleAction=*)
| eval result=case(blocked=="0","Total Detection",blocked=="1","Total Blocked",blocked=="2","Would have Dropped",RuleAction=="Allow","Total Detection",RuleAction=="Block","Total Blocked")
| stats count by result
You second SPL should read:
index=abc Category=* (blocked=* OR RuleAction=*)
| eval result=case(blocked=="0","Allowed",blocked=="1","Blocked",blocked=="2","Would have Dropped",RuleAction=="Allow","Allowed",RuleAction=="Block","Blocked")
note: | chart count by index, result usenull=f is only going to list abc for your index, since that's the only place data is coming from ... probably not an especially useful chart command here :)
| append
[ search index=def (blocked=* OR RuleAction=*)
| eval result=case(blocked=="0","Allowed",blocked=="1","Blocked",blocked=="2","Would have Dropped",RuleAction=="Allow","Allowed",RuleAction=="Block","Blocked")
]
But why do the evals in the second SPL, since they're instantly being thrown away by chart?
This would be much simpler:
((index=abc Category=*) OR index=def) (blocked=* OR RuleAction=*)
| chart count by index, result usenull=f
But what are you actually trying to accomplish with the theoretical SPL?
As it stands ... you're going to get a two-item chart indicating counts from two indices.
Upvotes: 1
Related Questions
- how do i pass a result from one search into IN clause of another search in splunk?
- SPLUNK use result from first search in second search
- Splunk how to display multiple stats queries in table?
- Splunk search query syntax?
- Adding multiple expressions to single searchmatch in splunk query
- How to simplify Splunk search with duplicated query statements
- How to do compound query with where clause in Splunk?
- In splunk How to apply Multiple filter on splunk
- How to append two queries in splunk?
- How to combine two queries in Splunk?