John
Reputation: 119
splunk map pass multiple values
I want to create an alert based on the following search:
- search string "a.string"
- extract field xx, yy
- then search "another.string" AND xx
- then extract field zz
- |table xx, yy, zz
Here is what I came up with (removed other fixed strings in the rex lines):
index=* "a.string"
| rex field=_raw "(?P<xx>\S+) (?P<yy>\S+)"
| map maxsearches=100 search="search index=* "another.string" AND $xx$
| rex field=_raw (?P<zz>\S+)"
| eval temp_xx=\"$xx$\"
| eval temp_yy=\"$yy$\""
| eval xx=temp_xx
| eval yy=temp_yy
| fields - temp_xx
| fields - temp_yy
| table xx, yy, zz
everything works well, including I got values for xx, zz in the final search result table.
Except, However in that final search result table yy is always empty.
I can see all the multiple values for xx, yy, zz when clicking "Events" tab on the Splunk webgui, so that means my both searches were successful.
But why I can't get the values for yy in the final search result table, and how to resolve?
Upvotes: 1
Views: 296
Answers (1)
warren
Reputation: 33453
You might try something like this (presuming you have a common field like hostname in each event):
index=ndx sourcetype=srctp ("a.string" OR "another.string")
| rex field=_raw "some text that exists in events with a.string (?<xx>\S+) (?<yy>\s+)"
| rex field=_raw "other text found with another.string (?<zz>\S+)"
| fields xx yy zz hostname
| stats values(*) as * by hostname
| where isnotnull(xx) AND isnotnull(zz)
Upvotes: 0
Related Questions
- Splunk search query to create a table from JSON search result
- Getting value from splunk search result to Email Alert Message
- Extracting fields from logs using rex
- Splunk - Split a field into multiple fields based on delimiters
- splunk date time difference
- Splunk rex: extracting repeating keys and values to a table
- Splunk Regex: Unable to extract data
- Splunk how to combine two queries and get one answer
- Splunk subsearch for regex outputs