7/22/2023

Splunk base subsearch input

When a search contains a subsearch, the subsearch typically runs first.

Thanks cmerriman, I did see a similar answer in this forum, but I couldn't get it to work. A subsearch is a search within a primary, or outer, search.

| eval filename=if(isnull(filename),"Missing File!",filename)

The Splunk for Microsoft Windows add-on includes predefined inputs to. Splunk Enterprise Version 9.0.5 (latest release) Documentation Splunk Enterprise Admin Manual nf Download topic as PDF nf The following are the spec and example files for nf.

Use the subsearch two times should be a workaround, but if I want three or more, I believe there should be a solution. My base search which extracts filenames and the times that they arrived The append command is used to add the result of the subsearch to the bottom of the.

If not, is there another strategy that I could use to detect missing files? Is there a way to pass base search results to subsearches? I see that this question has been asked a few times in this forum, but none of the questions I viewed have accepted answers, and none of them were trying to use the same technique. However, it seems that the subsearches are unable to read my base search. (Please see a cut-down version of the code below.)

To make the dashboard more efficient, I'm trying to implement a base search to list the files from all sources, which I then want to pass to my subsearches - I have to use subsearches because of the makeresults which generates the full list of sequence numbers.

Occasionally a file gets lost in transit, so I have designed a dashboard with 20 panels (one for each source) to highlight missing files by doing a makeresults and then a streamstats to generate a list of sequence numbers, and then a join to a search which extracts the sequence numbers from the filenames received, and then any sequence numbers that are not 'joined' to a filename are flagged as missing files.
The filenames contain the source that we received the file from, and have a three digit sequence number as a suffix. We receive several hundred files per day from 20 different sources.