Well if you're trying to get field values out of Search A index=a sourcetype=sta, and you want to use the field values in there to run another search B, and A might run into the millions of rows, then you can't use a subsearch.

I do however think you have your subsearch syntax backwards. The "first" search Splunk runs is always the inner one, and if I'm reading your question right that would be the index=a sourcetype=sta search. Therefore I think your hypothetical subsearch would look like: index=b sourcetype=stb table empID empAddress]

But again, the inner search will get truncated at 50,000 rows as you say, so you can't use subsearches, join, append, etc.

1) Just get all the events and let stats sort them out.

(index=b sourcetype=stb empAddress=* empID=*) OR (index=a sourcetype=sta employeeID=*) | eval empID=if(isnotnull(employeeID),employeeID,empID) | stats values(empAddress) by empID

2) If the search above seems too slow (because it gets many events off disk), then just run it once, or maybe once a day/week, to put the employeeID to empAddress mapping in a file based lookup. Basic idea is same as #1, except you tack something like | outputlookup employeeAddresses on the end. Then you'll be able to run very efficient lookups to go from ID to address for your searches going forward.

Use the case function to assign a number to each unique value and.
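As an added example (not part of the original answer), here is option #2 written out end to end: the first search builds the ID-to-address mapping with stats and writes it to a CSV lookup, and the second search enriches the index=a events from that lookup instead of running a subsearch. The lookup file name employeeAddresses.csv, the use of coalesce in place of the if/isnotnull expression, and the renaming of employeeID to empID are assumptions made here, not something the answer specifies. Because the mapping is only as fresh as the last time the first search ran, schedule it (daily, or at whatever cadence the addresses actually change) so that detections built on the second search are not matching against a stale lookup; unlike a subsearch, this path has no 50,000-row truncation, so every empID seen in index=b ends up in the file.

```spl
(index=b sourcetype=stb empAddress=* empID=*) OR (index=a sourcetype=sta employeeID=*)
| eval empID=coalesce(empID, employeeID)
| stats values(empAddress) AS empAddress BY empID
| outputlookup employeeAddresses.csv

index=a sourcetype=sta employeeID=*
| lookup employeeAddresses.csv empID AS employeeID OUTPUT empAddress
| table _time employeeID empAddress
```

The lookup command's AS clause maps the lookup column empID onto the event field employeeID, so the index=a events never need to be renamed; events whose employeeID is absent from the CSV simply get no empAddress, which is easy to spot with a trailing | where isnull(empAddress) if you want to audit coverage of the mapping.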