Your description is somewhat vague to me, but I think I understand the overall gist of what you are wanting to do, and I'm thinking you may want to take a look at a couple of Splunk features (links provided below) to see if one of them works for you.

As mentioned already (in the answer above), the first feature is called sub-search and is used when you want to search your data to get back some preliminary results that you intend to include (pass into) an outer search, essentially. See this page in our online doc on how the sub-search feature works:

The second feature is merely piping to a search command again to further filter down the results obtained from a previous search, i.e.

search for parent1 and child1 | search child1>5 | ...

essentially applying one or more additional conditions AFTER your search results are returned. See this page for more details on the search command:

A third feature you could try is using the stats command with a list function, such that you group your child1.n to your single parent1, like this maybe:

Some search terms here to get parent1 and child1.n | stats list(child) by parent

See this page for detail on using the stats command and its functions:

Finally, if all these options fail to get you what you want, you can always create your own custom command to process your search results the way you intend, similar to this:

Search to get parent1 and child1.n | mynewsearch | stats values(child) by parent

See these links for details on creating your own custom search command:

I'm not 100% sure I understand what you are trying to accomplish exactly, but there are a few ways to attach different searches together. If you would post an example or two of each of your parent and child events, then a more specific example search could be provided. (Click "edit" under your question and add your examples to your question that way.)
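The following is an added example, not code from the original thread or from Splunk. It models, in plain Python, the first three approaches the answer above describes (a sub-search feeding an outer search, a chained `| search` filter, and `| stats list()` / `| stats values()` grouping) over a handful of constructed events, so the differences between them can be seen offline. The field names `parent` and `child` are taken from the answer's own searches; the sample events, the numeric `child` values and the thresholds 5 and 10 are assumptions made up for the example.

```python
"""Plain-Python model of the SPL pipelines discussed in the answer above.

Added example, not code from the original thread or from Splunk. The events
below are constructed; the field names `parent` and `child` come from the
answer's own searches, the numeric values and thresholds are assumptions.
"""
from collections import defaultdict
import operator

# Constructed sample events, one dict per Splunk event after field extraction.
SAMPLE_EVENTS = [
    {"parent": "parent1", "child": 3},
    {"parent": "parent1", "child": 7},
    {"parent": "parent1", "child": 7},   # deliberate duplicate value
    {"parent": "parent1", "child": 12},
    {"parent": "parent2", "child": 9},
    {"parent": "parent2", "child": 1},
]

# Comparison operators SPL accepts in a `search` predicate such as `child>5`.
_OPS = {
    ">": operator.gt, ">=": operator.ge, "<": operator.lt,
    "<=": operator.le, "=": operator.eq, "!=": operator.ne,
}


def search_filter(events, field, op, value):
    """Model of `... | search <field><op><value>`: applies one more condition
    to results already returned by the previous search."""
    cmp = _OPS[op]
    return [e for e in events if field in e and cmp(e[field], value)]


def subsearch(outer_events, inner_events, field):
    """Model of `... [ search ... | fields <field> ]`: the inner search runs
    first, its distinct <field> values are OR-ed together, and that expression
    restricts the outer search. Splunk caps the inner result set (10,000 rows
    and 60 seconds by default, limits.conf [subsearch]); this model does not
    reproduce that truncation."""
    wanted = {e[field] for e in inner_events if field in e}
    return [e for e in outer_events if e.get(field) in wanted]


def stats_list_by(events, field, by):
    """Model of `| stats list(<field>) by <by>`: every value in arrival order,
    duplicates included."""
    out = defaultdict(list)
    for e in events:
        if by in e and field in e:
            out[e[by]].append(e[field])
    return dict(out)


def stats_values_by(events, field, by):
    """Model of `| stats values(<field>) by <by>`: distinct values only, and
    Splunk orders them lexicographically as strings, so 12 sorts before 3."""
    out = defaultdict(set)
    for e in events:
        if by in e and field in e:
            out[e[by]].add(e[field])
    return {k: sorted(v, key=str) for k, v in out.items()}


def run_pipelines(events=SAMPLE_EVENTS):
    """Runs the three approaches from the answer over the sample events."""
    # Feature 2: search ... | search child>5
    filtered = search_filter(events, "child", ">", 5)
    # Feature 1: the sub-search finds parents with at least one child above
    # 10, and the outer search is restricted to those parents.
    inner = search_filter(events, "child", ">", 10)
    restricted = subsearch(events, inner, "parent")
    # Feature 3: group child values under their parent, two ways.
    return {
        "filtered": filtered,
        "restricted": restricted,
        "list": stats_list_by(events, "child", "parent"),
        "values": stats_values_by(events, "child", "parent"),
    }


if __name__ == "__main__":
    for name, result in run_pipelines().items():
        print(f"{name}: {result}")
```

The point worth noticing is the `list` versus `values` output for parent1: `list()` keeps `[3, 7, 7, 12]` as the events arrived, while `values()` returns `[12, 3, 7]` because Splunk de-duplicates and sorts the multivalue as strings, which matters if the child values are later compared numerically. The sub-search limits noted in the `subsearch` docstring are the other caveat: a large inner result set is silently cut off, so a real pipeline built on that approach should check the job's messages for the truncation warning.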