A subsearch is a search within a primary, or outer, search. When a search contains a subsearch, the subsearch typically runs first. Subsearches must be enclosed in square brackets in the primary search.

sourcetype=access_* status=200 action=purchase | stats count, dc(productId), values(productId) by clientip

The subsearch portion of the search is enclosed in square brackets. The first command in a subsearch must be a generating command, such as search, eventcount, inputlookup, and tstats. For a list of generating commands, see Command types in the Search Reference. One exception is the foreach command, which accepts a subsearch that does not begin with a generating command, such as eval.

When a search contains a subsearch, the Splunk software processes the subsearch first as a distinct search job. Then it runs the search that contains it as another search job. Keep this in mind if you include subsearches in searches that are run frequently and you are concerned about search concurrency issues or excess load on your search scheduler.

How subsearches work

A subsearch looks for a single piece of information that is then added as a criterion, or argument, to the primary search. You use a subsearch because the single piece of information that you are looking for is dynamic. The single piece of information might change every time you run the subsearch.

For example, you want to return all of the events from the host that was the most active in the last hour. The host that was the most active might be different from hour to hour. You need to identify the most active host before you can return the events from that host.

You could run two searches to obtain the list of events. The following search identifies the most active host in the last hour.

sourcetype=syslog earliest=-1h | top limit=1 host | fields host

Assume that the result is the host named crashy. To return all of the events from the host crashy, you need to run a second search.
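The most-active-host scenario above can be modelled as two jobs run in sequence. This is an added example, not Splunk's code or part of the original page: the events are constructed, the function names are hypothetical, and the evaluation is a simplified model in which the subsearch rows are rendered as a `( ( host="..." ) )` filter that stands in for the bracketed text of the primary search.

```python
"""Simplified model of how a subsearch feeds the primary search (not Splunk code)."""
from collections import Counter

# Constructed sample events: (minutes ago, sourcetype, host, message).
EVENTS = [
    (5, "syslog", "crashy", "kernel: oom-killer invoked"),
    (12, "syslog", "crashy", "sshd: session opened"),
    (20, "syslog", "steady", "cron: job started"),
    (45, "syslog", "crashy", "kernel: segfault"),
    (50, "access_combined", "web01", "GET /index.html 200"),
    (70, "syslog", "steady", "cron: job started"),
    (90, "syslog", "steady", "cron: job finished"),
    (100, "syslog", "crashy", "sshd: session closed"),
    (110, "syslog", "steady", "ntpd: time sync"),
]

def run_subsearch(events, newest=0, oldest=60, limit=1):
    """Job 1, modelling `sourcetype=syslog earliest=-1h | top limit=1 host | fields host`."""
    counts = Counter(host for age, st, host, _ in events
                     if st == "syslog" and newest <= age < oldest)
    return [{"host": host} for host, _ in counts.most_common(limit)]

def as_search_terms(rows):
    """Render subsearch rows as the filter that replaces the bracketed text:
    fields ANDed within a row, rows ORed together."""
    groups = (" AND ".join(f'{k}="{v}"' for k, v in row.items()) for row in rows)
    return "( " + " OR ".join(f"( {g} )" for g in groups) + " )"

def run_primary(events, rows):
    """Job 2, modelling `sourcetype=syslog [ ...subsearch... ]` over all time."""
    # Assumption of this model: an empty subsearch result matches no events.
    def matches(host):
        return any(row["host"] == host for row in rows)
    return [e for e in events if e[1] == "syslog" and matches(e[2])]

if __name__ == "__main__":
    rows = run_subsearch(EVENTS)              # the dynamic value, found first
    print("subsearch expands to:", as_search_terms(rows))
    for event in run_primary(EVENTS, rows):   # then the outer search runs
        print(event)
    # An hour earlier the most active host, and so the filter, is different.
    print(as_search_terms(run_subsearch(EVENTS, newest=60, oldest=120)))
```

Because the filter is recomputed on every run, a scheduled search built this way costs two search jobs each time it fires, which is the concurrency concern the text raises.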