Hello, New to using base searches, and could not find the answer to my issue. I am trying to convert an Antivirus dashboard used by the desktop team to a base search, in hopes to improve performance and be less of a hit on the search heads. Dashboard takes data from two products, gives a near real time refresh of status. The issue I am experiencing is one of the panels is a graph for the desktop lead. By itself it's fine, the base search, then sub search misses one category, but when going to the search on that panel, the category is there in the chart. I am sure it's something simple I am missing. How to pass base search results to subsearch?

Here is what the dashboard panel looks like (the `search` on the `Status` field is the sub search):

```
index=sophos sourcetype="sophos:threats"
| regex FullFilePath!="eicar"
| regex FullFilePath!="pagefile.sys"
| eval _time=strptime(InsertedAt,"%Y-%m-%d %H:%M:%S.%N")
| rename user as User
| search (Status="Cleanable" OR Status="Not Cleanable" OR Status="Cleanup failed" OR Status="Threat type not cleanable")
| stats count by ActionTaken, Status, _time
| timechart span=1d count(Status) by ActionTaken
```

Using Job Inspector, the eventSearch field is filled like this:

search eval customer'client01' lookup usecases.csv customer OUTPUT customer usecasedatasource fields + usecasedatasource search. mymacro (client01) indexusecasedatasource.

Search: The field returned by the macro should fill the index field in the search.

The filenames contain the source that we received the file from, and have a three digit sequence number as a suffix. We receive several hundred files per day from 20 different sources.

A subsearch is a Splunk search that uses a search pipeline as the argument. Subsearches in Splunk are contained in square brackets and evaluated first.

Minimize the number of trips to the indexers. One of the best ways to minimize the number of trips to the indexers is to avoid using the join and append commands. Although these commands are widely used, they're not the most efficient. This is because both commands make use of a subsearch (the content between the square brackets).