Splunk: join two queries based on the result of the first query - splunk

In Splunk I have two queries like below:
Query 1: index=mysearchstring1
Result: employid=123
Query 2: index=mysearchstring2
Here I want to use employid=123 in query 2 to look up and return the final result.
Is it possible in Splunk?

It sounds like you're looking for a subsearch.
index=mysearchstring2 [ search index=mysearchstring1 | fields employid | format ]
Splunk will run the subsearch first and extract only the employid field. The results will be formatted into something like (employid=123 OR employid=456 OR ...) and that string will be appended to the main search before it runs.

Related

Splunk Query to get comma separated value as single value

In our logs we have a value "device=xyz,1". Here we need to treat "xyz,1" as a single value and display it in a table. But currently, when we run a query, it just displays the device value as "xyz" and misses the ",1". How can we treat it as a single value?
Query example: ....|eval device = if(isnull(device), "notFound", device) | table device
From the above query:
Expectation:
Table should have column name as device and value should be "xyz,1"
What is actually happening:
Table has column name as device but value is "xyz"
I have tried mvjoin but it's not helping.
Please suggest a solution
You may need to custom-extract the value (until you can get the sourcetype's props.conf and transforms.conf updated).
Something like this should work:
<search>
| rex field=_raw "device=(?<device>\S+)"
<rest of search>

BigQuery UNNEST and JOIN the result from a remote function search function using user query from datastudio

I am trying to implement a custom text search in a Looker Studio (formerly Data Studio) dashboard using a custom SQL query as the data source and a parameter which will be a sentence to search on.
The sentence will be passed to a BQ remote function, and the cloud function will return matching results.
So far I have mocked the cloud function to return a string of matching IDs, as the BQ remote function expects the result length to match the call length:
'{"replies":["ID1,ID2,ID3"]}'
I have tried the following to get the results back initially:
#standardSQL
WITH query AS(SELECT "test sentence query" AS user_query)
SELECT
S.Description,
SPLIT(`data`.search_function(user_query)) as ID
FROM query
LEFT JOIN `data.record_info` AS S
ON ID = S.ID
The SPLIT IDs come out in one row (when I run the query without the LEFT JOIN). In addition, I can't seem to get them unnested and the Description column pulled in; I get the error:
Expecting 14552 results but got back 1
Is this method of search in datastudio going to be possible?
Posting this here in case anyone else needs a solution to this problem
WITH Query AS(SELECT "test sentence query" AS user_query)
SELECT
S.Description,
ID
FROM
Query,
UNNEST(SPLIT(`data`.search_function(user_query))) as ID
LEFT JOIN `data.record_info` AS S
ON ID = S.ID
The main difference here is the need for the inclusion of the UNNEST function since SPLIT won't separate the input into multiple rows, even if it appears to do so.

How to combine rows in BigQuery that share a similar name

I'm having trouble creating a query that'll group together responses from multiple rows that share a similar name and count the specific response records in them.
The data table I currently have looks like this:
test_control   values
test           selected
control        selected
test us        not selected
control us     selected
test mom       not selected
control mom    selected
What I'd like is an output like the below that only counts the number of "selected" responses and groups together the rows that have either "control" or "test" in the name:
test_control   values
test           3
control        1
The query I have below is wrong as it doesn't give me any output. The GROUP BY section is where I'm lost, as I'm not sure how to do this. I tried to Google it but couldn't seem to find anything. Appreciate any help in advance!
SELECT distinct(test_control), values FROM `total_union`
where test_control="%test%" and values="selected"
group by test_control, values
Use below:
SELECT
  REGEXP_EXTRACT(test_control, r'^(test|control)') AS test_control,
  COUNTIF(values = 'selected') AS values
FROM `total_union`
GROUP BY 1
As mentioned by @Mikhail Berlyant, you can use REGEXP_EXTRACT to match the expression and COUNTIF to get the count of rows matching the given condition. Try the code below to get the expected output:
Code
SELECT
REGEXP_EXTRACT(test_control, r'^(test|control)') AS test_control,
COUNTIF(values = "selected") AS values
FROM `project.dataset.testvalues`
group by 1

Can you use results from 2 sql queries and perform calculations

I have a requirement to calculate a number by using the results of two SQL queries. I know this is possible in Python etc., but if I want to use the results of SQL queries in, say, Apache Superset, how can I achieve this?
For ex:
query1: select * from consumer;
result: 190 rows
query2: select * from producer;
result: 230 rows
The value I need, called output: 190/230.
Is this possible using sub queries? How can I extract the output alone?
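The thread has no answer, so here is an added example (not from the original post) showing how to do this with scalar subqueries in a single statement, which is what a SQL-only tool such as Superset needs. It assumes the two tables are named consumer and producer as in the question; the CAST-free `* 1.0` and the NULLIF guard are there because integer division truncates 190/230 to 0 on some engines (PostgreSQL, SQL Server) and dividing by an empty producer table would otherwise raise an error.

```sql
-- Added example: derive both row counts as scalar subqueries and divide them.
-- Assumes tables `consumer` and `producer` exist in the database the
-- SQL tool is connected to (names taken from the question).
SELECT
  consumers,
  producers,
  -- `* 1.0` forces non-integer division (otherwise 190/230 = 0 on engines that
  -- truncate); NULLIF turns a zero producer count into NULL instead of an error.
  consumers * 1.0 / NULLIF(producers, 0) AS output
FROM (
  SELECT
    (SELECT COUNT(*) FROM consumer) AS consumers,
    (SELECT COUNT(*) FROM producer) AS producers
) AS counts;
```

With the counts from the question (190 and 230) the output column is about 0.826. The derived table alias (`AS counts`) is required by MySQL and harmless elsewhere; on BigQuery you can replace the division with SAFE_DIVIDE(consumers, producers), which already returns NULL on a zero divisor.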

GCP Bigquery - query empty values from a record type value

I'm trying to query all resources that has empty records on a specific column but I'm unable to make it work. Here's the query that I'm using:
SELECT
service.description,
project.labels,
cost AS cost
FROM
`xxxxxx.xxxxx.xxxx.xxxx`
WHERE
service.description = 'BigQuery' ;
Here's the results:
As you can see, I'm getting everything with that query, but as mentioned, I'm looking to get resources with empty records only, for example records 229, 230 and so on.
Worth mentioning that the schema for the column I'm trying to query is:
project.labels RECORD REPEATED
I mention the above because I tried several combinations of WHERE but everything ends up in an error.
To identify an empty repeated record, you can use ARRAY_LENGTH in the WHERE clause, as in the example below:
WHERE ARRAY_LENGTH(project.labels) = 0