topic Re: Nested Search Query in Splunk Dev

Nested Search Query

kartiksha — Sun, 04 Jun 2017 19:38:39 GMT

Hi,

I need a way to merge these two queries to get a proper report with having to run them separately.

First Query to generate a list of IDs:
source="Source1" receiverAddress=test@test.com| dedup "attachments{}.UniqueID"|table "attachments{}.UniqueID"

Results (EX):
1e32fdc2-5519-4e3a-2233-88e49a21e663

Second Query to generate actual results:
source="Source2" UniqueID=1e32fdc2-5519-4e3a-2233-88e49a21e663 CreateEvent|dedup UniqueID| timechart span=1d count(UniqueID) as "Test"

Results (EX):
_time Test
2017-05-29 1

I tried to use Nested Query like:
source="Source2" [search source="Source1" receiverAddress=test@test.com| dedup "attachments{}.UniqueID"|table "attachments{}.UniqueID"] CreateEvent|dedup UniqueID| timechart span=1d count(UniqueID) as "Test"

But unfortunately it returns nothing. Is there something I'm doing incorrectly?

Thanks
Kartik Sharma

Re: Nested Search Query

DalJeanis — Sun, 04 Jun 2017 22:50:58 GMT

You basically had it, except for one thing. compare these two points...

 ...| table "attachments{}.UniqueID"  ]...

and

 ... UniqueID=1e32fdc2-5519-4e3a-2233-88e49a21e663 ...

If you rename the first fieldname to be the same as the second, then it should work. Test it first with head 1 to save on run time, as below...

index=foo source="Source2" 
    [ search index=bar source="Source1" receiverAddress=test@test.com 
    | dedup "attachments{}.UniqueID" 
    | rename "attachments{}.UniqueID" as UniqueID 
    | head 1 
    | table UniqueID]  
   CreateEvent
| dedup UniqueID
| timechart span=1d count(UniqueID) as "Test"

I'm not familiar with "CreateEvent" - if that is a macro, there should be a tickmark in front of it, and we would have to investigate the code to make sure it would work in that spot with with multiple records. If it is a fieldname, then CreateEvent=* would be more descriptive. If it is a literal, then quotes around it would be better practice.

if it is a macro, then get a second unique id and try this first -

source="Source2" (UniqueID=1e32fdc2-5519-4e3a-2233-88e49a21e663 OR UniqueID=SomeOtherIdThatIsThere) CreateEvent|dedup UniqueID| timechart span=1d count(UniqueID) as "Test"

Re: Nested Search Query

kartiksha — Mon, 05 Jun 2017 09:29:05 GMT

Hi,

It worked. Thanks for your support DalJeanis. I now need to work on more advanced dashboard so would come back if further queries.

Thanks
Kartik Sharma

Re: Nested Search Query

DalJeanis — Mon, 05 Jun 2017 12:59:32 GMT

Great!

So, for my curiosity and everybody's edification, what was CreateEvent?

Re: Nested Search Query

kartiksha — Mon, 05 Jun 2017 13:43:25 GMT

Ahhh... that please ignore. It was a dummy query and I just used one of the keyword from our logs 🙂