topic Re: subsearch not returning selected field values in Splunk Search

subsearch not returning selected field values

scc00 — Wed, 14 Jun 2017 14:57:40 GMT

I am trying to map a users activity once they've logged into a vdi session to when they log into a specific application. My search is as follows: I have tried using the return, fields + and join commands to make this work. Each search returns values individually but together I get nothing. Thoughts?

Searches:

Index=* user=xxx* computer=vdi* [search sourcetype=something user=user1 event=*"logged"* | fields + user, event] | eval hostname=coalesce(computer, host) | table _time, user, hostname, event |sort 0 -_time

Index=* user=xxx* computer=vdi* [search sourcetype=something user=user1 event=*"logged"* | return 100 user, event] | eval hostname=coalesce(computer, host) | table _time, user, hostname, event |sort 0 -_time

Index=* user=xxx* computer=vdi*| join user max=0 [search sourcetype=something user=user1 event=*"logged"* | fields + user, event] | eval hostname=coalesce(computer, host) | table _time, user, hostname, event |sort 0 -_time

updated to mark code

Re: subsearch not returning selected field values

gcusello — Tue, 29 Sep 2020 14:27:45 GMT

Hi scc00,
try something like this

Bye.
Giuseppe

Re: subsearch not returning selected field values

DalJeanis — Wed, 14 Jun 2017 15:57:37 GMT

This is your first query. The only thing I've changed is to switch from fields to table and then added dedup.

index=* user=xxx* computer=vdi* 
    [ search sourcetype=something user=user1 event="*logged*" 
    | table user, event | dedup user, event] 
| eval hostname=coalesce(computer, host) 
| table _time, user, hostname, event 
| sort 0 - _time

The table command eliminates all fields except the ones listed, whereas the fields command leaves some internal fields like _time, which after it goes through the implicit format command at the end of the subsearch (when it hits the close bracket ]), is going to mess with retrieving the records .

To see the difference, compare the output of these -

    sourcetype=something user=user1 event="*logged*" 
    | fields + user, event 
    | format 

    sourcetype=something user=user1 event="*logged*" 
    | table user, event 
    | format

Updated to include the asterisks that the interface had removed from OP's search

Re: subsearch not returning selected field values

scc00 — Wed, 14 Jun 2017 18:34:54 GMT

Thanks Giuseppe, so this only gives me one side of the data. I am trying to link user logins to user application activity. I am having some trouble bringing the two pieces together. Any thoughts around the best method to link the user login with the user application login?

Re: subsearch not returning selected field values

scc00 — Wed, 14 Jun 2017 18:39:59 GMT

Unfortunately, neither of these suggestion worked. I am trying to link user logins to user application activity. I am having some trouble bringing the two pieces together. Any thoughts around the best method to link the user login with the user application login? assuming the VDI login ID for the user may differ from the application user ID?

Re: subsearch not returning selected field values

DalJeanis — Thu, 15 Jun 2017 02:07:36 GMT

Okay, I marked your code as code, so the asterisks showed up. I updated my code to include them.

"Did not work" doesn't give us anything to go on. Please be very specific about what does or does not occur. Did the last two samples produce any results? Did the difference make sense to you?

Re: subsearch not returning selected field values

scc00 — Thu, 15 Jun 2017 13:02:22 GMT

My apologies. I meant the searches came back empty when I run each option you mentioned. If i separate the subsearch from the main search, it returns values but not together.

Re: subsearch not returning selected field values

scc00 — Thu, 15 Jun 2017 13:04:41 GMT

Additionally, when I use the join command shown below it only gives me the main search. I need it to do a comparison between the user in the subsearch and pull only corresponding results from the main search specific to that users activities. Sometimes the user may be different from the user within the subsearch.