https://community.splunk.com/t5/Splunk-Search/Combining-Search-Results-By-Passing-Subsearch-Values/m-p/417571#M120152 <P>Hi,</P> <P>Essentially, I am trying to join 2 or 3 log entries together linking them by a yet to be determined value (session ID) where the field I am searching for is not in every entry I am looking for.</P> <P>Breakdown:</P> <P>One Log Entry (AuthRs)<BR /> - has sessionID that links the two entries<BR /> - has a field value that I know of beforehand (UID)<BR /> - has other field values that I need (status)</P> <P>Second Log Entry (One of 2 entries - either AuthRq or AuthRt - one of the two will exist)<BR /><BR /> - has the sessionID<BR /> - doesn't have UID<BR /> - has other field values I need (IP Address, UserAgent)</P> <P>Pseudo search:</P> <P>1 index=a sourcetype=a "AuthRs" UID=abc<BR /> 2 | table _time, UID, status, sessionID<BR /> 3 | join sessionID [ search sourcetype=a "AuthRq" OR "AuthRt" (need to pass sessionID from search here somehow) ]<BR /> 4 | table _time, UID, status, sessionID, IPAddress, useragent (final table of values I want)</P> <P>I've also tried a search like this:</P> <P>Pseudo search 2<BR /> index=a sourcetype=a (UID=123 AND "AuthRs") OR "AuthRs" OR "AuthRt"<BR /> | stats list(_time) list(UID) list(status) list(IPAddress) list(userAgent) by sessionID</P> <UL> <LI>issue with this search is that the AuthRs and AuthRt searches are too large without narrowing down..but cant narrow down until I identify the sessionID would be found amongst all the entries </LI> </UL> <P>I understand that subsearches are run first but not sure how to rewrite the search for the correct order . I have also heard </P> <P>The issue is that the line 1 search may identify multiple entries and i'd need to link all the events of search 1 to entries of search 2 by passing multiple session IDs if necessary. Without being able to pass the session ID, line 3 search conducts too many searches and drops results. </P> <P>Maybe I can do an initial search just for the session IDs and then </P> <P>If i'm not clear, please let me know and I can try and explain further.</P> Tue, 16 Apr 2019 20:31:33 GMT adamcoquim 2019-04-16T20:31:33Z https://community.splunk.com/t5/Splunk-Search/Combining-Search-Results-By-Passing-Subsearch-Values/m-p/417571#M120152 <P>Hi,</P> <P>Essentially, I am trying to join 2 or 3 log entries together linking them by a yet to be determined value (session ID) where the field I am searching for is not in every entry I am looking for.</P> <P>Breakdown:</P> <P>One Log Entry (AuthRs)<BR /> - has sessionID that links the two entries<BR /> - has a field value that I know of beforehand (UID)<BR /> - has other field values that I need (status)</P> <P>Second Log Entry (One of 2 entries - either AuthRq or AuthRt - one of the two will exist)<BR /><BR /> - has the sessionID<BR /> - doesn't have UID<BR /> - has other field values I need (IP Address, UserAgent)</P> <P>Pseudo search:</P> <P>1 index=a sourcetype=a "AuthRs" UID=abc<BR /> 2 | table _time, UID, status, sessionID<BR /> 3 | join sessionID [ search sourcetype=a "AuthRq" OR "AuthRt" (need to pass sessionID from search here somehow) ]<BR /> 4 | table _time, UID, status, sessionID, IPAddress, useragent (final table of values I want)</P> <P>I've also tried a search like this:</P> <P>Pseudo search 2<BR /> index=a sourcetype=a (UID=123 AND "AuthRs") OR "AuthRs" OR "AuthRt"<BR /> | stats list(_time) list(UID) list(status) list(IPAddress) list(userAgent) by sessionID</P> <UL> <LI>issue with this search is that the AuthRs and AuthRt searches are too large without narrowing down..but cant narrow down until I identify the sessionID would be found amongst all the entries </LI> </UL> <P>I understand that subsearches are run first but not sure how to rewrite the search for the correct order . I have also heard </P> <P>The issue is that the line 1 search may identify multiple entries and i'd need to link all the events of search 1 to entries of search 2 by passing multiple session IDs if necessary. Without being able to pass the session ID, line 3 search conducts too many searches and drops results. </P> <P>Maybe I can do an initial search just for the session IDs and then </P> <P>If i'm not clear, please let me know and I can try and explain further.</P> Tue, 16 Apr 2019 20:31:33 GMT https://community.splunk.com/t5/Splunk-Search/Combining-Search-Results-By-Passing-Subsearch-Values/m-p/417571#M120152 adamcoquim 2019-04-16T20:31:33Z https://community.splunk.com/t5/Splunk-Search/Combining-Search-Results-By-Passing-Subsearch-Values/m-p/417572#M120153 <P>I think I figured it out. I did end up searching for just the session IDs and passing them to the search </P> <P>Pseudo code:<BR /> index=a sourcetype=a "AuthRs" OR "AuthRs" OR "AuthRt"<BR /> [ search sourcetype=a "AuthRs" UID=123 | fields sessionID ] <BR /> | stats list(_time) list(UID) list(status) list(IPAddress) list(userAgent) by sessionID</P> Wed, 17 Apr 2019 13:11:36 GMT https://community.splunk.com/t5/Splunk-Search/Combining-Search-Results-By-Passing-Subsearch-Values/m-p/417572#M120153 adamcoquim 2019-04-17T13:11:36Z https://community.splunk.com/t5/Splunk-Search/Combining-Search-Results-By-Passing-Subsearch-Values/m-p/417573#M120154 <P>@adamcoquim If your problem is resolved, please accept the answer to help future readers.</P> Wed, 17 Apr 2019 13:18:04 GMT https://community.splunk.com/t5/Splunk-Search/Combining-Search-Results-By-Passing-Subsearch-Values/m-p/417573#M120154 richgalloway 2019-04-17T13:18:04Z