topic Re: Trying to take a value from one search and place it in another search in Splunk Search

Trying to take a value from one search and place it in another search

aking76 — Thu, 03 Dec 2020 22:04:26 GMT

I have a search that runs with no issues-
ComputerName=CompName* (event_simpleName=*written* OR event_simpleName=DirectoryCreate OR event_simpleName=*CreateFile)
*.xls* OR *.csv
| rename FileName as WrittenFileName, FilePath as SourceFilePath, TargetFileName as DestinationFileName
| table _time, ComputerName, WrittenFileName, SourceFilePath, DestinationFileName, sourcetype, ContextProcessId_decimal,TargetProcessId_decimal

What I want to do is take the value from ContextProcessId_decimal and use it in a second search as the value for the field TargetProcessId_decimal.
event_simpleName=ProcessRollup2 OR event_simpleName=SyntheticProcessRollup2 TargetProcessId_decimal=ContextProcessid_decimal

I've tried doing a search within the first search like the following, but it errors out. I've spent a good hour or two and have been unable to figure this out. -_-

ComputerName=CompName* (event_simpleName=*written* OR event_simpleName=DirectoryCreate OR event_simpleName=*CreateFile)
*.xls* OR *.csv
| rename FileName as WrittenFileName, FilePath as SourceFilePath, TargetFileName as DestinationFileName
[|search event_simpleName=ProcessRollup2 OR event_simpleName=SyntheticProcessRollup2 TargetProcessId_decimal=ContextProcessid_decimal]
| table _time, ComputerName, WrittenFileName, SourceFilePath, DestinationFileName, sourcetype, ContextProcessId_decimal,TargetProcessId_decimal

If I leave the renames in it gives an error with that, if I take the rename out it finds no results. Any help would be greatly appreciated!!

Re: Trying to take a value from one search and place it in another search

bowesmana — Thu, 03 Dec 2020 22:21:53 GMT

@aking76

Subsearches run before the outer search, so there is no way to pass data from the outer search to the subsearch.

The way to do this would be to combine the searches, so you search for both data sets in the initial search

(ComputerName=CompName* (event_simpleName=*written* OR event_simpleName=DirectoryCreate OR event_simpleName=*CreateFile) *.xls* OR *.csv) OR (event_simpleName=ProcessRollup2 OR event_simpleName=SyntheticProcessRollup2)

and then with both data types in the stream do your processing

| rename FileName as WrittenFileName, FilePath as SourceFilePath, TargetFileName as DestinationFileName | table _time, ComputerName, WrittenFileName, SourceFilePath, DestinationFileName, sourcetype, ContextProcessId_decimal, TargetProcessId_decimal | stats values(*) as * by ContextProcessId_decimal | where ContextProcessId_decimal=TargetProcessId_decimal

This

Renames your fields and restricts the wanted fields
The aggregates all the values of data lines by the ContextProcessid_decimal field
and then performs the test you need

However, without knowing your data, it's not clear if that will work - is the process id field the common field between the two data sets?

Anyway, hopefully this gives you something to work with

Re: Trying to take a value from one search and place it in another search

aking76 — Fri, 04 Dec 2020 19:38:07 GMT

Thanks. I'm just waiting to get verification that the ContextProcessId_decimal does correlate to the TargetProcessID as I was originally told.
In the meantime, what if both searches have the same value. For instance, say they both have the ContextProcessId_decimal field. Can I rename the first and then compare and pull in the information similar to above?

Re: Trying to take a value from one search and place it in another search

bowesmana — Sun, 06 Dec 2020 23:00:19 GMT

If both processes have the ContextProcessId_decimal field then the stats values command will work and you won't need the where clause.