https://community.splunk.com/t5/Splunk-Search/Related-Fields/m-p/450945#M168281 <P>I did give some example events and which matches, but to clarify.. out of the above, only one event matches (the even with file_name cmd.exe)</P> <P>As a joined search I use the following:</P> <BLOCKQUOTE> <P>file_name=java.exe | join max=0 process_id [search file_name=cmd.exe | eval process_id=parent_process_id]</P> </BLOCKQUOTE> <P>it just seems to take too long as a join.</P> Tue, 29 Sep 2020 20:33:28 GMT spohara79 2020-09-29T20:33:28Z https://community.splunk.com/t5/Splunk-Search/Related-Fields/m-p/450941#M168277 <P>I have the following events:</P> <PRE><CODE>{ "file_name": "java.exe", "process_id": "0fb9dcff-c345-4d76-ae53-af46cd34524a", "command_line": "something", "parent_process_id": "c3df993f-7802-430a-9ef5-e018910aed4b" }, { "file_name": "other.exe", "process_id": "1451fd51-bbce-4c27-999a-ee514e09529f", "command_line": "some^thing", "parent_process_id": "0fb9dcff-c345-4d76-ae53-af46cd34524a" }, { "file_name": "cmd.exe", "process_id": "23a192cf-5f2d-4f42-a753-595b702a280b", "command_line": "some^thing", "parent_process_id": "0fb9dcff-c345-4d76-ae53-af46cd34524a" }, { "file_name": "blah.exe", "process_id": "16ffed00-1175-4554-b4a3-0ab45e8d691f", "command_line": "", "parent_process_id": "39a6cb9d-4dd7-4c44-9ffd-d8ee9561a1a3" } </CODE></PRE> <P>I'm trying to pull the events without a subsearch, where I'm looking for a process that has file_name=cmd.exe and a parent process with the file_name=java.exe; In the above events, you see java.exe has two child process (other.exe and cmd.exe) and then a completely unrelated process called 'blah.exe'. I'd like to just return cmd.exe (but only if the parent_process_id matches the process_id of another event with a file_name=java.exe) </P> Tue, 29 Sep 2020 20:32:46 GMT https://community.splunk.com/t5/Splunk-Search/Related-Fields/m-p/450941#M168277 spohara79 2020-09-29T20:32:46Z https://community.splunk.com/t5/Splunk-Search/Related-Fields/m-p/450942#M168278 <P>Give us some example events and show which ones match with which to get your result set. I don't get it.</P> Wed, 18 Jul 2018 15:48:39 GMT https://community.splunk.com/t5/Splunk-Search/Related-Fields/m-p/450942#M168278 woodcock 2018-07-18T15:48:39Z https://community.splunk.com/t5/Splunk-Search/Related-Fields/m-p/450943#M168279 <P>Hello @spohara,</P> <P>your question looks close to this one: <A href="https://answers.splunk.com/answers/671770/getting-results-from-multiple-searches-without-app.html">https://answers.splunk.com/answers/671770/getting-results-from-multiple-searches-without-app.html</A></P> <P>If you adapt the answer to your case, this will solve it.</P> Wed, 18 Jul 2018 15:54:08 GMT https://community.splunk.com/t5/Splunk-Search/Related-Fields/m-p/450943#M168279 poete 2018-07-18T15:54:08Z https://community.splunk.com/t5/Splunk-Search/Related-Fields/m-p/450944#M168280 <P>I don't get the expected result. It matches where all processes have a specific parent. A single process can have multiple children. I'm looking for a specific child process name.</P> Thu, 19 Jul 2018 21:43:32 GMT https://community.splunk.com/t5/Splunk-Search/Related-Fields/m-p/450944#M168280 spohara79 2018-07-19T21:43:32Z https://community.splunk.com/t5/Splunk-Search/Related-Fields/m-p/450945#M168281 <P>I did give some example events and which matches, but to clarify.. out of the above, only one event matches (the even with file_name cmd.exe)</P> <P>As a joined search I use the following:</P> <BLOCKQUOTE> <P>file_name=java.exe | join max=0 process_id [search file_name=cmd.exe | eval process_id=parent_process_id]</P> </BLOCKQUOTE> <P>it just seems to take too long as a join.</P> Tue, 29 Sep 2020 20:33:28 GMT https://community.splunk.com/t5/Splunk-Search/Related-Fields/m-p/450945#M168281 spohara79 2020-09-29T20:33:28Z