topic Re: Adding search to a search in search string .... in Splunk Search

Adding search to a search in search string ....

bogdan_nicolesc — Wed, 16 Jan 2019 15:45:08 GMT

Hi all,

What i try to ask is if that i can add to this:

(index="bogdan")
| rename Date AS RootObject.Date
         access_permited AS RootObject.access_permited
         created_date AS RootObject.created_date
         date_access AS RootObject.date_access
         first_name AS RootObject.first_name
         hr_access AS RootObject.hr_access
         last_name AS RootObject.last_name
         min_access AS RootObject.min_access
         msecs AS RootObject.msecs
         qr_code AS RootObject.qr_code
         reader_id AS RootObject.reader_id
         sec_access AS RootObject.sec_access
| fields _time host source sourcetype "RootObject.Date" "RootObject.access_permited" "RootObject.created_date" "RootObject.date_access" "RootObject.first_name" "RootObject.hr_access" "RootObject.last_name" "RootObject.min_access" "RootObject.msecs" "RootObject.qr_code" "RootObject.reader_id" "RootObject.sec_access"
| stats dedup_splitvals=t count AS "Count of 1547566823.1090"
 BY RootObject.date_access, RootObject.hr_access, RootObject.min_access, RootObject.sec_access, RootObject.msecs, RootObject.first_name, RootObject.last_name
| sort limit=100000 RootObject.date_access
| fields - _span
| rename RootObject.date_access AS date_access
         RootObject.hr_access AS hr_access
         RootObject.min_access AS min_access
         RootObject.sec_access AS sec_access
         RootObject.msecs AS msecs
         RootObject.first_name AS first_name
         RootObject.last_name AS last_name
| fillnull "Count of 1547566823.1090"
| fields date_access, hr_access, min_access, sec_access, msecs, first_name, last_name, "Count of 1547566823.1090"
| strcat first_name " " last_name employee
| search employee="Bogdan Nicolescu"

An additional search like:

| search date_access="2019-01-15"

I've already tried, but, after a while is showing me a result, but after another while it stops showing something altogether.

Thank you.

Re: Adding search to a search in search string ....

renjith_nair — Fri, 18 Jan 2019 05:24:47 GMT

@bogdan_nicolescu , It's possible to add the search . Just to understand it better, what's the problem when you add the following to the end of the search

 | search employee="Bogdan Nicolescu" date_access="2019-01-15"

Re: Adding search to a search in search string ....

bogdan_nicolesc — Fri, 18 Jan 2019 17:14:52 GMT

Hi Renjith,

If i add that string to my search, i get no result.

BUT! if i do this:

(index="bogdan" Bogdan Nicolescu)  | rename Date AS RootObject.Date access_permited AS RootObject.access_permited created_date AS RootObject.created_date date_access AS RootObject.date_access first_name AS RootObject.first_name hr_access AS RootObject.hr_access last_name AS RootObject.last_name min_access AS RootObject.min_access msecs AS RootObject.msecs qr_code AS RootObject.qr_code reader_id AS RootObject.reader_id sec_access AS RootObject.sec_access | fields "_time" "host" "source" "sourcetype" "RootObject.Date" "RootObject.access_permited" "RootObject.created_date" "RootObject.date_access" "RootObject.first_name" "RootObject.hr_access" "RootObject.last_name" "RootObject.min_access" "RootObject.msecs" "RootObject.qr_code" "RootObject.reader_id" "RootObject.sec_access" | stats dedup_splitvals=t count AS "Count of 1547566823.1090"  by RootObject.date_access, RootObject.hr_access, RootObject.min_access, RootObject.sec_access, RootObject.msecs, RootObject.first_name, RootObject.last_name | sort limit=100000 RootObject.date_access | fields - _span  | rename RootObject.date_access AS date_access RootObject.hr_access AS hr_access RootObject.min_access AS min_access RootObject.sec_access AS sec_access RootObject.msecs AS msecs RootObject.first_name AS first_name RootObject.last_name AS last_name  | fillnull "Count of 1547566823.1090" | fields date_access, hr_access, min_access, sec_access, msecs, first_name, last_name, "Count of 1547566823.1090" | strcat first_name " " last_name employee | search date_access="2018-06-21"

I get what i was looking for.

Thank you for your time.

Re: Adding search to a search in search string ....

renjith_nair — Sat, 19 Jan 2019 07:53:24 GMT

@bogdan_nicolescu , is it possible that you dont have data for 2019-01-15 ? Do you see the data in the events when no filter is applied?

Re: Adding search to a search in search string ....

bogdan_nicolesc — Mon, 21 Jan 2019 07:58:12 GMT

My last message was to pint out if i use | search employee="Bogdan Nicolescu" date_access="2019-01-15" i don't get any result.

BUT! (bubble but) if i use: (index="bogdan" Bogdan Nicolescu) | (..........) | search date_access="2018-06-21" i get what i want.

SO! (like saw, not the movie saw, but just plain saw) in order to apply 2 searches, you need to put the very first variable NEXT to the | index="" | and then the last variable in the very last place.

Hope this makes (shades) crystal (or dimond) clear.

Re: Adding search to a search in search string ....

p_gurav — Mon, 21 Jan 2019 10:23:15 GMT

date_access is string or date field?

Re: Adding search to a search in search string ....

renjith_nair — Mon, 21 Jan 2019 10:45:46 GMT

Its crystal clear but both of your searches are not same. In the search where you get the results, you are not using the field name employee (or at least as mentioned in the text above) which makes a difference in how splunk gets the events for you. That's why it was asked whether you are able to see the data before the filter is applied (search=). For e.g. are you seeing the employee data if you do
"your search" | strcat first_name " " last_name employee | table employee ,date_access?

Re: Adding search to a search in search string ....

bogdan_nicolesc — Mon, 21 Jan 2019 12:13:25 GMT

Short answer, yes.

Re: Adding search to a search in search string ....

bogdan_nicolesc — Mon, 21 Jan 2019 12:13:48 GMT

Date field.

Re: Adding search to a search in search string ....

rvany — Mon, 21 Jan 2019 13:52:59 GMT

In general you could add as many search terms as you like - directly after the index=... or somewhere else in your search string (of course, where it makes sense).

First you should cleanup your SPL. You do a lot of renaming in the 2nd part just to rename all of the fields back to their original name later on.

Further down you have three fields commands - the first one containing your renamed fields and the last containing all your back-renamed fields.

It makes reading your SPL much easier if it only contains the necessary parts - even for you 😉

And at last: please stay consistent in your searches. If you get a result only using date_access=2018-06-21 you should use this exact date when adding some more search string like employee="Bodgan Nicolescu" date_access=2018-06-21. Otherwise your results are not comparable at all.

Re: Adding search to a search in search string ....

woodcock — Mon, 21 Jan 2019 21:48:24 GMT

I have no idea what you are trying to do but your existing search can be simplified to this:

index="bogdan"
| stats count AS "Count of 1547566823.1090" BY date_access hr_access min_access sec_access msecs first_name last_name
| sort 0 date_access
| strcat first_name " " last_name employee

You can then add stuff like:

| search employee="Bogdan Nicolescu"

Or:

| search employee="Bogdan Nicolescu" AND date_access="2019-01-15"

Note that in general, the | search ... stuff should be done at the top, but I assume that you have a base search that is being used to power several other searches, which is smart. If that's not what you are doing, you should move it to the top like this:

index="bogdan" AND first_name="Bogdan" AND last_name="Nicolescu"
| stats count AS "Count of 1547566823.1090" BY date_access hr_access min_access sec_access msecs first_name last_name
| sort 0 date_access

Re: Adding search to a search in search string ....

bogdan_nicolesc — Fri, 25 Jan 2019 12:06:59 GMT

Hi WoodCock,

Thank you very Much, worked like a charm.

Bogdan.