topic Add events mid search in Splunk Search

Add events mid search

Bulluk — Fri, 17 Feb 2012 11:56:42 GMT

Is it possible to recover events that I've filtered out in a search, ie (and I know this is a daft example but it's good for simplicity):

sourcetype=MySource | search events older that 10 days | do some stuff with those old event | bring back all the events from sourcetype=MySource | do some stuff with all the events

thanks in advance

Re: Add events mid search

Bulluk — Fri, 17 Feb 2012 12:00:44 GMT

The above is the short version to a longer problem. I have a HiddenSearch which passes events to HiddenPostProceses further down the page. This works for all searches except one where the first search contains useful information but filters out events that I need in the second search. I'm trying to avoid using a whole new search as I want all searches to inherit from a timerange picker that's associated with the initial HiddenSearch

Re: Add events mid search

Drainy — Fri, 17 Feb 2012 12:03:00 GMT

What are you trying to do?

I ask because if you just bring back all the original events then surely you won't have anything useful from doing the initial filtering? I suppose if you threw some eval magic in to create new fields it might be worth something.
Anyway I guess you could do this;

sourcetype=bob | where something=that | append [search sourcetype=bob]

will bring back all your original events and append to your current result set

Re: Add events mid search

Drainy — Fri, 17 Feb 2012 12:03:49 GMT

Best practice is to do as wide a search as possible and then keep all filtering actions to the postprocess

Re: Add events mid search

Bulluk — Mon, 28 Sep 2020 11:25:00 GMT

It's a bit tricky to explain in the number of characters I have to type in. I'm working with iis logs. At the top of the page a user can enter a url. The initial search performs a few rex searches to extract and populate variables for the uri_stem and uri_query. I then perform a where search to filter results to just events that match the url that the user entered. this is passed to the PostProcess searches to make some simple graphs with. My problem search was discussed here http://splunk-base.splunk.com/answers/37766/transaction-with-mvexpand. Unfortunately _serial is always null despite....

Re: Add events mid search

Bulluk — Mon, 28 Sep 2020 11:25:03 GMT

transactions being displayed if I only search on:

eval etime=_time | fields cs_username cs_uri_stem etime | transaction cs_username

So my work around was to simply restart from the beginning but then use the variables from the first search to filter the results of the second.

I've just tried using append to add soourcetype=iis back in but I get no results at all....

Re: Add events mid search

Drainy — Fri, 17 Feb 2012 12:54:34 GMT

Interesting, I might be missing something. You did it using the synax | append [search sourcetype=iis] ? If you run that search and go to the search inspector (if its pre 4.3 its in actions and inspect search job) does it have any counts listed for the command.append component?

Re: Add events mid search

Bulluk — Fri, 17 Feb 2012 13:18:31 GMT

if I put

stats count

into the postProcess search I get a value, if I put

append [search sourcetype=iis] | stats count

the chart is completely blank. I've had a look at the job (I'm on v4.2.4) and I get the following error (I'm running with an admin account)

SearchException: Search operation 'subsearch' is unknown. You might not have permission to run this operation.

Re: Add events mid search

Bulluk — Fri, 17 Feb 2012 13:20:28 GMT

Incidentally, append works fine via the search app's gui. My filtered search piped to stats count returns ~500 events, with append it returns ~40000. The problem seems to be running subsearchs in a postprocess

Re: Add events mid search

Bulluk — Fri, 17 Feb 2012 13:34:18 GMT

Stranger still, despite getting the error above the number of events returned in the job monitor suggests that the append statement is working as it shows ~40000 events

Re: Add events mid search

Bulluk — Fri, 17 Feb 2012 13:47:50 GMT

I feel like a total muppet!

For some reason my search spawns 3 subsearches in the jobs view. The panel on my dashboard stays blank until all 3 have completed their work. Basically I was being impatient, if I leave it for a minute (I'm on a dev box so it takes a while) the result pops up.

I'll be giving the points to Draineh as the append command was the answer I was looking for.

Thanks!

Re: Add events mid search

Drainy — Fri, 17 Feb 2012 14:47:03 GMT

Glad you've got it working now! 🙂