topic Re: How to search a splunk search result? in Splunk Search

How to search a splunk search result?

pavanae — Wed, 30 Mar 2022 03:39:45 GMT

I have a macro named X that uses the lookup in the search and produces the results as follows

indexes index IN ("ABC","DEF")

where as indexes is column name

Now I want to use the macro X result (index IN ("ABC","DEF")) in a separate search as follows

my_search | where `X` which should execute as below my_search | where index IN ("ABC","DEF")

Now how can I achieve that?

Re: How to search a splunk search result?

gcusello — Wed, 30 Mar 2022 07:01:22 GMT

Hi @pavanae,

let me understand:

you have a lookup containing a list of indexes,
you want to use this list of indexes in a search,
you whould use a macro,

is it correct?

At first, if you have a macro, you don't need to use a lookup, in your macro, you could insert the list of indexes to search, also because I suppose that they aren't so many, otherwise I hint to re-design your indexes structure!

This is e.g. the approach of Enterprise Security DataModels: in each datamodel there's a macro called "datamodel_name_indexes" and in this macro there a command like your:

index IN (index1, index2)

But, anyway, if you would use a lookup, you don't need a macro, you could use a subsearch:

your_search [ | inputlookup indexes.csv | fields index ] | ...

At least, if you want to use in any case a macro, you could create a macro containing the above subsearch and use the macro in your search.

Ciao.

Giuseppe

Re: How to search a splunk search result?

pavanae — Thu, 31 Mar 2022 02:37:29 GMT

Thanks @gcusello for the quick response. Apologies for the confusion. To your question :- No, My macro contains nothing but the lookup and some filtering which produces the results as follows

indexes index IN ("ABC","DEF")

Now I wanted to use the macro's results as a subsearch. Now, I cannot use the lookup directly as I have too many indexes. All I wanted to take into account for the subsearch is just as below

index IN ("ABC","DEF")

but for now as I have a column name as indexes I am getting the subsearch as below which ending up with an error

indexes=index IN ("ABC","DEF")

Now, is there any way to tweak my subsearch or macro take the below into account which will work?

index IN ("ABC","DEF")

Where as my full search would be something like below after expanding the macro

My_Search | where index IN ("ABC","DEF")

Re: How to search a splunk search result?

PickleRick — Thu, 31 Mar 2022 04:18:53 GMT

You have three issues here.

One is a macro. Macro is a relatively simple string substitution. It's being evaluated before running the search so you expand it in search bar with some key combination (ctrl-shift-e?)

Second one is the contents of this macro which can be anything - even something syntactically incorrect - in such case the macro would get expanded but your resulting search would throw an error. It can have a subsearch running a inputlookup and some processing - no problem here.

Third one is the syntax of the subsearch results. By default the subsearch results get formatted in some particular way (an alternative of various returned field combinations). If you want it returned other way, you have to prepare the resulting text and use return to return a raw output as you want it.

And finally I'm not 100% sure you can use a IN (b,c) syntax with where. You can do this with search but I'm not sure about where.

Re: How to search a splunk search result?

human96 — Thu, 31 Mar 2022 04:48:24 GMT

Does anyone happens to know , how can we restrict users from export data via RestAPI, CLI ?

would appreciate splunk documentation .

Re: How to search a splunk search result?

gcusello — Thu, 31 Mar 2022 12:10:55 GMT

Hi @pavanae,

the last solution isn't a good idea because it's a best practice to putt all the search terme as left as possible and use the search command only if you have somthing to elaborate, if you have a field in the main search is always better to put all the search terms in the main search.

Anyway, if you have many indexes (and I don't like this!) you can put them in a lookup and use a subsearch, as I hinted in my last answer:

your_search [ | inputlookup indexes.csv | fields index ] | ...

I don't understand why you don't want this solution!|

Ciao.

Giuseppe

Re: How to search a splunk search result?

PickleRick — Thu, 31 Mar 2022 13:41:51 GMT

@gcuselloAs a side note - with simple searches, splunk can sometimes optimize the search in some obvious cases. So

search | search a=b

will get optimized to

search a=b

But of course I wuldn't rely on it and writing efficient searches is a good practice that should be followed.