topic Re: Problems with subsearch and returning multiple fields in Splunk Search

Problems with subsearch and returning multiple fields

reinoheinanen — Wed, 11 Jan 2017 11:57:35 GMT

Hello I'm trying t run the following search:

Using subsearch I collect from DNS logs the source IP address and the domain they looked up.
Then using the source IP address query the windows security event logs to see user using the IP address at the time.
Create output with the destination, source IP, userdetails

I'm having problems with subsearch and returning values.
How do you return multiple fields and then search further only using one of the fields (src in this case)?

Or is there better way doing this?

Re: Problems with subsearch and returning multiple fields

hunters_splunk — Wed, 11 Jan 2017 14:59:56 GMT

Hi reinoheinanen,

You can use the fields command in your subsearch to return a specified fields as arguments for the outer search. For example:

... [ search sourcetype="dns" "specific urls" | dedup src | fields src] ...

There are other ways you can change the format of subsearch results to meet your needs. For more information, please refer to documentation: http://docs.splunk.com/Documentation/Splunk/6.5.1/Search/Changetheformatofsubsearchresults

Hope this helps. Thanks!
Hunter

Re: Problems with subsearch and returning multiple fields

reinoheinanen — Tue, 29 Sep 2020 12:22:07 GMT

Thanks Hunter,

So now I have another problem. The link you provided had details about format command which I was hoping to use to modify returned search result so that it will work with multiple returned fields.

Splunk docs says:
"The format command changes your subsearch results into a single linear search string. This is used when you want to pass the returned values in the returned fields into the primary search."

I have managed to get the query to work if I return a single field. But it doesn't work if I pipe it to format. Seem primary search doesn't work with the returned linear search string?

The formatted search string that is returned contains (this does not work):
( ( "(src_ip=\"10.10.10.1\") OR (src_ip=\"10.10.10.2\") OR (src_ip=\"10.10.10.3\")" ) )

Without format (this works):
(src_ip="10.10.10.1") OR (src_ip="10.10.10.2") OR (src_ip="10.10.10.3")

Is there a bug or am I missing something from my command or I'm supposed to modify linear search strings somehow before they can be used with primary search?

Thanks,

Re: Problems with subsearch and returning multiple fields

reinoheinanen — Tue, 29 Sep 2020 12:24:15 GMT

I managed to get this to work but had to do it slightly differently.

As Splunk doesn't seem to support proper control over what to do with results that are returned from sub searches I had to run two separate sub searches using OR between them.

Re: Problems with subsearch and returning multiple fields

malvidin — Mon, 31 Aug 2020 10:30:50 GMT

I just posted an "idea" for the return command to be able to do what you would like it to do.

https://ideas.splunk.com/ideas/EID-I-532

The following is your command, rewritten with a rex command that should create a simple boolean expression from one subsearch.

The string in the eval command should be changed to something that will never be found. Depending on the use, perhaps "index!=*" might be more efficient. Otherwise, if nothing is found then the search will return an empty string that matches all events. This may be desired, in which case the eval statement should be removed.