topic Re: Linked searches in Splunk Search

Linked searches

Bulluk — Tue, 21 Aug 2012 10:33:24 GMT

I index 2 log files which have a common ID field in them. I'd like to search against log file 1, get a series of IDs which match my search term and then use those IDs to find info from log file 2, eg

source=Log1 error="some error message" | source=Log2 ID

In the above, the search to the left of the pip finds 1 or more results. On the right of the pipe we search for all events which have the ID from the first part of the search.

Seems like it should be easy but I'm having a "can't see the wood for the trees" moment and can't work it out.

thanks in advance!

Re: Linked searches

johandk — Tue, 21 Aug 2012 10:43:29 GMT

source=log1 error="ERROR" | join ID [search source=Log2]

This will do a SQL like join on the ID field.

Re: Linked searches

Ayn — Tue, 21 Aug 2012 10:58:49 GMT

As I understand your requirement I think your best option might be to use a regular subsearch (http://docs.splunk.com/Documentation/Splunk/latest/User/HowSubsearchesWork ).

Step-by-step: " I'd like to search against log file 1, get a series of IDs which match my search term"

source=Log1 error="some error message"

"and then use those IDs to find info from log file 2"

source=Log2 [search source=Log1 error="some error message" | fields ID]

EDIT: If you want the actual events from both sources, you could either use join as has been suggested, or transaction that will create a new event (a transaction) that combines all events having the same ID.

(source=Log1 error="some error message") OR (source=Log2) | transaction ID

Re: Linked searches

Bulluk — Tue, 21 Aug 2012 11:07:04 GMT

This looks close but I'm getting odd results

source=log1 error="ERROR" returns over 100 results

source=log1 error="ERROR" | join ID [search source=Log2] only returns 1 result despite there being a 1 to 1 relationship with the ID.

I shall play a bit more to see if I can work out what I'm doing wrong

Re: Linked searches

Bulluk — Tue, 21 Aug 2012 11:10:21 GMT

Log1 contains the error message and the ID.
Log2 contains the ID and some other info I'm interested in. In a scripting language I'd pass the result of the first query into an array then iterate around it to find the info I want in Log2 ie

$IDs = 1,2,3,4

foreach ($ID in $IDs)
{
select $info1, $info2
where $IDfield = $ID
}

Re: Linked searches

Ayn — Tue, 21 Aug 2012 11:13:38 GMT

OK, so you want not just the ID from log1, but also the actual event? In that case the requirement will indeed be a bit different, as the subsearch would essentially return something like ((id="id1") OR (id="id2") OR ... ) to the outer search.

Re: Linked searches

Ayn — Tue, 21 Aug 2012 11:15:50 GMT

You could also use transaction. See my updated answer.

Re: Linked searches

Bulluk — Tue, 21 Aug 2012 13:13:00 GMT

source=Log2 [search source=Log1 error="some error message" | fields ID]

This is the one that nailed it for me. Thanks for your help 🙂

Re: Linked searches

Bulluk — Tue, 21 Aug 2012 13:13:37 GMT

I ended up using Ayn's solution below but I think the join approach would have worked if I'd spent time with it. Thanks for your help