topic Re: Not another Subsearch Question! Take values from one search and feed it to another in Splunk Search

Not another Subsearch Question! Take values from one search and feed it to another

lennys26 — Thu, 20 Jul 2017 22:13:59 GMT

I am trying to figure out how to find all log events related to a specific linux PID based on a reduced set of hosts (obtained from a search for 'valueB').

Using the below search, I can get the PIDs and the hosts in which they live.

index=<myindex> sourcetype=<mysourcetype> valueB | table host, PID, valueB | dedup PID, valueB

This will return me a simple list of the PIDs for events related to 'valueB' and the hosts. I now want to take this list and search for all events for those PIDs in the hosts (where 'valueB' may or may not actually be present within the log line).

For example, using the below event lines:
1. hostA PID: 10000 foo
2. hostB PID: 20000 foo
3. hostA PID: 10000
4. hostB PID: 20000
5. hostC PID: 10000
6. hostC PID: 30000 foo

Knowing 'foo', my end goal is to return the events 1, 2, 3, 4 and NOT 5 or 6.

This is a subsearch (or a join) but I cant seem to get it to work.

Any thoughts?

Re: Not another Subsearch Question! Take values from one search and feed it to another

woodcock — Thu, 20 Jul 2017 22:26:43 GMT

Like this:

  index=<myindex> sourcetype=<mysourcetype> [search index=<myindex> sourcetype=<mysourcetype> valueB | stats values(PID) AS PID]

Re: Not another Subsearch Question! Take values from one search and feed it to another

DalJeanis — Thu, 20 Jul 2017 22:45:05 GMT

why not 6? It has a foo!

Re: Not another Subsearch Question! Take values from one search and feed it to another

DalJeanis — Thu, 20 Jul 2017 22:52:37 GMT

Okay, it looks like each host may have multiple PIDS. For each host, for any PID that has a foo, you want all the records.

So, this subsearch, with its implicit format command

 [index=<myindex> sourcetype=<mysourcetype> "foo" | stats by host PID]

...effectively turns into this search term

 ((host=hostA AND PID=10000) OR (host=hostB AND PID=20000) OR (host=hostC AND PID=30000) )

... therefore this search ...

index=<myindex> sourcetype=<mysourcetype> 
    [index=<myindex> sourcetype=<mysourcetype> "foo" | stats by host PID]
| table host PID WhateverFieldIsFoo

... should get you records 1-4 and 6 but not 5.

Re: Not another Subsearch Question! Take values from one search and feed it to another

lennys26 — Fri, 21 Jul 2017 20:30:08 GMT

Hi woodcock. That is along the lines of what I was thinking however it seems to be pulling events that match PID but not restricting to the hosts that I want (example #5 above). Let me make sure I am explaining clearly (I suspect I didnt').

All events will fall into one of the below :

contain: host, pid
contain: host, id
contain: host, pid and id

I have a call in my network which is identified with an id. For each host, the 'id' has a direct relationship with a specific 'pid'. Using the 'id' to search with, I want to be able to pull up the events on those hosts (where the 'id' exists) with the related 'pid'.

Given:
| host | pid | id |
| svr1 | 1000 | aa |
| svr2 | 2000 | aa |

I want to return the events where the pid is 1000 on svr1 and 2000 on svr2

Re: Not another Subsearch Question! Take values from one search and feed it to another

woodcock — Sat, 22 Jul 2017 17:19:06 GMT

My bad; see @DalJeanis

Re: Not another Subsearch Question! Take values from one search and feed it to another

DalJeanis — Sun, 23 Jul 2017 21:22:42 GMT

@lennys26 - still waiting to understand how we are supposed to know not to put out hostc?

Re: Not another Subsearch Question! Take values from one search and feed it to another

woodcock — Sun, 23 Jul 2017 21:36:19 GMT

Like this:

index=yourIndexHere sourcetype=yourSourcetypeHere [search index=yourIndexHere sourcetype=yourSourcetypeHere id=yourIDhere | dedup host PID | table host PID ]