Splunk Search

Adding search to a search in search string ....

bogdan_nicolesc
Communicator

Hi all,

What I'm trying to ask is whether I can add to this:

(index="bogdan")
| rename Date AS RootObject.Date
         access_permited AS RootObject.access_permited
         created_date AS RootObject.created_date
         date_access AS RootObject.date_access
         first_name AS RootObject.first_name
         hr_access AS RootObject.hr_access
         last_name AS RootObject.last_name
         min_access AS RootObject.min_access
         msecs AS RootObject.msecs
         qr_code AS RootObject.qr_code
         reader_id AS RootObject.reader_id
         sec_access AS RootObject.sec_access
| fields _time host source sourcetype "RootObject.Date" "RootObject.access_permited" "RootObject.created_date" "RootObject.date_access" "RootObject.first_name" "RootObject.hr_access" "RootObject.last_name" "RootObject.min_access" "RootObject.msecs" "RootObject.qr_code" "RootObject.reader_id" "RootObject.sec_access"
| stats dedup_splitvals=t count AS "Count of 1547566823.1090"
 BY RootObject.date_access, RootObject.hr_access, RootObject.min_access, RootObject.sec_access, RootObject.msecs, RootObject.first_name, RootObject.last_name
| sort limit=100000 RootObject.date_access
| fields - _span
| rename RootObject.date_access AS date_access
         RootObject.hr_access AS hr_access
         RootObject.min_access AS min_access
         RootObject.sec_access AS sec_access
         RootObject.msecs AS msecs
         RootObject.first_name AS first_name
         RootObject.last_name AS last_name
| fillnull "Count of 1547566823.1090"
| fields date_access, hr_access, min_access, sec_access, msecs, first_name, last_name, "Count of 1547566823.1090"
| strcat first_name " " last_name employee
| search employee="Bogdan Nicolescu"

An additional search like:

| search date_access="2019-01-15"

I've already tried, but after a while it shows me a result, and after another while it stops showing anything altogether.

Thank you.


woodcock
Esteemed Legend

I have no idea what you are trying to do but your existing search can be simplified to this:

index="bogdan"
| stats count AS "Count of 1547566823.1090" BY date_access hr_access min_access sec_access msecs first_name last_name
| sort 0 date_access
| strcat first_name " " last_name employee

You can then add stuff like:

| search employee="Bogdan Nicolescu"

Or:

| search employee="Bogdan Nicolescu" AND date_access="2019-01-15"

Note that in general, the | search ... stuff should be done at the top, but I assume that you have a base search that is being used to power several other searches, which is smart. If that's not what you are doing, you should move it to the top like this:

index="bogdan" AND first_name="Bogdan" AND last_name="Nicolescu"
| stats count AS "Count of 1547566823.1090" BY date_access hr_access min_access sec_access msecs first_name last_name
| sort 0 date_access



bogdan_nicolesc
Communicator

Hi WoodCock,

Thank you very Much, worked like a charm.

Bogdan.


rvany
Communicator

In general you could add as many search terms as you like - directly after the index=... or somewhere else in your search string (of course, where it makes sense).

First you should clean up your SPL. You do a lot of renaming in the 2nd part just to rename all of the fields back to their original names later on.

Further down you have three fields commands - the first one containing your renamed fields and the last containing all your back-renamed fields.

It makes reading your SPL much easier if it only contains the necessary parts - even for you 😉

And at last: please stay consistent in your searches. If you get a result only using date_access=2018-06-21, you should use this exact date when adding some more search string like employee="Bogdan Nicolescu" date_access=2018-06-21. Otherwise your results are not comparable at all.


p_gurav
Champion

Is date_access a string or a date field?


bogdan_nicolesc
Communicator

Date field.


renjith_nair
SplunkTrust

@bogdan_nicolescu, it's possible to add the search. Just to understand it better, what's the problem when you add the following to the end of the search?

 | search employee="Bogdan Nicolescu" date_access="2019-01-15"

Happy Splunking!

bogdan_nicolesc
Communicator

Hi Renjith,

If I add that string to my search, I get no result.

BUT! If I do this:

(index="bogdan" Bogdan Nicolescu)
| rename Date AS RootObject.Date
         access_permited AS RootObject.access_permited
         created_date AS RootObject.created_date
         date_access AS RootObject.date_access
         first_name AS RootObject.first_name
         hr_access AS RootObject.hr_access
         last_name AS RootObject.last_name
         min_access AS RootObject.min_access
         msecs AS RootObject.msecs
         qr_code AS RootObject.qr_code
         reader_id AS RootObject.reader_id
         sec_access AS RootObject.sec_access
| fields "_time" "host" "source" "sourcetype" "RootObject.Date" "RootObject.access_permited" "RootObject.created_date" "RootObject.date_access" "RootObject.first_name" "RootObject.hr_access" "RootObject.last_name" "RootObject.min_access" "RootObject.msecs" "RootObject.qr_code" "RootObject.reader_id" "RootObject.sec_access"
| stats dedup_splitvals=t count AS "Count of 1547566823.1090"
  by RootObject.date_access, RootObject.hr_access, RootObject.min_access, RootObject.sec_access, RootObject.msecs, RootObject.first_name, RootObject.last_name
| sort limit=100000 RootObject.date_access
| fields - _span
| rename RootObject.date_access AS date_access
         RootObject.hr_access AS hr_access
         RootObject.min_access AS min_access
         RootObject.sec_access AS sec_access
         RootObject.msecs AS msecs
         RootObject.first_name AS first_name
         RootObject.last_name AS last_name
| fillnull "Count of 1547566823.1090"
| fields date_access, hr_access, min_access, sec_access, msecs, first_name, last_name, "Count of 1547566823.1090"
| strcat first_name " " last_name employee
| search date_access="2018-06-21"

I get what I was looking for.

Thank you for your time.


renjith_nair
SplunkTrust

@bogdan_nicolescu, is it possible that you don't have data for 2019-01-15? Do you see the data in the events when no filter is applied?

Happy Splunking!

bogdan_nicolesc
Communicator

My last message was to point out that if I use | search employee="Bogdan Nicolescu" date_access="2019-01-15" I don't get any result.

BUT! (bubble but) if I use: (index="bogdan" Bogdan Nicolescu) | (..........) | search date_access="2018-06-21" I get what I want.

SO! (like saw, not the movie Saw, but just plain saw) in order to apply 2 searches, you need to put the very first variable NEXT to the | index="" | and then the last variable in the very last place.

Hope this makes (shades) crystal (or diamond) clear.


renjith_nair
SplunkTrust

It's crystal clear, but both of your searches are not the same. In the search where you get the results, you are not using the field name employee (or at least not as mentioned in the text above), which makes a difference in how Splunk gets the events for you. That's why it was asked whether you are able to see the data before the filter is applied (search=). For example, are you seeing the employee data if you do
"your search" | strcat first_name " " last_name employee | table employee, date_access?

Happy Splunking!
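The two points made in this thread (woodcock's: field filters belong in the base search, before stats; renjith_nair's: bare terms like `Bogdan Nicolescu` in the base search are not the same filter as `employee="Bogdan Nicolescu"`, and a date with no events returns nothing) can be checked with a small in-memory model of the pipeline. This is an added example, not code from the thread or from Splunk; the events are constructed, and the matching rules are a simplification (exact case-insensitive field match for `search`, substring match anywhere in the raw event for bare terms, whereas Splunk actually matches bare terms by token).

```python
# Added example, not code from the thread: an in-memory model of the SPL pipeline
# discussed above. Events are constructed sample badge-reader records, not real data.
from collections import Counter

def _event(first, last, date, hr, mn, sec, ms, reader):
    e = {"first_name": first, "last_name": last, "date_access": date, "hr_access": hr,
         "min_access": mn, "sec_access": sec, "msecs": ms, "reader_id": reader}
    e["_raw"] = " ".join(f"{k}={v}" for k, v in e.items())  # what bare terms match against
    return e

EVENTS = [  # constructed sample data
    _event("Bogdan", "Nicolescu", "2018-06-21", "08", "55", "12", "001", "door-1"),
    _event("Bogdan", "Nicolescu", "2018-06-21", "08", "55", "12", "001", "door-1"),  # repeated swipe
    _event("Bogdan", "Nicolescu", "2018-06-21", "17", "02", "40", "120", "door-1"),
    _event("Ana", "Pop", "2018-06-21", "09", "10", "05", "330", "door-2"),
    _event("Nicolescu", "Bogdan", "2018-06-22", "09", "11", "00", "000", "door-2"),  # names swapped
]
BY = ["date_access", "hr_access", "min_access", "sec_access", "msecs", "first_name", "last_name"]

def search(rows, **terms):
    """Model of `| search field="value" ...`: every term must match its field (case-insensitive)."""
    return [r for r in rows
            if all(str(r.get(k, "")).lower() == v.lower() for k, v in terms.items())]

def raw_term_search(events, *terms):
    """Model of bare terms in the base search (`index="bogdan" Bogdan Nicolescu`):
    each term only has to appear somewhere in the raw event, in any field (simplified)."""
    return [e for e in events if all(t.lower() in e["_raw"].lower() for t in terms)]

def stats_count(events, by):
    """Model of `stats count BY <fields>`: one row per distinct field combination."""
    groups = Counter(tuple(e.get(f) for f in by) for e in events)
    return [dict(zip(by, key), count=n) for key, n in groups.items()]

def strcat_employee(rows):
    """Model of `strcat first_name " " last_name employee`."""
    return [dict(r, employee=f"{r['first_name']} {r['last_name']}") for r in rows]

def filter_late(events, employee, date):
    """The thread's original shape: stats over everything, then filter on the calculated field."""
    return search(strcat_employee(stats_count(events, BY)), employee=employee, date_access=date)

def filter_early(events, first, last, date):
    """woodcock's shape: field filters in the base search, before stats (less data to aggregate)."""
    base = search(events, first_name=first, last_name=last, date_access=date)
    return strcat_employee(stats_count(base, BY))

if __name__ == "__main__":
    print(filter_late(EVENTS, "Bogdan Nicolescu", "2018-06-21"))  # same two rows as filter_early
    print(filter_late(EVENTS, "Bogdan Nicolescu", "2019-01-15"))  # [] : no events on that date
    print(len(raw_term_search(EVENTS, "Bogdan", "Nicolescu")))    # 4 : bare terms also hit swapped names
```

The early and late filters return identical rows, so moving the employee and date predicates into the base search changes only how much data stats has to process; the empty result for 2019-01-15 comes from the data, not from where the filter sits.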

bogdan_nicolesc
Communicator

Short answer, yes.
