
Adding search to a search in search string ....

Communicator

Hi all,

What I am trying to ask is whether I can add to this:

(index="bogdan")
| rename Date AS RootObject.Date
         access_permited AS RootObject.access_permited
         created_date AS RootObject.created_date
         date_access AS RootObject.date_access
         first_name AS RootObject.first_name
         hr_access AS RootObject.hr_access
         last_name AS RootObject.last_name
         min_access AS RootObject.min_access
         msecs AS RootObject.msecs
         qr_code AS RootObject.qr_code
         reader_id AS RootObject.reader_id
         sec_access AS RootObject.sec_access
| fields _time host source sourcetype "RootObject.Date" "RootObject.access_permited" "RootObject.created_date" "RootObject.date_access" "RootObject.first_name" "RootObject.hr_access" "RootObject.last_name" "RootObject.min_access" "RootObject.msecs" "RootObject.qr_code" "RootObject.reader_id" "RootObject.sec_access"
| stats dedup_splitvals=t count AS "Count of 1547566823.1090"
 BY RootObject.date_access, RootObject.hr_access, RootObject.min_access, RootObject.sec_access, RootObject.msecs, RootObject.first_name, RootObject.last_name
| sort limit=100000 RootObject.date_access
| fields - _span
| rename RootObject.date_access AS date_access
         RootObject.hr_access AS hr_access
         RootObject.min_access AS min_access
         RootObject.sec_access AS sec_access
         RootObject.msecs AS msecs
         RootObject.first_name AS first_name
         RootObject.last_name AS last_name
| fillnull "Count of 1547566823.1090"
| fields date_access, hr_access, min_access, sec_access, msecs, first_name, last_name, "Count of 1547566823.1090"
| strcat first_name " " last_name employee
| search employee="Bogdan Nicolescu"

An additional search like:

| search date_access="2019-01-15"

I've already tried it, but after a while it shows me a result, and after another while it stops showing anything altogether.

Thank you.


Re: Adding search to a search in search string ....

SplunkTrust

@bogdan_nicolescu, it's possible to add the search. Just to understand it better, what's the problem when you add the following to the end of the search?

| search employee="Bogdan Nicolescu" date_access="2019-01-15"

Re: Adding search to a search in search string ....

Communicator

Hi Renjith,

If I add that string to my search, I get no result.

BUT! If I do this:

(index="bogdan" Bogdan Nicolescu)
| rename Date AS RootObject.Date
         access_permited AS RootObject.access_permited
         created_date AS RootObject.created_date
         date_access AS RootObject.date_access
         first_name AS RootObject.first_name
         hr_access AS RootObject.hr_access
         last_name AS RootObject.last_name
         min_access AS RootObject.min_access
         msecs AS RootObject.msecs
         qr_code AS RootObject.qr_code
         reader_id AS RootObject.reader_id
         sec_access AS RootObject.sec_access
| fields "_time" "host" "source" "sourcetype" "RootObject.Date" "RootObject.access_permited" "RootObject.created_date" "RootObject.date_access" "RootObject.first_name" "RootObject.hr_access" "RootObject.last_name" "RootObject.min_access" "RootObject.msecs" "RootObject.qr_code" "RootObject.reader_id" "RootObject.sec_access"
| stats dedup_splitvals=t count AS "Count of 1547566823.1090"
  by RootObject.date_access, RootObject.hr_access, RootObject.min_access, RootObject.sec_access, RootObject.msecs, RootObject.first_name, RootObject.last_name
| sort limit=100000 RootObject.date_access
| fields - _span
| rename RootObject.date_access AS date_access
         RootObject.hr_access AS hr_access
         RootObject.min_access AS min_access
         RootObject.sec_access AS sec_access
         RootObject.msecs AS msecs
         RootObject.first_name AS first_name
         RootObject.last_name AS last_name
| fillnull "Count of 1547566823.1090"
| fields date_access, hr_access, min_access, sec_access, msecs, first_name, last_name, "Count of 1547566823.1090"
| strcat first_name " " last_name employee
| search date_access="2018-06-21"

I get what I was looking for.

Thank you for your time.


Re: Adding search to a search in search string ....

SplunkTrust

@bogdan_nicolescu, is it possible that you don't have data for 2019-01-15? Do you see the data in the events when no filter is applied?


Re: Adding search to a search in search string ....

Communicator

My last message was to point out that if I use | search employee="Bogdan Nicolescu" date_access="2019-01-15" I don't get any result.

BUT! (bubble but) If I use: (index="bogdan" Bogdan Nicolescu) | (..........) | search date_access="2018-06-21" I get what I want.

SO! (like saw, not the movie Saw, but just plain saw) In order to apply 2 searches, you need to put the very first variable NEXT to the | index="" | and then the last variable in the very last place.

Hope this makes it (shades) crystal (or diamond) clear.


Re: Adding search to a search in search string ....

SplunkTrust

It's crystal clear, but both of your searches are not the same. In the search where you get the results, you are not using the field name employee (or at least as mentioned in the text above), which makes a difference in how Splunk gets the events for you. That's why it was asked whether you are able to see the data before the filter is applied (search=). For example, are you seeing the employee data if you do
"your search" | strcat first_name " " last_name employee | table employee, date_access?


Re: Adding search to a search in search string ....

Communicator

Short answer, yes.


Re: Adding search to a search in search string ....

Champion

Is date_access a string or a date field?


Re: Adding search to a search in search string ....

Communicator

Date field.


Re: Adding search to a search in search string ....

Communicator

In general you could add as many search terms as you like - directly after the index=... or somewhere else in your search string (of course, where it makes sense).

First you should clean up your SPL. You do a lot of renaming in the 2nd part just to rename all of the fields back to their original names later on.

Further down you have three fields commands, the first one containing your renamed fields and the last containing all your back-renamed fields.

It makes reading your SPL much easier if it only contains the necessary parts - even for you 😉

And lastly: please stay consistent in your searches. If you get a result only using date_access=2018-06-21, you should use this exact date when adding some more search string like employee="Bogdan Nicolescu" date_access=2018-06-21. Otherwise your results are not comparable at all.

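As an added example (not code posted in this thread), here is the original search cleaned up along the lines of the last reply, also showing the point made earlier about why the two posted searches differ: the rename round trips, the intermediate fields commands and the fillnull (stats count never produces a null) are dropped, the raw terms "Bogdan Nicolescu" stay in the base search so the indexer does the cheap filtering, and the field-level filters on employee and date_access come after strcat, once the employee field exists. The result column name Count is an assumed replacement for the pivot-generated "Count of 1547566823.1090", and sort 0 is the unlimited form of the original sort limit=100000.

```spl
index="bogdan" "Bogdan Nicolescu"
| strcat first_name " " last_name employee
| search employee="Bogdan Nicolescu" date_access="2018-06-21"
| stats count AS Count BY date_access, hr_access, min_access, sec_access, msecs, employee
| sort 0 date_access
| table date_access, hr_access, min_access, sec_access, msecs, employee, Count
```

To check whether a given day has any events before narrowing further, run the first three lines with the date_access term removed and look at the date_access values in the event list.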