Cascaded search with tabular data

Path Finder

Given a normal http log I want to be able to use the tabular data (or list) from one search as criteria in a second search.
1) Search host=a or host=b and uri=c | chart count by clientip
2) Search host=a and uri=d and {list of clientIPs from search 1} | chart count by user

I feel sure I'm missing some trick...

Legend

This is very easy in Splunk

host=a AND uri=d [ search (host=a OR host=b) AND uri=c | fields clientip | dedup clientip ]
| chart count by user

The part between the brackets [] is called a subsearch. The results of the subsearch are substituted into the outer search string. Use the "search job inspector" if you want to see the intermediate step!

BTW, there are limits to the subsearch. But if your subsearch returns less than a thousand results, you should be fine.

HTH

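As an added example (not part of the original thread), here is the accepted answer's two-stage pipeline modelled in Python over a handful of constructed HTTP log events. It shows the two things the answer points at but does not print: the expanded outer search string that the search job inspector would show after the subsearch is spliced in, and what happens to the outer result when the subsearch result cap is hit. The event fields, sample values, and the cap's default value are assumptions, not taken from the page or from Splunk's source.

```python
"""Model of Splunk subsearch substitution over constructed HTTP log events.

Added illustration only; this is not Splunk code. The inner search is
evaluated first, its distinct clientip values are rendered the way Splunk
splices them into the outer search string, and the outer search is then run
over the same events. Field names and events are constructed for the demo.
"""
from collections import Counter

# Constructed sample events (host, clientip, uri, user); not real log data.
EVENTS = [
    {"host": "a", "clientip": "10.0.0.1", "uri": "c", "user": "alice"},
    {"host": "b", "clientip": "10.0.0.2", "uri": "c", "user": "bob"},
    {"host": "b", "clientip": "10.0.0.2", "uri": "c", "user": "bob"},    # duplicate ip
    {"host": "c", "clientip": "10.0.0.3", "uri": "c", "user": "carol"},  # wrong host
    {"host": "a", "clientip": "10.0.0.1", "uri": "d", "user": "alice"},
    {"host": "a", "clientip": "10.0.0.1", "uri": "d", "user": "alice"},
    {"host": "a", "clientip": "10.0.0.2", "uri": "d", "user": "bob"},
    {"host": "a", "clientip": "10.0.0.3", "uri": "d", "user": "carol"},  # ip not in subsearch
    {"host": "a", "clientip": "10.0.0.9", "uri": "d", "user": "mallory"},
]

# Assumed cap on rows a subsearch may return (site-configurable in Splunk);
# rows beyond it are silently dropped from the substituted clause.
DEFAULT_MAXOUT = 10000


def inner_search(events, field="clientip"):
    """[ search (host=a OR host=b) AND uri=c | fields clientip | dedup clientip ]

    Returns the distinct values of `field`, first occurrence kept (dedup)."""
    seen = []
    for e in events:
        if e["host"] in ("a", "b") and e["uri"] == "c" and e[field] not in seen:
            seen.append(e[field])
    return seen


def substitute(values, field="clientip", maxout=DEFAULT_MAXOUT):
    """Render subsearch rows as the clause Splunk splices into the outer
    search: ((field="v1") OR (field="v2") ...). Returns the clause and how
    many rows were dropped because of the cap."""
    kept = values[:maxout]
    clause = "(" + " OR ".join(f'({field}="{v}")' for v in kept) + ")"
    return clause, len(values) - len(kept)


def outer_search(events, ip_allowlist):
    """host=a AND uri=d <substituted clause> | chart count by user

    Splunk evaluates the expanded string; the model applies the same set."""
    counts = Counter(
        e["user"]
        for e in events
        if e["host"] == "a" and e["uri"] == "d" and e["clientip"] in ip_allowlist
    )
    return dict(counts)


def run_cascade(events, maxout=DEFAULT_MAXOUT):
    """Run both stages and return the expanded search, drop count, and chart."""
    ips = inner_search(events)
    clause, dropped = substitute(ips, maxout=maxout)
    expanded = f"host=a AND uri=d {clause} | chart count by user"
    return {
        "expanded_search": expanded,
        "dropped": dropped,
        "chart": outer_search(events, set(ips[:maxout])),
    }


if __name__ == "__main__":
    for cap in (DEFAULT_MAXOUT, 1):
        result = run_cascade(EVENTS, maxout=cap)
        print(f"maxout={cap}: {result['expanded_search']}")
        print(f"  dropped={result['dropped']} chart={result['chart']}")
```

Running it with the default cap yields alice=2, bob=1; carol and mallory never appear because their IPs were not in the subsearch output. Rerunning with `maxout=1` drops one IP from the clause and bob disappears from the chart with no error, which is the failure mode to check for (via the job inspector) whenever the inner search may return more rows than the cap allows.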
Path Finder

Subsearch worked great.