Splunk Search

How can I take the results from a search and generate a second search from those results?

doogan12
Engager

Hi all,

I have a search that looks for ICID's (injection connection ID) found in incoming SPAM email events. Sometimes there could be hundreds of ICID's. My search pulls out the ICID's and saves them to a .csv file, but I cannot seem to get the file to run and give me the results of each ICID.

Can anyone help with this? Here is my search (or if there is another way, I'm open to rewriting the search/dashboard):

index=primary_index sourcetype=server_ironport "add.ip.here" | stats count by icid | outputcsv mysearch

Thanks for any help you can provide!

1 Solution

woodcock
Esteemed Legend

If the events in the two datasets are contemporaneous, why save them off at all? Why not just use a subsearch like this:

index=OuterIndexHere sourcetype=OuterSourcetypeHere [index=InnerIndexHere sourcetype=InnerSourcetypeHere | stats count BY ICID | table ICID]


doogan12
Engager

Woodcock - not sure I understand outer versus inner indexes and sourcetypes.


woodcock
Esteemed Legend

The values of ICID from the "inner search" are used to qualify the "outer search".

See what this does:

index=InnerIndexHere sourcetype=InnerSourcetypeHere | stats count BY ICID | table ICID | format

doogan12
Engager

I think we are getting closer - the results returned a table with two headings: icid and search. There was no data (no outer index/sourcetype specified?) returned under the icid heading, and search returned ( ( icid="432670647" ) OR ( icid="99283979" ) )


woodcock
Esteemed Legend

The reason that I told you to run the "inner search" that way is because it shows you how a subsearch converts the ICID field into a search parameter (called search) for the "outer search". Now put it back in (with or without the format part) with the "outer search" as I showed in the original solution and watch the subsearch magic happen.


doogan12
Engager

OK, it is now producing the results that I need - ( icid="432745756" ) OR ( icid="99159202" ) OR ( icid="99404073" ) - under the 'search' heading of the table. Since this is a newer version of Splunk (6.3 I think), drilling down on the search results will need to be performed in the XML portion of the code as opposed to editing the panel options.

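The conversion woodcock describes (and the clause doogan12 pasted back) can be simulated outside Splunk. The following is an added example, not Splunk's own code or anything from this thread: it reproduces what the implicit `format` step of a subsearch emits from a set of inner-search rows, using format's default prefixes, joiners and empty-result string, and shows why `| table icid` matters (any column left in the inner results, such as `count`, is ANDed into every clause). The subsearch row cap (`maxout`, default 10,000) and the ICID values are taken from the thread; `expand_subsearch` and the other names are assumptions for this illustration.

```python
# Added illustration (not Splunk's code): how a subsearch's implicit `format`
# turns inner-search result rows into the clause spliced into the outer search.
# Fields within a row are ANDed, rows are ORed, the whole is parenthesised and
# values are double-quoted. Rows past the subsearch cap (maxout, default 10,000)
# are silently dropped, which is worth checking when ICID lists run to hundreds.

DEFAULT_MAXOUT = 10000


def quote_value(value):
    """Render a field value as a double-quoted SPL literal (escapes \\ and ")."""
    text = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{text}"'


def format_rows(rows, maxout=DEFAULT_MAXOUT):
    """Return the string `format` emits for a list of {field: value} rows.

    Uses format's defaults: "(" "(" "AND" ")" "OR" ")" and emptystr NOT().
    """
    clauses = []
    for row in rows[:maxout]:
        terms = [f"{field}={quote_value(value)}" for field, value in row.items()]
        clauses.append("( " + " AND ".join(terms) + " )")
    if not clauses:
        return "NOT()"  # empty subsearch: the outer search matches nothing
    return "( " + " OR ".join(clauses) + " )"


def is_truncated(rows, maxout=DEFAULT_MAXOUT):
    """True when the subsearch would drop rows beyond maxout."""
    return len(rows) > maxout


def expand_subsearch(outer_search, inner_rows, maxout=DEFAULT_MAXOUT):
    """Splice the formatted clause into the outer search, as the subsearch does."""
    return f"{outer_search} {format_rows(inner_rows, maxout)}"


# Constructed sample rows using ICID values quoted in the thread.
# After `... | stats count BY icid | table icid` only the icid column remains.
TABLED_ROWS = [{"icid": "432670647"}, {"icid": "99283979"}]
# Without `| table icid` the count column survives and is ANDed into each clause.
UNTABLED_ROWS = [{"icid": "432670647", "count": "3"}, {"icid": "99283979", "count": "1"}]

if __name__ == "__main__":
    print(format_rows(TABLED_ROWS))
    print(format_rows(UNTABLED_ROWS))
    print(expand_subsearch("index=primary_index sourcetype=server_ironport", TABLED_ROWS))
```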

woodcock
Esteemed Legend

So you now understand how to use a subsearch and you are good-to-go, right?


doogan12
Engager

Yes, thanks Woodcock, you taught me much in that regard! One last thing - do you have any idea why the drilldown isn't working? When I click on the results that the search produced, it shows the original search instead of the results of the search - just like clicking the magnifying glass icon does. In the source code, drilldown is set to cell. Any thoughts?


woodcock
Esteemed Legend

It would be best to click Accept to close this question and then ask a new question.


somesoni2
SplunkTrust

The outputcsv command exports the search results as a .csv file saved in the "$SPLUNK_HOME/var/run/splunk/csv" directory. (http://docs.splunk.com/Documentation/Splunk/6.6.2/SearchReference/Outputcsv)
Please note that these files are not replicated across search head cluster members if you've set up SHC. To retrieve the results from that exported file, you should use the inputcsv command. See more information here:
http://docs.splunk.com/Documentation/Splunk/6.6.2/SearchReference/Inputcsv

You can also look at the outputlookup and inputlookup commands; the former saves the results as a lookup table file, which will get replicated across the SHC.


doogan12
Engager

Thanks, somesoni2, I see your point regarding csv versus lookup. I will try that option next.
