- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: How to use result from a hidden search as inpu...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to create a form that allow users to input a few search criteria and I want it to perform a "base search" within log source A which will return a list of suspect IPs.
For example: Base Search (hidden from user):sourcetype=logA badguy=true | stats count by IP | search count>$CountThreshold$ | table IP
I want to take this list of suspect IP to look for matches in multiple sources and display search results from each individually.
For example:
Chart: sourcetype=logB [results from Base Search above] | timechart count by IP
Table: sourceytpe=logC [results from Base Search above] | table username, login_status
For performance reason I do not want to repeat the subsearch mulitple times to obtain the same list of IPs. I want to do the Subsearch once only and leverage that list in multiple subsequent searches. I thought about using "searchtemplate" and postprocessing but I think it will only work when I perform further filtering or aggregation of the first result, but not using it as a subquery for a brand new search. I also thought about using dynamic drill down but it will pass the IP one at a time, not as a list. Is there anyway to do this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The base search is not a subsearch, and can't be used as such. The base search provides a set of events, and then the other searches can further filter or aggregate the search results.
Here is an idea: Have the user complete a form and based on that form, run a search and save the results as a lookup file. Then pass the name of the lookup file via the dynamic drill down. The target of the drill down could then use the lookup file to do another search and report. The lookup file could also be used as part of a subsearch.
I haven't tested this, so it is only an idea. But I think that a combination of the outputlookup and inputlookup commands might work. There is also a way to load the results of a previously saved search using the loadjob command, but it might be a bit trickier to find and pass the search id (sid).
I hope this helps you find a solution that works for your situation.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The base search is not a subsearch, and can't be used as such. The base search provides a set of events, and then the other searches can further filter or aggregate the search results.
Here is an idea: Have the user complete a form and based on that form, run a search and save the results as a lookup file. Then pass the name of the lookup file via the dynamic drill down. The target of the drill down could then use the lookup file to do another search and report. The lookup file could also be used as part of a subsearch.
I haven't tested this, so it is only an idea. But I think that a combination of the outputlookup and inputlookup commands might work. There is also a way to load the results of a previously saved search using the loadjob command, but it might be a bit trickier to find and pass the search id (sid).
I hope this helps you find a solution that works for your situation.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, I think that should work. I will give it a try.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
