Dashboards & Visualizations

The Results from a Subsearch Need to be Used as an OR in the Main Search

genesiusj
Builder

Hello,
I have a main search, with an append command.
Some events contain just the user; others just the addr; and still others both the user and the addr. The issue is I only know user. However, to find events which contain just the addr I need to search the log for events where the user!="" and where addr!="". Then I can run a new search on log with $addr=addr. I will use dedup at the end.

|append
              [  search index ="events"
                AND source="log" 
                AND (user="$userId_tok$"
                  OR [ search index ="events"
                     AND source="/log"  
                     AND user="$userId_tok$"
                    | head limit=1
                    | eval addr="\"".addr."\""
                    | return $addr ]

Can OR work with subsearches?

I hope that makes sense.

Thanks and God bless,
Genesius

0 Karma
1 Solution

woodcock
Esteemed Legend

The way that subsearches work by default is that the fields within a row are combined with AND and then rows are combined with OR. You can see what is done by running your subsearch and then adding | format to the end and it will show you the SPL that it will generate. Additionally, the format command allows you to change the AND to OR or the OR to AND if you like, by passing the appropriate arguments. Check it out:
https://docs.splunk.com/Documentation/Splunk/latest/Search/Changetheformatofsubsearchresults

View solution in original post

0 Karma

woodcock
Esteemed Legend

The way that subsearches work by default is that the fields within a row are combined with AND and then rows are combined with OR. You can see what is done by running your subsearch and then adding | format to the end and it will show you the SPL that it will generate. Additionally, the format command allows you to change the AND to OR or the OR to AND if you like, by passing the appropriate arguments. Check it out:
https://docs.splunk.com/Documentation/Splunk/latest/Search/Changetheformatofsubsearchresults

0 Karma

genesiusj
Builder

@woodcock ,
I want to thank you for your reply. I will check into later this afternoon. I'm prepping for a meeting.
Thanks and God bless,
Genesius

genesiusj
Builder

@woodcock
As this is a new Splunk implementation, before I get a chance to complete one thing, another is tossed our way.
I am getting back to old forum posts to thanks people and close.
Using | format and the supplied link have been a great education.

Apologies for the delay.
Thanks and God bless,
Genesius

woodcock
Esteemed Legend

Be sure to come back and click Accept to close the question and UpVote and useful answers or comments.

0 Karma

genesiusj
Builder

@woodcock
Got it. Done.
I saw the Accept button over my response and thought I would be accepting mine and not yours. Thanks and God bless,
Genesius

somesoni2
Revered Legend

It should work with OR (your just need to ensure that proper brackets are placed so that your logic is correct. Your second subsearch is just returning the value (because of dollar sign), so your search becomes this

search index ="events"
                 AND source="log" 
                 AND (user="$userId_tok$"
                   OR ("address_value_returned_from_subsearch")

That is intentional right?

0 Karma

genesiusj
Builder

@somesoni2
Yes. Don't forget the trailing ).

AND (user="$userId_tok$"
OR ("address_value_returned_from_subsearch"))

Thanks and God bless,
Genesius

0 Karma

genesiusj
Builder

@somesoni2
Also, here is the error message.

Error in 'SearchParser': Subsearches are only valid as arguments to commands.

Thanks and God bless,
Genesius

0 Karma

somesoni2
Revered Legend

What's your full search?

0 Karma

genesiusj
Builder

@somesoni2
As this is a new Splunk implementation, before I get a chance to complete one thing, another is tossed our way.
I am getting back to old forum posts to thanks people and close.
Apologies for the delay.
Thanks and God bless,
Genesius

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...