Re: filter on results of subsearch for the second ...

spicy · ‎05-04-2021

Hi

I am running into a problem when it come to subsearches. I want to use results from the first search to plug into the second search. The uid/keyvalue ties multiple sourcetypes together, with each sourcetype comes similar and unique information. It would be great to correlate this info by a table or stats.

FYI

Both sourctypes have an uid field

dns sourcetype has the contains query field
conn sourcetype has the other fields wanting display

index="main" sourcetype=conn uid=keyvalue

[ search index="main" sourcetype=dns
| rename uid as keyvalue
| table keyvalue]
| fields proto, query, id.orig_h
| table uid, query, proto, id.orig_h

ragedsparrow · ‎05-04-2021

Have you looked into a `join` rather than a subsearch? This is useful especially when you want to utilize data from both searches, correlated by a common field. Subsearches tend to be more useful to filter the results of the main search based on the field values from the subsearch.

Reference Documentation: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Join

spicy · ‎05-05-2021

Appreciate the help!

I worked on join too, but still no luck. The biggest problem I think is using the tabled uid field from query1 then using it as a lookup in query2 (without creating a lookup). if you have any suggested spl for me to try that would be great.

overview of the goal:

Sourctype DNS fields Sourcetype Conn
uid, query uid, src_ip, dest_ip

if (dnsuid = connuid)
then table uid, src_ip, dest_ip, query

filter on results of subsearch for the second search

splunkd

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!