Splunk Enterprise Security

subsearch join

jacqu3sy
Path Finder

Anything wrong with this join and subsearch? I know there are events which should match based on the 'cs_host' field. Not sure if the rename is confusing things, or my syntax is off slightly.

index=aaa sourcetype=o365 "*phish URLs*"  
| rename zu as cs_host
| join type=inner cs_host [ | search index=bbb sourcetype="proxy_logs" | fields *] | stats count by cs_host

Appreciate any ideas.

0 Karma
1 Solution

mydog8it
Builder

Your syntax looks good to me. However remember the results are subject to limits.conf.spec:
from https://docs.splunk.com/Documentation/SplunkCloud/8.0.2001/SearchReference/Join :
Limitations on the subsearch for the join command are specified in the limits.conf.spec file. The limitations include the maximum subsearch to join against, the maximum search time for the subsearch, and the maximum time to wait for subsearch to fully finish. See Subsearches in the Search Manual.

So, if the matching results you are expecting are outside of the limits, they will not be returned.

Just as a suggestion, based on your search, I think this would give you the same results without the expense of a subsearch:

(index=aaa sourcetype=o365 "*phish URLs*" ) OR (index=bbb sourcetype="proxy_logs" | fields cs_host) |where zu=cs_host | stats count by cs_host

View solution in original post

0 Karma

wmyersas
Builder

It's legal - but seems to be pointless

You're doing a | join, ostensibly to get more fields, and then immediately throw them all away with a | stats count by

mydog8it
Builder

Your syntax looks good to me. However remember the results are subject to limits.conf.spec:
from https://docs.splunk.com/Documentation/SplunkCloud/8.0.2001/SearchReference/Join :
Limitations on the subsearch for the join command are specified in the limits.conf.spec file. The limitations include the maximum subsearch to join against, the maximum search time for the subsearch, and the maximum time to wait for subsearch to fully finish. See Subsearches in the Search Manual.

So, if the matching results you are expecting are outside of the limits, they will not be returned.

Just as a suggestion, based on your search, I think this would give you the same results without the expense of a subsearch:

(index=aaa sourcetype=o365 "*phish URLs*" ) OR (index=bbb sourcetype="proxy_logs" | fields cs_host) |where zu=cs_host | stats count by cs_host
0 Karma

jacqu3sy
Path Finder

Good spot. Sub search limitations. Its caught me out before and will do again I'm sure! If I switch the query around it works fine. Many thanks.

0 Karma
Get Updates on the Splunk Community!

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...