Splunk Enterprise Security

subsearch join

jacqu3sy
Path Finder

Anything wrong with this join and subsearch? I know there are events which should match based on the 'cs_host' field. Not sure if the rename is confusing things, or my syntax is off slightly.

index=aaa sourcetype=o365 "*phish URLs*"  
| rename zu as cs_host
| join type=inner cs_host [ | search index=bbb sourcetype="proxy_logs" | fields *] | stats count by cs_host

Appreciate any ideas.

0 Karma
1 Solution

mydog8it
Builder

Your syntax looks good to me. However remember the results are subject to limits.conf.spec:
from https://docs.splunk.com/Documentation/SplunkCloud/8.0.2001/SearchReference/Join :
Limitations on the subsearch for the join command are specified in the limits.conf.spec file. The limitations include the maximum subsearch to join against, the maximum search time for the subsearch, and the maximum time to wait for subsearch to fully finish. See Subsearches in the Search Manual.

So, if the matching results you are expecting are outside of the limits, they will not be returned.

Just as a suggestion, based on your search, I think this would give you the same results without the expense of a subsearch:

(index=aaa sourcetype=o365 "*phish URLs*" ) OR (index=bbb sourcetype="proxy_logs" | fields cs_host) |where zu=cs_host | stats count by cs_host

View solution in original post

0 Karma

wmyersas
Builder

It's legal - but seems to be pointless

You're doing a | join, ostensibly to get more fields, and then immediately throw them all away with a | stats count by

mydog8it
Builder

Your syntax looks good to me. However remember the results are subject to limits.conf.spec:
from https://docs.splunk.com/Documentation/SplunkCloud/8.0.2001/SearchReference/Join :
Limitations on the subsearch for the join command are specified in the limits.conf.spec file. The limitations include the maximum subsearch to join against, the maximum search time for the subsearch, and the maximum time to wait for subsearch to fully finish. See Subsearches in the Search Manual.

So, if the matching results you are expecting are outside of the limits, they will not be returned.

Just as a suggestion, based on your search, I think this would give you the same results without the expense of a subsearch:

(index=aaa sourcetype=o365 "*phish URLs*" ) OR (index=bbb sourcetype="proxy_logs" | fields cs_host) |where zu=cs_host | stats count by cs_host
0 Karma

jacqu3sy
Path Finder

Good spot. Sub search limitations. Its caught me out before and will do again I'm sure! If I switch the query around it works fine. Many thanks.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...