Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Add events mid search

Bulluk
Path Finder
‎02-17-2012 03:56 AM

Is it possible to recover events that I've filtered out in a search, ie (and I know this is a daft example but it's good for simplicity):

sourcetype=MySource | search events older that 10 days | do some stuff with those old event | bring back all the events from sourcetype=MySource | do some stuff with all the events

thanks in advance

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Drainy
Champion
‎02-17-2012 04:03 AM

What are you trying to do?

I ask because if you just bring back all the original events then surely you won't have anything useful from doing the initial filtering? I suppose if you threw some eval magic in to create new fields it might be worth something.
Anyway I guess you could do this;

sourcetype=bob | where something=that | append [search sourcetype=bob]

will bring back all your original events and append to your current result set

View solution in original post

Reply
Solved! Jump to solution

Drainy
Champion
‎02-17-2012 04:03 AM

Best practice is to do as wide a search as possible and then keep all filtering actions to the postprocess

0 Karma
Reply
Solved! Jump to solution
Solution

Drainy
Champion
‎02-17-2012 04:03 AM

What are you trying to do?

I ask because if you just bring back all the original events then surely you won't have anything useful from doing the initial filtering? I suppose if you threw some eval magic in to create new fields it might be worth something.
Anyway I guess you could do this;

sourcetype=bob | where something=that | append [search sourcetype=bob]

will bring back all your original events and append to your current result set

Reply
Solved! Jump to solution

Drainy
Champion
‎02-17-2012 06:47 AM

Glad you've got it working now! 🙂

0 Karma
Reply
Solved! Jump to solution

Bulluk
Path Finder
‎02-17-2012 05:47 AM

I feel like a total muppet!

For some reason my search spawns 3 subsearches in the jobs view. The panel on my dashboard stays blank until all 3 have completed their work. Basically I was being impatient, if I leave it for a minute (I'm on a dev box so it takes a while) the result pops up.

I'll be giving the points to Draineh as the append command was the answer I was looking for.

Thanks!

0 Karma
Reply
Solved! Jump to solution

Bulluk
Path Finder
‎02-17-2012 05:34 AM

Stranger still, despite getting the error above the number of events returned in the job monitor suggests that the append statement is working as it shows ~40000 events

0 Karma
Reply
Solved! Jump to solution

Bulluk
Path Finder
‎02-17-2012 05:20 AM

Incidentally, append works fine via the search app's gui. My filtered search piped to stats count returns ~500 events, with append it returns ~40000. The problem seems to be running subsearchs in a postprocess

0 Karma
Reply
Solved! Jump to solution

Bulluk
Path Finder
‎02-17-2012 05:18 AM

if I put

stats count

into the postProcess search I get a value, if I put

append [search sourcetype=iis] | stats count

the chart is completely blank. I've had a look at the job (I'm on v4.2.4) and I get the following error (I'm running with an admin account)

SearchException: Search operation 'subsearch' is unknown. You might not have permission to run this operation.

0 Karma
Reply
Solved! Jump to solution

Drainy
Champion
‎02-17-2012 04:54 AM

Interesting, I might be missing something. You did it using the synax | append [search sourcetype=iis] ? If you run that search and go to the search inspector (if its pre 4.3 its in actions and inspect search job) does it have any counts listed for the command.append component?

0 Karma
Reply
Solved! Jump to solution

Bulluk
Path Finder
‎02-17-2012 04:26 AM

transactions being displayed if I only search on:

eval etime=_time | fields cs_username cs_uri_stem etime | transaction cs_username

So my work around was to simply restart from the beginning but then use the variables from the first search to filter the results of the second.

I've just tried using append to add soourcetype=iis back in but I get no results at all....

0 Karma
Reply
Solved! Jump to solution

Bulluk
Path Finder
‎02-17-2012 04:24 AM

It's a bit tricky to explain in the number of characters I have to type in. I'm working with iis logs. At the top of the page a user can enter a url. The initial search performs a few rex searches to extract and populate variables for the uri_stem and uri_query. I then perform a where search to filter results to just events that match the url that the user entered. this is passed to the PostProcess searches to make some simple graphs with. My problem search was discussed here http://splunk-base.splunk.com/answers/37766/transaction-with-mvexpand. Unfortunately _serial is always null despite....

0 Karma
Reply
Solved! Jump to solution

Bulluk
Path Finder
‎02-17-2012 04:00 AM

The above is the short version to a longer problem. I have a HiddenSearch which passes events to HiddenPostProceses further down the page. This works for all searches except one where the first search contains useful information but filters out events that I need in the second search. I'm trying to avoid using a whole new search as I want all searches to inherit from a timerange picker that's associated with the initial HiddenSearch

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...