Splunk Search

Add events mid search

Bulluk
Path Finder

Is it possible to recover events that I've filtered out in a search, ie (and I know this is a daft example but it's good for simplicity):

sourcetype=MySource | search events older than 10 days | do some stuff with those old events | bring back all the events from sourcetype=MySource | do some stuff with all the events

thanks in advance

1 Solution

Drainy
Champion

What are you trying to do?

I ask because if you just bring back all the original events then surely you won't have anything useful from doing the initial filtering? I suppose if you threw some eval magic in to create new fields it might be worth something.
Anyway, I guess you could do this:

sourcetype=bob | where something=that | append [search sourcetype=bob] 

will bring back all your original events and append to your current result set

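The pattern from the accepted answer, written out as an added example (not from the original thread): the filtered set is tagged with eval before the unfiltered set is appended, so the two can still be told apart afterwards. The sourcetype and field names (iis, cs_uri_stem, cs_username) are the ones mentioned later in the thread; the URL value "/login.aspx" is an assumed placeholder.

```spl
sourcetype=iis
| where cs_uri_stem="/login.aspx"
| eval set="filtered"
| append [ search sourcetype=iis | eval set="all" ]
| stats count AS hits, dc(cs_username) AS users BY set
```

The subsearch inside append is a separate job that re-reads the index rather than reusing the outer search's results, which is why it appears as an extra subsearch in the jobs view and is subject to the append command's maxout and maxtime limits.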

Drainy
Champion

Best practice is to do as wide a search as possible and then keep all filtering actions to the postprocess



Drainy
Champion

Glad you've got it working now! 🙂


Bulluk
Path Finder

I feel like a total muppet!

For some reason my search spawns 3 subsearches in the jobs view. The panel on my dashboard stays blank until all 3 have completed their work. Basically I was being impatient, if I leave it for a minute (I'm on a dev box so it takes a while) the result pops up.

I'll be giving the points to Drainy as the append command was the answer I was looking for.

Thanks!


Bulluk
Path Finder

Stranger still, despite getting the error above, the number of events returned in the job monitor suggests that the append statement is working, as it shows ~40000 events.


Bulluk
Path Finder

Incidentally, append works fine via the search app's GUI. My filtered search piped to stats count returns ~500 events; with append it returns ~40000. The problem seems to be running subsearches in a postprocess.


Bulluk
Path Finder

If I put

stats count

into the postProcess search I get a value, if I put

append [search sourcetype=iis] | stats count

the chart is completely blank. I've had a look at the job (I'm on v4.2.4) and I get the following error (I'm running with an admin account):

SearchException: Search operation 'subsearch' is unknown. You might not have permission to run this operation.


Drainy
Champion

Interesting, I might be missing something. You did it using the syntax | append [search sourcetype=iis] ? If you run that search and go to the search inspector (if it's pre 4.3 it's in Actions and Inspect Search Job), does it have any counts listed for the command.append component?


Bulluk
Path Finder

transactions being displayed if I only search on:

eval etime=_time | fields cs_username cs_uri_stem etime | transaction cs_username

So my work around was to simply restart from the beginning but then use the variables from the first search to filter the results of the second.

I've just tried using append to add sourcetype=iis back in but I get no results at all....


Bulluk
Path Finder

It's a bit tricky to explain in the number of characters I have to type in. I'm working with IIS logs. At the top of the page a user can enter a URL. The initial search performs a few rex searches to extract and populate variables for the uri_stem and uri_query. I then perform a where search to filter results to just events that match the URL that the user entered. This is passed to the PostProcess searches to make some simple graphs with. My problem search was discussed here: http://splunk-base.splunk.com/answers/37766/transaction-with-mvexpand. Unfortunately _serial is always null despite....


Bulluk
Path Finder

The above is the short version of a longer problem. I have a HiddenSearch which passes events to HiddenPostProcesses further down the page. This works for all searches except one, where the first search contains useful information but filters out events that I need in the second search. I'm trying to avoid using a whole new search as I want all searches to inherit from a timerange picker that's associated with the initial HiddenSearch.
