Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Combine results of subsearch into single value

kholleran
Communicator
‎07-30-2010 04:16 PM

Hello,

Right now I have a search that says:

source="syslog" minutesago="20" | APPEND [search host="SERVER" Event="SUCCESSFUL_LOGIN" minutesago=30 | fields Account_Name]

So the first search returns some results. What I want to do is have a single value from the multiple results of the second search. So, the sub search returns results like:

Account1 Account2 Account3

My goals is to have this a single value that is appended to each result of the first search

Result1 - Account1,Account2,Account3 Result2 - Account1,Account2,Account3

Or something along those lines. Basically, when the syslog is triggered, I want to know who logged into SERVER in the last half hour.

I was looking at the mvjoin() function but I am not sure how to pass the search results to it.

Thanks for any help.

Kevin

Tags (3)
Reply

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎08-17-2010 05:28 AM

You can use the join command instead of the append command to enrich the results of the outer search.

Assuming your subsearch yields just one result, and there were no fields in common to tie the searches together, you would write the search as:

source="syslog" minutesago="20"
| eval id = 1
| join id [search host="SERVER" Event="SUCCESSFUL_LOGIN" minutesago=30 | fields Account_Name | eval id = 1]

If you do have an id to tie the rows from the subsearch to the outer search, you can drop the evals and use the field name as the first argument to join.

Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...