Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Conditional for Sub Search

kholleran
Communicator
‎07-30-2010 03:15 PM

Hello,

I have a search that looks for a particular set of data. if the data comes from a particular source address, I would like to run a second sub search that builds a list of logged in users from the Windows Event log.

Basically, I have some routers that generate syslog traffic when connected to. These can only be connected to by a single workstation. If for some reason they are connected via another workstation, we need to know and return this in the search. However, we also want to know when the allowed workstation connects and we want to determine who is logged into that workstation.

So something like:

source="syslog" minutesago=20 | if(SRC=ALLOWED_HOST, SUBSEARCH returns successful logins to ALLOWED_HOST in the past 30 minutes)

This is not entirely accurate as someone could be logged in for a longer period of time but it at least gives us more information.

Can anyone give me tips on how to build such a search?

Thanks.

Kevin

Tags (1)
Reply

Lowell
Super Champion
‎08-02-2010 06:36 PM

Conditional searching isn't really supported.

Splunk doesn't provide any kind of procedural language support within a search language. (Perhaps a database analogy would be helpful: Splunk provides SQL-like search language, but does not provide any kind of PL/SQL or T-SQL language around the searches themselves). Generally, this isn't much of a limitation. If you want to do procedural operations that involve splunk searches, then you can pick you own procedural language and easily execute splunk searches using REST API (HTTP calls) or use the splunk CLI search interface (os system calls) from the language of your choosing.

Related stuff:

Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...