Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Help on subsearch

jip31
Motivator
‎04-12-2019 06:21 AM

Hello

I use the search below
it works fine..... BUT for some host, I cant catch the fields there is in the subsearch
It's strange because if I execute the subsearch index=master-data-lookups sourcetype=":view_splunk_assets" apart, I have results....
So what is the problem please?

index="X" sourcetype="Y" source="Z"  EventCode=6008
| dedup host 
| table _time host EventCode 
| join type=left host 
    [ search index=master-data-lookups sourcetype=":view_splunk_assets" 
    | stats count by HOSTNAME SITE ROOM TOWN CLIENT_USER COUNTRY OS 
    | fields - count 
    | rename HOSTNAME as host] 
| table _time host COUNTRY TOWN SITE ROOM CLIENT_USER OS 
| sort -_time limit=10
Tags (1)
0 Karma
Reply

somesoni2
Revered Legend
‎04-12-2019 07:28 AM

Give this a try

(index="X" sourcetype="Y" source="Z"  EventCode=6008) OR (ndex=master-data-lookups sourcetype=":view_splunk_assets" )
| eval host=coalesce(HOSTNAME,host)
| time=if(EventCode="6008",_time,null())
| stats values(sourcetype) as sts max(time) as _time values(SITE) as SITE values(ROOM) as ROOM values(TOWN) as TOWN values(CLIENT_USER) as CLIENT_USER values(COUNTRY) as COUNTRY) values(OS) as OS by host
| where NOT (mvcount(sts)=1 AND sts=":view_splunk_assets")
 | table _time host COUNTRY TOWN SITE ROOM CLIENT_USER OS 
 | sort -_time limit=10
0 Karma
Reply

jip31
Motivator
‎04-13-2019 02:44 AM

hi somesoni
when I launch it it says "mismatch quote or parenthesis"

0 Karma
Reply

jip31
Motivator
‎04-14-2019 11:03 PM

your request works, thanks, but it is very long...
is it possible to accelerate it please?
could you explain me why when I m doing index="x" sourcetype=y source="z" EventCode=6008 on a 30 days period I have 6 events so 6 hosts but when I m doing `index="x" sourcetype=y source="z" EventCode=6008 (Level=1 OR Level=2 OR Level=3)

| dedup host
| table _time host EventCode
| join type=left host
[ search index=master-data-lookups sourcetype="view_splunk_assets"
| stats count by HOSTNAME SITE ROOM TOWN CLIENT_USER COUNTRY OS
| fields - count
| rename HOSTNAME as host]
| table _time host COUNTRY TOWN SITE ROOM CLIENT_USER OS
| sort -_time limit=10`

I have also 6 events on the same period but only 3 events are matching with my CSV file?
Last question : the host list I want to compare is in a csv file
Do I just have to add [| inputlookup host.csv]after (index="X" sourcetype="Y" source="Z" EventCode=6008) OR (ndex=master-data-lookups sourcetype=":view_splunk_assets" )??
Thanks in advance

0 Karma
Reply

dmarling
Builder
‎04-12-2019 06:32 AM

Hi @jip31 , I recognize this query. 🙂 The join is case sensitive so if the data of the HOSTNAME has different case than the host in the other query it won't match. This should fix that if that's the case:

index="X" sourcetype="Y" source="Z" EventCode=6008 
| dedup host 
| eval host=lower(host)
| table _time host EventCode 
| join type=left host 
    [ search index=master-data-lookups sourcetype=":view_splunk_assets" 
    | stats count by HOSTNAME SITE ROOM TOWN CLIENT_USER COUNTRY OS 
    | fields - count 
    | rename HOSTNAME as host
    | eval host=lower(host)] 
| table _time host COUNTRY TOWN SITE ROOM CLIENT_USER OS 
| sort -_time limit=10

If that works, I'll convert this to an answer.

If this comment/answer was helpful, please up vote it. Thank you.
0 Karma
Reply

jip31
Motivator
‎04-13-2019 02:27 AM

hello it doesnt works and its not a case sensitive issue because all the host are uppercase...

0 Karma
Reply

riddhichandaran
Explorer
‎04-12-2019 06:32 AM

@jip31 I think the issue is you are performing left join here so it returns all host of the main search and only returns the host of subsearch which is common with the main search so for the host which is from the main search does not have fields of subsearch

if you want all host with these fields remove type=left

Hope it helps!

0 Karma
Reply

jip31
Motivator
‎04-13-2019 02:39 AM

hi
with this, I have host match well
BUT.....
There is something wrong
when I execute my search I have host which correspond to index="X" sourcetype="Y" source="Z" EventCode=6008 even if for some of them the matching not works (reason why I have opened this topic 😉
but if I delete type=left, these host doenst appear in the result
normally the should appear and match with the csv table....
I dont understand anything...

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...