How do I pass an event's field value into a subsearch to retrieve another field?
At the moment, I can't use join because the records at the other sourcetype racks up to millions. Due to limitation, the join command will only return a maximum of 50,000 results to perform the join.
I need a direct search, to eval an extra field for each event using a field from the event.
Example of something I am trying: placing employeeID, a field from every event of the main search, into a subsearch:
index=a sourcetype=sta | eval employeeAddress= [index=b sourcetype=stb empID=$employeeID$ | return empAddress]
Well if you're trying to get field values out of Search A index=a sourcetype=sta, and you want to use the field values in there to run another search B, and A might run into the millions of rows, then you can't use a subsearch.
I do however think you have your subsearch syntax backwards. The "first" search Splunk runs is always the inner one, and if I'm reading your question right that would be the index=a sourcetype=sta search. Therefore I think your hypothetical subsearch would look like:
index=b sourcetype=stb [ search index=a sourcetype=sta | rename employeeID as empID | table empID ] | table empID empAddress
But again, the inner search will get truncated at 50,000 rows as you say, so you can't use subsearches, join, append, etc.
However here's the good news:
1) Just get all the events and let stats sort them out.
(index=b sourcetype=stb empAddress=* empID=*) OR (index=a sourcetype=sta employeeID=*) | eval empID=if(isnotnull(employeeID),employeeID,empID) | stats values(empAddress) by empID
2) If the search above seems too slow (because it gets many events off disk), then just run it once, or maybe once a day/week, to put the employeeID to empAddress mapping in a file-based lookup.
Then you'll be able to run very efficient lookups to go from ID to address for your searches going forward.
Basic idea is the same as #1, except you tack something like | outputlookup employeeAddresses on the end.
Further reading about lookups:
1) http://docs.splunk.com/Documentation/Splunk/6.2.2/Search/Useexternalfieldlookups
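As an added, self-contained illustration of the stats-merge and lookup approach in the answer above (not part of the original post): the two makeresults branches stand in for index=b sourcetype=stb and index=a sourcetype=sta with constructed rows (the append is only there to build the sample data; against real indexes you would use the single OR search from the answer), coalesce does the same job as the if(isnotnull(...)) eval, and the lookup file name employeeAddresses.csv is an assumption.

```spl
| makeresults
| eval data="1001,12 Main St;1002,9 Oak Ave;1002,9 Oak Avenue"
| makemv delim=";" data
| mvexpand data
| rex field=data "^(?<empID>[^,]+),(?<empAddress>.+)$"
| eval sourcetype="stb"
| append
    [| makeresults
     | eval data="1001;1003;1001"
     | makemv delim=";" data
     | mvexpand data
     | rename data AS employeeID
     | eval sourcetype="sta"]
| fields - data _time
| eval empID=coalesce(employeeID, empID)
| stats values(empAddress) AS empAddress, count(eval(sourcetype="sta")) AS eventsInA BY empID
| outputlookup employeeAddresses.csv

| makeresults count=2
| streamstats count AS n
| eval employeeID=if(n=1, "1001", "1003")
| lookup employeeAddresses.csv empID AS employeeID OUTPUT empAddress
| table employeeID empAddress
```

The first search yields three rows: 1001 with one address and two events in A, 1002 with a multivalue empAddress (two spellings in B, none in A), and 1003 with an empty empAddress because it only appears in A, which is exactly the kind of missing-attribute case an inner join would silently drop; the second search shows the cheap per-event enrichment once the mapping lives in the lookup file.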
I propose that you use the map command.
index=a sourcetype=sta | stats count by employeeID | map search="search index=b sourcetype=stb empID=$employeeID$" | table empAddress
Take this as a template:
index=_internal sourcetype=* user=* | stats count by user sourcetype | map search="search index=_audit user=$user$" | table action
Perfect solution! But how could I use the $user$ token in a dashboard? A dashboard thinks it's an input while it is not.
$$user$$