Splunk Search

How do we invoke a sub search with parameters from the parent search?

danielbb
Motivator

We have a parent search that looks like -

index=os_linux * 
| eval length = len(process) 
| where length = 7 
| search process!= <conditions>
| dedup process dest 
| table process dest cmd_syslog2 _raw

Instead of the table we would like to issue a sub search and pass in the dest and process as parameters.

The sub-search is -

index=os_linux 
| eval length = len(process) 
| where length = 7 
| search dest=<dest> process=<process> 
| dedup _raw 
| table process dest _time cmd_syslog2 _raw 
| sort +_time

I hope it makes sense ...


danielbb
Motivator

Hi @richgalloway,

The following works for us -

index=os_linux 
   [ search index=os_linux | eval length = len(process) | where length = 7 | fields dest, process | rename dest as search |  format ]
 | dedup _raw
 | sort + _time
 | table process dest _time cmd_syslog2 _raw

By adding `| rename dest as search`, the generated subsearch is in pairs of process and dest; otherwise it generated only the process field, which was causing more results.


richgalloway
SplunkTrust

I think we have a terminology problem. A "subsearch" is a search within a search. Subsearches always execute first so it's not possible to pass anything from the parent to a subsearch. You can, however, pass data from subsearch to parent. Let's turn your query around and see if it does what you want.

index=os_linux 
  [ search index=os_linux | eval length = len(process) | where length = 7 | fields dest, process | format ]
| dedup _raw
| sort + _time
| table process dest _time cmd_syslog2 _raw

The subsearch returns a string like ((dest=foo process=barbarb) OR (dest=abc process=xyzzyzx)), which is then processed in the parent search and should produce the desired results.

I'm not entirely certain the subsearch is needed. Have you tried the simple version of the search?

index=os_linux 
| eval length = len(process) 
| where length = 7 
| dedup _raw 
| sort + _time
| table process dest _time cmd_syslog2 _raw 
---
If this reply helps you, Karma would be appreciated.

danielbb
Motivator

@richgalloway, it seems the subsearch hits some limitations. If that's the case, where would they be reported? I don't see them via the Inspect Job...


richgalloway
SplunkTrust

Yes, subsearches are limited to 50,000 events. There are settings in limits.conf to change them, but usually it's better to refine the search. You can try dedup to reduce the number of events returned from the subsearch.
Have you tried the second search I offered?

---
If this reply helps you, Karma would be appreciated.
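The exchange above turns on three things: the subsearch runs first and `format` turns its rows into a search string that the parent then evaluates; a field renamed to `search` is substituted as a bare term rather than `field="value"`; and the subsearch result cap truncates what the parent receives without changing the parent's own output. The following is an added Python model of that flow, not code from this thread or from Splunk. The events are constructed sample data standing in for `index=os_linux`, the `maxout` default is an assumed stand-in for whatever `limits.conf [subsearch] maxout` is on a given search head, and bare-term matching is approximated as a substring test across every field of an event.

```python
"""Model of how a Splunk subsearch feeds its parent search.

Added example, not code from this thread or from Splunk. It emulates three
points made above: the subsearch runs first and `format` renders its rows into
a search string; a field renamed to `search` is rendered as a bare term rather
than field="value"; and the subsearch result cap (limits.conf [subsearch]
maxout) silently truncates what the parent receives. EVENTS is constructed
sample data standing in for index=os_linux, and bare-term matching is
approximated as a substring test across all fields of an event.
"""

BARE_FIELDS = ("search", "query")  # format emits these field values as bare terms

# Constructed sample events. The last one duplicates the one before it so that
# `dedup _raw` in the parent has something to remove.
EVENTS = [
    {"dest": "host-a", "process": "crond01", "_time": 1, "_raw": "host-a crond01 started job"},
    {"dest": "host-a", "process": "sshd",    "_time": 2, "_raw": "host-a sshd accepted publickey"},
    {"dest": "host-b", "process": "crond01", "_time": 3, "_raw": "host-b crond01 started job"},
    {"dest": "host-a", "process": "crond01", "_time": 4, "_raw": "host-a crond01 finished job"},
    {"dest": "host-c", "process": "rsyslog", "_time": 5, "_raw": "host-c rsyslog restarted"},
    {"dest": "host-d", "process": "rsyslog", "_time": 6, "_raw": "host-d rsyslog forwarding to host-c"},
    {"dest": "host-d", "process": "rsyslog", "_time": 6, "_raw": "host-d rsyslog forwarding to host-c"},
]


def subsearch(events, fields, rename=None, maxout=10000):
    """Emulates: | eval length=len(process) | where length=7 | fields <fields>
    | rename <src> as <dst> | dedup <fields> | format.

    Returns (rows, truncated). `maxout` stands in for limits.conf [subsearch]
    maxout; the default used here is an assumption, read the real value from
    your search head. Rows beyond the cap are dropped, which is the silent
    loss the thread asks about."""
    src, dst = rename if rename else (None, None)
    rows, seen = [], set()
    for ev in events:
        if len(ev.get("process", "")) != 7:
            continue
        row = {(dst if f == src else f): ev[f] for f in fields}
        key = tuple(row.items())
        if key in seen:          # dedup, as suggested to shrink the subsearch
            continue
        seen.add(key)
        rows.append(row)
    return rows[:maxout], len(rows) > maxout


def format_rows(rows):
    """Render rows with format's default template:
    ( ( f1="v1" AND f2="v2" ) OR ( ... ) ).
    A field named search/query is emitted as a bare quoted term."""
    clauses = []
    for row in rows:
        terms = []
        for field, value in row.items():
            quoted = '"' + str(value).replace('"', '\\"') + '"'
            terms.append(quoted if field in BARE_FIELDS else f"{field}={quoted}")
        clauses.append("( " + " AND ".join(terms) + " )")
    return "( " + " OR ".join(clauses) + " )"


def _term_matches(event, field, value):
    """Field term: exact match on that field. Bare term: the value only has to
    occur somewhere in the event, so it is looser than a field match."""
    if field not in BARE_FIELDS:
        return event.get(field) == value
    return any(value in str(v) for v in event.values())


def run_parent(events, rows):
    """Emulates: index=os_linux [ <formatted rows> ] | dedup _raw | sort +_time."""
    kept = {}
    for ev in events:
        if any(all(_term_matches(ev, f, v) for f, v in row.items()) for row in rows):
            kept.setdefault(ev["_raw"], ev)
    return sorted(kept.values(), key=lambda e: e["_time"])


def run_simple(events):
    """The subsearch-free version: | eval length=len(process) | where length=7
    | dedup _raw | sort +_time."""
    kept = {}
    for ev in events:
        if len(ev.get("process", "")) == 7:
            kept.setdefault(ev["_raw"], ev)
    return sorted(kept.values(), key=lambda e: e["_time"])


if __name__ == "__main__":
    rows, truncated = subsearch(EVENTS, ["dest", "process"])
    print(format_rows(rows), "truncated:", truncated)
    print([e["_time"] for e in run_parent(EVENTS, rows)])
    rows, truncated = subsearch(EVENTS, ["dest", "process"], rename=("dest", "search"), maxout=3)
    print(format_rows(rows), "truncated:", truncated)
    print([e["_time"] for e in run_parent(EVENTS, rows)])
```

Two things worth noticing when running it. With no cap, the subsearch version returns exactly what `run_simple` returns, because the subsearch only restates the parent's own `where length = 7` condition; that is the point behind asking whether the subsearch is needed at all. With `maxout=3` the fourth (dest, process) pair is dropped and the parent quietly loses the `host-d` event, while the `rename dest as search` variant still returns it, but only because the string `host-c` happens to appear in that event's `_raw`: a bare term is matched against the whole event, not just `dest`, so it is a broader filter than `dest="host-c"`. The `truncated` flag is the model's substitute for checking the search log after a subsearch hits its limit.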

danielbb
Motivator

Great, but if we hit the limit, where is it being reported?


richgalloway
SplunkTrust

It should be in the search log.

---
If this reply helps you, Karma would be appreciated.