Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you create a subsearch for two correlated queries?

princeali
Engager
‎11-08-2018 05:56 AM

Query One: One that is exclusive of Server4 in Index1 based of the hosts in Index2. I.e. based on the Index2 hosts, I run a query on Index1 and only show the same hosts, Server1–Server3.

Query Two: This one is exclusive of any hosts that are in Index2 when we run a search in Index1. I.e. based on the Index2 hosts I run a query on Index1 and it only shows the host Server4.

P.S. - This is an enterprise class system and the hostnames columns are a moving target and also the hostnames are different fieldnames

Index1
-Server1
-Server2
-Server3
-Server4

Index2
-Server1
-Server2
-Server3

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-09-2018 12:30 AM

Hi princeali,
let me know:

  • do you have events in Index1 from server 1-server4 and events in index2 from server 1-server3 ?
  • do you want to search events in index1 where server 1-server4 come from another search and to search events in index2 where server 1-server3 come from another different search?

In first case it's easy:

(index=index1 host=server 1 OR host=server2 OR host=server3 OR host=server4) OR (index=index2 host=server 1 OR host=server2 OR host=server3)

In the second case:

(index=index1 [ search another_search1 host=server 1 OR host=server2 OR host=server3 OR host=server4 | dedup host | fields host]) OR (index=index2 [ search another_search2 host=server 1 OR host=server2 OR host=server3 | dedup host | fields host])

You have to use the second one if you want to search in index1 and index2 only the hosts that you find in another search, if you want to search hosts in the same index you don't need a subsearch and you can use the first.

In addition, remember that there's a limit of 50,000 to subsearch results.

Bye.
Giuseppe

View solution in original post

Reply
Solved! Jump to solution

mstjohn_splunk
Splunk Employee
Splunk Employee
‎11-12-2018 12:32 PM

hi @princeali

Did the answer below solve your problem? If so, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-09-2018 12:30 AM

Hi princeali,
let me know:

  • do you have events in Index1 from server 1-server4 and events in index2 from server 1-server3 ?
  • do you want to search events in index1 where server 1-server4 come from another search and to search events in index2 where server 1-server3 come from another different search?

In first case it's easy:

(index=index1 host=server 1 OR host=server2 OR host=server3 OR host=server4) OR (index=index2 host=server 1 OR host=server2 OR host=server3)

In the second case:

(index=index1 [ search another_search1 host=server 1 OR host=server2 OR host=server3 OR host=server4 | dedup host | fields host]) OR (index=index2 [ search another_search2 host=server 1 OR host=server2 OR host=server3 | dedup host | fields host])

You have to use the second one if you want to search in index1 and index2 only the hosts that you find in another search, if you want to search hosts in the same index you don't need a subsearch and you can use the first.

In addition, remember that there's a limit of 50,000 to subsearch results.

Bye.
Giuseppe

Reply
Solved! Jump to solution

kmaron
Motivator
‎11-08-2018 12:09 PM

could you share the two queries?

0 Karma
Reply
Solved! Jump to solution

princeali
Engager
‎11-08-2018 01:38 PM

I'm seeking assistance with writing the 2 queries

0 Karma
Reply
Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...