
How do you create a subsearch for two correlated queries?

princeali
Engager

Query One: One that is exclusive of Server4 in Index1 based on the hosts in Index2. I.e. based on the Index2 hosts, I run a query on Index1 and only show the same hosts, Server1–Server3.

Query Two: This one is exclusive of any hosts that are in Index2 when we run a search in Index1. I.e. based on the Index2 hosts, I run a query on Index1 and it only shows the host Server4.

P.S. - This is an enterprise-class system; the hostname columns are a moving target, and the hostnames also live in different field names.

Index1
-Server1
-Server2
-Server3
-Server4

Index2
-Server1
-Server2
-Server3

0 Karma
1 Solution

gcusello
SplunkTrust

Hi princeali,
let me know:

  • do you have events in Index1 from server1-server4 and events in index2 from server1-server3?
  • do you want to search events in index1 where server1-server4 come from another search, and to search events in index2 where server1-server3 come from another, different search?

In the first case it's easy:

(index=index1 host=server1 OR host=server2 OR host=server3 OR host=server4) OR (index=index2 host=server1 OR host=server2 OR host=server3)

In the second case:

(index=index1 [ search another_search1 host=server1 OR host=server2 OR host=server3 OR host=server4 | dedup host | fields host]) OR (index=index2 [ search another_search2 host=server1 OR host=server2 OR host=server3 | dedup host | fields host])

You have to use the second one if you want to search in index1 and index2 only the hosts that you find in another search. If you want to search hosts in the same index, you don't need a subsearch and you can use the first.

In addition, remember that there's a limit of 50,000 to subsearch results.

Bye.
Giuseppe
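The two searches the question asks for, built on the subsearch pattern in the answer above, as an added example that is not from the original thread: it assumes index1 carries the server name in the default host field and index2 in a hypothetical src_host field (the "different field names" the question mentions), so the subsearch renames its field before returning it. The searches are run separately: the first returns the hosts present in both indexes (Server1-Server3), the second the hosts present in index1 only (Server4), and the third gets the same exclusion result with stats instead of a subsearch, which is the safer route when the index2 host list could exceed the subsearch result cap; the same pattern answers "which assets log to one source but not the other" when checking telemetry coverage.

```spl
index=index1
    [ search index=index2 src_host=*
      | dedup src_host
      | rename src_host AS host
      | fields host ]
| stats count BY host

index=index1 NOT
    [ search index=index2 src_host=*
      | dedup src_host
      | rename src_host AS host
      | fields host ]
| stats count BY host

(index=index1) OR (index=index2)
| eval server=if(index=="index1", host, src_host)
| stats dc(index) AS idx_count values(index) AS seen_in BY server
| where idx_count==1 AND seen_in=="index1"
```

A subsearch ending in fields host expands into (host="Server1") OR (host="Server2") ..., so the field name it returns must match the field name used in the outer index, which is what the rename guarantees. Changing the final where clause of the third search to idx_count==2 turns it into the intersection without a subsearch.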


mstjohn_splunk
Splunk Employee

Hi @princeali

Did the answer below solve your problem? If so, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!

0 Karma


kmaron
Motivator

could you share the two queries?

0 Karma

princeali
Engager

I'm seeking assistance with writing the 2 queries

0 Karma