
How does subsearch work?

AHEARNJ
Explorer

Is it possible to create a new search based off of the results of a previous search? In my example below, I use a regex to extract a new column with all my user names, which are extracted into User.

index="source1" source="event-source" | rex field=_raw "(?:string1=\")(?<User>.*)(?:user account\")"

My goal would be to then create a new search of each user in another source

[Pseudo example] index="source1" source="user-source" | search User=<user from the first search> | table Id, name, phone, etc.
1 Solution

DalJeanis
Legend

It looks something like this ...

  index="source1" source="user-source"
       [ search index="source1" source="event-source"
         | rex field=_raw "(?:string1=\")(?<User>.*)(?:user account\")"
         | table User
       ]
  | table Id, name, phone, etc.

To see why this works, you should look at the format command. It takes all the events from the search and puts them into a field called search in this format:

  ( ( User="firstUserValue" ) OR ( User="secondUserValue" ) OR ... )

To see what that looks like, run this...

   index="source1" source="event-source"
   | rex field=_raw "(?:string1=\")(?<User>.*)(?:user account\")"
   | table User
   | format

...and then just remember that anything in square brackets is run first and returned that way. If at the end of the square brackets there is only a field named search, then it is returned as-is. If not, then the format command is implicitly run to convert the records to a single return field named search.

(There are also a couple of other possibilities, like using the return verb, but those are what matter for your question here.)

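To make the two rules in the accepted answer concrete (the subsearch's rows are rendered by format as ( ( User="a" ) OR ( User="b" ) ), and a subsearch that yields only a field named search is spliced in as-is), here is a small Python emulation of that pipeline. This is an added example, not code from the page or from Splunk: the sample events, their string1="... user account" layout, the backslash-escaping of embedded quotes, the dedup step and the 10,000-row cap (Splunk's default subsearch maxout) are all assumptions made here to illustrate the mechanism. Note also that Splunk's rex uses PCRE named groups (?<User>...), which Python spells (?P<User>...).

```python
"""Emulate what Splunk does with a subsearch's rows: extract the field with the
page's rex pattern, then render the rows the way the format command does so they
can be spliced into the outer search. Added example, not Splunk code."""
import re
from typing import Dict, List

# Constructed sample events standing in for the _raw text of
# index="source1" source="event-source" (the field layout is assumed).
SAMPLE_EVENTS = [
    '2024-01-01T10:00:00Z host=app1 string1="alice user account" action=login',
    '2024-01-01T10:05:00Z host=app1 string1="bob user account" action=login',
    '2024-01-01T10:07:00Z host=app2 msg="heartbeat"',
    '2024-01-01T10:09:00Z host=app1 string1="alice user account" action=logout',
    '2024-01-01T10:11:00Z host=app1 string1="o"brien user account" action=login',
]

# The page's rex pattern with Python's named-group syntax; the outer groups are
# non-capturing, which is what (:? in the original was evidently meant to be.
USER_RE = re.compile(r'(?:string1=")(?P<User>.*)(?:user account")')


def extract_users(events: List[str]) -> List[Dict[str, str]]:
    """Equivalent of `| rex field=_raw ... | table User`: one row per matching event.
    The page's pattern also captures the space before "user account"; it is
    trimmed here (my addition) so the value is a clean user name."""
    rows = []
    for raw in events:
        match = USER_RE.search(raw)
        if match:
            rows.append({"User": match.group("User").rstrip()})
    return rows


def escape_value(value: str) -> str:
    """Backslash-escape \\ and " so a value taken from log data cannot terminate
    the quoted literal early in the generated search text (escaping rule assumed)."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def format_rows(rows: List[Dict[str, str]]) -> str:
    """Render rows like format's defaults: ( ( f="v" AND g="w" ) OR ( ... ) ).
    Rows consisting solely of a field named `search` are passed through as-is,
    the second rule the accepted answer describes (how several such rows combine
    is an assumption here; Splunk's handling of an empty subsearch is not emulated)."""
    if not rows:
        return ""
    if all(set(row) == {"search"} for row in rows):
        if len(rows) == 1:
            return rows[0]["search"]
        return "( " + " OR ".join(f"( {row['search']} )" for row in rows) + " )"
    clauses = []
    for row in rows:
        terms = [f'{field}="{escape_value(value)}"' for field, value in row.items()]
        clauses.append("( " + " AND ".join(terms) + " )")
    return "( " + " OR ".join(clauses) + " )"


def dedup_rows(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Drop repeated rows, keeping first occurrence (like `| dedup User`, my addition),
    so a user seen in many events yields one OR term rather than one per event."""
    seen, unique = set(), []
    for row in rows:
        key = tuple(sorted(row.items()))
        if key not in seen:
            seen.add(key)
            unique.append(row)
    return unique


def build_outer_search(events: List[str], maxout: int = 10000) -> str:
    """Assemble the outer search the way Splunk would after running the subsearch.
    Rows beyond `maxout` are dropped, mirroring the default subsearch result cap."""
    rows = dedup_rows(extract_users(events))[:maxout]
    return f'index="source1" source="user-source" {format_rows(rows)} | table Id, name, phone'


if __name__ == "__main__":
    print(format_rows(extract_users(SAMPLE_EVENTS)))
    print(build_outer_search(SAMPLE_EVENTS))
```

Two things the emulation makes visible that the SPL alone does not: the subsearch result is text spliced into the outer search, so a user name containing a quote must be escaped or it breaks the generated expression; and everything past the result cap is silently absent from the outer search, which is why a subsearch over a large user population should be checked against that limit (or replaced by a join or lookup).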


AHEARNJ
Explorer

Thanks for such a detailed response. I really appreciate the explanation.

woodcock
Esteemed Legend

What he said.


woodcock
Esteemed Legend

Yes, this is very common. You do it with a subsearch:
http://docs.splunk.com/Documentation/SplunkCloud/latest/Search/Aboutsubsearches
