Splunk Search

How filter results from the outer search in join subsearches?

BradL
Path Finder

I'm trying to monitor a set of hosts that run a batch process, and I want to produce output that dynamically identifies the hosts according to filter key words, then join that list of hosts with subsearches that look for the specific events of interest. For example:

index=Idx filter1 filter2 | stats min(_time) as initial_time by host | convert ctime(first_time) | table host, first_time | join type=left host [ | search index=eng_etm [ index=Idx filter1 filter2 |  stats count by host | table host | return 2000 host ] starttag1 starttag2 | convert ctime(_time) as start_time | table host, start_time | sort 0 host | dedup host ] | join type=left host [| search index=Idx [ index=Idx filter1 filter2 |  stats count by host | table host | return 2000 host ] endtag1 endtag2 | table _time, host | stats min(_time) as end_time by host | convert ctime(end_time) ]

Returns something like this:

host   initial_time      start_time        end_time
1      8/1/16 00:00:00   8/2/16 00:01:00   8/2/16 00:01:21
2      8/1/16 00:00:00   8/2/16 00:01:00   
3      8/1/16 00:00:00      
4      8/1/16 00:00:00   8/2/16 00:01:00   8/2/16 00:01:21

This is actually the output I want, but I don't like having to constantly restate the subsearch in each join statement. Is there a simpler way to write this search to allow the subsearch to get the host list from the outer search?

0 Karma
1 Solution

MuS
SplunkTrust
SplunkTrust

Hi BradL,

No, since a sub search is run before the main search there is no way for a sub search to get information back from a main search.

Maybe you should look at this answer https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo... to get an idea how it can be done without sub search and its limits or the March session of 2016 virtual .conf here http://wiki.splunk.com/Virtual_.conf

cheers, MuS

View solution in original post

MuS
SplunkTrust
SplunkTrust

Hi BradL,

No, since a sub search is run before the main search there is no way for a sub search to get information back from a main search.

Maybe you should look at this answer https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo... to get an idea how it can be done without sub search and its limits or the March session of 2016 virtual .conf here http://wiki.splunk.com/Virtual_.conf

cheers, MuS

BradL
Path Finder

P.S> I worked around this by running the outer query into "outputlookup" creating a temporary file and then reusing the result that way. not nearly as clean or friendly as a single search, but functional.

0 Karma

Runals
Motivator

You could throw it in a macro so that you wouldn't have to retype it over and over. That way at least in your mind you aren't repeating the same subquery(ies) 😃

0 Karma

BradL
Path Finder

@MuS. Ok, thanks

0 Karma

MuS
SplunkTrust
SplunkTrust

@BradL , I converted it to an answer - feel free to accept it if your question was answered - thanks 🙂

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...