Splunk Search

How to add values from search to subsearch results?

Splunkey_
New Member

I am looking for some help with a search. Below is an alert that runs every hour. It looks for some stuff in an index called firewalls, then uses one of the columns from the results there to do a search on an index called proxy_logs, and then outputs a nice table with the data.

This all works great, but I also want that table, which is built from the proxy index, to include two fields from the first firewall index search. I haven't been able to find a way to carry info or a variable over to the second search. Any help would be appreciated:

index=firewalls action=accept (src=192.168.1.3 OR src=192.168.1.101) | map search="search index=proxy_logs $policy_name$ earliest=-10m http_response=200" | eval full_uri=uri_scheme."://".host."".uri_path.":".uri_port | table _time host category ip username full_uri <want value from firewalls index search here> <and here>

somesoni2
Revered Legend

Try something like this

index=firewalls action=accept (src=192.168.1.3 OR src=192.168.1.101) | table policy_name field1_to_show field2_to_show | map search="search index=proxy_logs $policy_name$ earliest=-10m http_response=200" | eval full_uri=uri_scheme."://".host."".uri_path.":".uri_port | eval field1_to_show="$field1_to_show$" | eval field2_to_show="$field2_to_show$" | table _time host category ip username full_uri field1_to_show field2_to_show

Splunkey_
New Member

Unfortunately that didn't work. While that adds the column header to the output table, that field remains empty.


somesoni2
Revered Legend

Do you get the field values populated if you run just this?

index=firewalls action=accept (src=192.168.1.3 OR src=192.168.1.101) | table policy_name field1_to_show field2_to_show 

Splunkey_
New Member

Yes sir, that works fine to show the three fields. But the remaining two fields that are not sent directly to the search are lost.


somesoni2
Revered Legend

Strange, I tested a similar query and it worked fine (try this run-anywhere sample):

| gentimes start=-1 | eval policy_name="text1" | eval field1_to_show=starthuman | eval field2_to_show=endhuman | table policy_name field1_to_show field2_to_show | map search="search index=_internal | head 1 | eval field1_to_show="$field1_to_show$" | eval field2_to_show="$field2_to_show$" | table _time host field1_to_show field2_to_show"

Would you mind providing the query that you're trying?

Splunkey_
New Member

That works perfectly, and looking at your statement further, it does what I need. I found that the issue was caused by an eval statement used to display results in the second index.
The "s in this statement were the issue. I removed this statement and replaced it with a field from the first index to solve my issue:
eval full_uri=cs_uri_scheme."://".cs_host."".cs_uri_path.":".cs_uri_port


jeffland
SplunkTrust

The map command doesn't work like that; the original search is "lost" in the process. But you have several options to add the required fields to your table, starting with the simplest, which would be appending something to your search:

index=firewalls action=accept (src=192.168.1.3 OR src=192.168.1.101) | map search="search index=proxy_logs $policy_name$ earliest=-10m http_response=200" | eval full_uri=uri_scheme."://".host."".uri_path.":".uri_port | table _time host category ip username full_uri | append [search index=firewalls search_for_values_you_want]

You can also append a search within your mapped search:

index=firewalls action=accept (src=192.168.1.3 OR src=192.168.1.101) | map search="search index=proxy_logs $policy_name$ earliest=-10m http_response=200 | append [search index=firewalls search_for_values_you_want]" | eval full_uri=uri_scheme."://".host."".uri_path.":".uri_port | table _time host category ip username full_uri some_more_fields

If you don't want to append, you could also use join (if the two sources have at least one common field).

Splunkey_
New Member

Unfortunately neither of those will get the results I need. The two indexes don't share any common fields, so I can't join on the two. The two values in the first index that go along with $policy_name$ are non-unique integers between 1-5, so there isn't any way to tie that specific $policy_name$ back to the values I want in an append search.

The search results from the first index would result in an event with "policy_name=unique_policy_name_bob ranking=1 score=3", and what is being passed to the map search is just policy_name. Those other two fields, ranking and score, are non-unique fields from that event that I want in the results table for that search.


jeffland
SplunkTrust

Well, then what would you expect to see in the two rows you want? Where should that info come from if it's not correlated to the results from your mapped search?


Splunkey_
New Member

The data from the first index can't be correlated; it would need to be carried over.
e.g., results from the first index would be policyA, fieldB, fieldC. PolicyA is the only field being searched on in index two, but for each result from index2 I want fieldB and fieldC from the first index.

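Putting the thread together, as an added example that is not from any of the posters: the full alert search with the carry-over evals placed inside the map search string (where $token$ substitution actually happens, quoted the same way as somesoni2's run-anywhere sample) and the uri concatenation kept in the outer search. The fields ranking and score are the names from the OP's description; maxsearches=50 is an assumed bound to adjust.

```spl
index=firewalls action=accept (src=192.168.1.3 OR src=192.168.1.101)
| table policy_name ranking score
| map maxsearches=50 search="search index=proxy_logs $policy_name$ earliest=-10m http_response=200
    | eval ranking="$ranking$", score="$score$"
    | table _time host category ip username uri_scheme uri_path uri_port ranking score"
| eval full_uri=uri_scheme."://".host.uri_path.":".uri_port
| table _time host category ip username full_uri ranking score
```

map substitutes the tokens as plain text into the inner search, so keep the table before it limited to the fields you intend to pass. map also stops after maxsearches result rows (the default is 10), so size it to the number of firewall rows the hourly alert can produce or the later policies are silently skipped.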