How to bring the deepest data in multiple subsearch

tehong
Explorer

Hi Splunk experts!!

Please tell me how to bring the deepest data up through multiple subsearches. Of course, if there is another way to do it than subsearch, we can use that method as well.

I understand that when using multiple subsearches, each subsearch is just passing field results to the top subsearch.
But can the data of any field in the first subsearch also be passed to the next subsearch? (same for the second to third subsearch)

I am thinking that this is difficult with subsearch because subsearch just passes fields in AND.

I believe it can be done with join or stats. But how should I do it?

index=cmdb sourcetype=crm host="fwd-splunk-fwd01a"
    LogicalName="new_contract"
    (Attributes.KeyValuePairOfstringanyType{}.new_item_name="DC_Connection" OR Attributes.KeyValuePairOfstringanyType{}.new_circuit.Name="*DC*") 
    [| search index=cmdb sourcetype=crm host="fwd-splunk-fwd01a"
        LogicalName="new_circuit"
        FormattedValues.KeyValuePairOfstringstring{}.statecode="active"
        FormattedValues.KeyValuePairOfstringstring{}.statuscode="active"
        FormattedValues.KeyValuePairOfstringstring{}.new_circuit_status="contracted" 
        [| search index=cmdb sourcetype=crm host="fwd-splunk-fwd01a"
            LogicalName="new_circuit_authority"
            FormattedValues.KeyValuePairOfstringstring{}.statecode="active"
            FormattedValues.KeyValuePairOfstringstring{}.statuscode="active"
            FormattedValues.KeyValuePairOfstringstring{}.new_trouble_mail_receive_flag="yes"
            FormattedValues.KeyValuePairOfstringstring{}.new_valid_flag="yes" 
            [| search index=cmdb sourcetype=crm host="fwd-splunk-fwd01a"
                LogicalName="new_contactpoint"
                FormattedValues.KeyValuePairOfstringstring{}.statecode="active"
                FormattedValues.KeyValuePairOfstringstring{}.statuscode="active" Attributes.KeyValuePairOfstringanyType{}.new_cp_code="CP30058460" 
            | fields Attributes.KeyValuePairOfstringanyType{}.new_contactpointid 
            | stats latest(*) AS * by Attributes.KeyValuePairOfstringanyType{}.new_contactpointid 
            | rename Attributes.KeyValuePairOfstringanyType{}.new_contactpointid AS Attributes.KeyValuePairOfstringanyType{}.new_contactpoint.Id 
            | format
                ] 
        | fields Attributes.KeyValuePairOfstringanyType{}.new_circuit.Name 
        | stats latest by Attributes.KeyValuePairOfstringanyType{}.new_circuit.Name 
        | rename Attributes.KeyValuePairOfstringanyType{}.new_circuit.Name AS Attributes.KeyValuePairOfstringanyType{}.new_circuit_code 
        | format
            ] 
    | stats latest by Attributes.KeyValuePairOfstringanyType{}.new_circuit_code 
    | fields Attributes.KeyValuePairOfstringanyType{}.new_circuit_code 
    | rename Attributes.KeyValuePairOfstringanyType{}.new_circuit_code AS Attributes.KeyValuePairOfstringanyType{}.new_circuit.Name
        ] 
| fields Attributes.KeyValuePairOfstringanyType{}.new_circuit.Id
| stats latest by Attributes.KeyValuePairOfstringanyType{}.new_circuit.Id


PickleRick
SplunkTrust

To be absolutely honest with you, whenever I see such nested subsearches I get the impression that someone was trying to "think SQL" and implement it in Splunk. It doesn't work this way (or at least not very efficiently).

So please tell us what you want to achieve (not how you're trying to do it), maybe we'll think of something better 🙂

And tell us what data you have (some examples, anonymized/obfuscated if need be, would be helpful).

EDIT: Oh, and don't use conditions like

Attributes.KeyValuePairOfstringanyType{}.new_circuit.Name="*DC*"

in your initial searches. Since they contain a wildcard at the beginning of the search term, Splunk will have to literally scan all events in the defined time range to find your matching events, since it cannot use its internal indexes to match them.


VatsalJagani
SplunkTrust

@tehong - I did not understand why it's stats latest by; generally, it's stats latest(<some field>) by.

So, I could not figure out exactly your goal.

But you can try using stats with an eval statement. - https://docs.splunk.com/Documentation/Splunk/latest/Search/Usestatswithevalexpressionsandfunctions

Based on the conditions you have added in all subsearches, I'm guessing evals with stats should solve your problem. You may need additional evals after the stats to calculate some of the fields.

But this is where I would start.

--------
I hope this helps!!!!

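As an added illustration of the stats-with-eval approach suggested above (this is not code from either answer or from the original question), the following collapses the two innermost subsearches of the question (new_contactpoint and new_circuit_authority) into one search and one stats. It assumes the field names exactly as they appear in the question's SPL, and that a contact point record carries its id in new_contactpointid while a circuit authority record references it in new_contactpoint.Id; the rename to attr_*/fv_* prefixes is only for readability.

```spl
index=cmdb sourcetype=crm host="fwd-splunk-fwd01a"
    (LogicalName="new_contactpoint" OR LogicalName="new_circuit_authority")
    FormattedValues.KeyValuePairOfstringstring{}.statecode="active"
    FormattedValues.KeyValuePairOfstringstring{}.statuscode="active"
| rename "Attributes.KeyValuePairOfstringanyType{}.*" AS "attr_*",
         "FormattedValues.KeyValuePairOfstringstring{}.*" AS "fv_*"
| eval cp_id=if(LogicalName="new_contactpoint",
                'attr_new_contactpointid',
                'attr_new_contactpoint.Id')
| where isnotnull(cp_id)
| stats latest(attr_new_cp_code) AS cp_code,
        count(eval(LogicalName="new_contactpoint")) AS n_contactpoint,
        values(eval(if(LogicalName="new_circuit_authority"
                       AND 'fv_new_trouble_mail_receive_flag'="yes"
                       AND 'fv_new_valid_flag'="yes",
                       'attr_new_circuit.Name', null()))) AS circuit_name
        by cp_id
| where n_contactpoint > 0 AND cp_code="CP30058460" AND isnotnull(circuit_name)
| mvexpand circuit_name
| table cp_id cp_code circuit_name
```

Both record types are read in a single pass and joined by stats on the shared key cp_id, so the contact point's own fields (cp_code) and the circuit names from its authorities end up on the same row; the resulting circuit_name column is what the next level (new_circuit, keyed on new_circuit_code) would be joined against with the same pattern instead of another nested subsearch.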