Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to concat all rows in a single field able and use the result in another "search port IN"

vsasdao
Explorer
‎01-22-2021 04:11 AM

In my Search 1, it will list all unique port numbers associated with a certain IP address, i.e. 1.2.3.4

"MYTOKEN is: fcd4e600-eda2-4ee0-a3b3-093562f49c2e" | rex "1.2.3.4:(?<ipport>.*?) " | dedup ipport | table ipport | table ipport



And then I'd like to concatenate those ports into one long string delimitated with "," that is, "57432, 57453,57198" and finally this concatenated string will be used in another search, i.e 

"https_client-init <HTTP_REQUEST>: " | rex "2.3.4.5:(?<port>.*?) " | search port IN([search "MYTOKEN is: fcd4e600-eda2-4ee0-a3b3-093562f49c2e" | rex "1.2.3.4:(?<ipport>.*?) " | dedup ipport | table ipport | table ipport])

 

It will be really appreciated if someone could shed the light of how it can be solved. thanks in advance!

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎01-22-2021 04:22 AM

Hi @vsasdao,

Please try below query;

"https_client-init <HTTP_REQUEST>: " | rex "2.3.4.5:(?<port>.*?) " | search  [search "MYTOKEN is: fcd4e600-eda2-4ee0-a3b3-093562f49c2e" | rex "1.2.3.4:(?<port>.*?) " | dedup port | fields port]

 

If this reply helps you an upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

Reply
Solved! Jump to solution

vsasdao
Explorer
‎01-22-2021 09:16 AM

it works well. Can you explain a bit how you've fixed it?

0 Karma
Reply
Solved! Jump to solution

scelikok
SplunkTrust
SplunkTrust
‎01-23-2021 05:23 AM

Great!

Subsearches formats the results into a single linear search string. You can this string by running the subsearch by adding "| format" command at the end. I changed field name to port to create suitable search string from subsearch.

You can find more detail in below doc.

https://docs.splunk.com/Documentation/SplunkCloud/8.1.2011/Search/Changetheformatofsubsearchresults

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎01-22-2021 04:22 AM

Hi @vsasdao,

Please try below query;

"https_client-init <HTTP_REQUEST>: " | rex "2.3.4.5:(?<port>.*?) " | search  [search "MYTOKEN is: fcd4e600-eda2-4ee0-a3b3-093562f49c2e" | rex "1.2.3.4:(?<port>.*?) " | dedup port | fields port]

 

If this reply helps you an upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top