Splunk Search

How to define multiple search or subsearch to merge all relevant information about alerts?

gszabo
Explorer

Hello,

Help me please. I'd like to define multiple search or subsearch to merge all relevant information about alerts.

Interesting fields in the search are the hosts - as the managed_host field - and a unique alert number.

I do not need alerts about all the hosts, so I sort out the relevant ones:

index=main ( managed_host="host_A" OR managed_host="host_B" OR managed_host="host_C" ) | dedup alert_num |  eval alert=alert_num

That's simple; it will show the relevant alert numbers. After that I need to simply search the selected alerts to get ALL the logs (some of them don't contain the managed_host field, so they will not appear in the first search).

index=main alert_num=$alert$

How could these two searches be merged into one to generate an alert that will contain all relevant information?

Thanks,

Gabor


ITWhisperer
SplunkTrust
SplunkTrust

Try something like this

index=main [search index=main ( managed_host="host_A" OR managed_host="host_B" OR managed_host="host_C" ) | dedup alert_num | fields alert_num | format]

gszabo
Explorer

Thanks for the reply.

Almost good. The subsearch returns the relevant alert numbers, that's okay.

alert_num search result, row 1:

( ( alert_num="484316" ) OR ( alert_num="484263" ) OR ( alert_num="484243" ) )


But the whole query does not show all the relevant logs with the selected alert numbers, just the ones that contain the managed_host field.


ITWhisperer
SplunkTrust
SplunkTrust

The subsearch is just returning alert numbers not managed_host values so the outer search should be searching the whole index for events with these alert_num values.

Has the alert_num field been extracted on the non-managed_hosts?

Can you pick a returned alert number and try just searching your main index with that value to see what you get?


gszabo
Explorer

Yes, that's the problem... some lines have the number extracted as alert_num, some have not. That's why it could not find all of them in the whole search.

The alert_num string is the same, so if it is possible I have to use two different extraction regexes for that field, or take that number as a simple string to use it in the outer search.


ITWhisperer
SplunkTrust
SplunkTrust

Try this

index=main [search index=main ( managed_host="host_A" OR managed_host="host_B" OR managed_host="host_C" ) | dedup alert_num | fields alert_num | rename alert_num as query | format]
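To see why renaming the subsearch field to `query` matters, here is an added Python simulation (not Splunk code and not from the thread) of the two `format` outputs over a few constructed events, some with alert_num extracted and some where the number only exists as free text; the bare-term matching over `_raw` and the exact text `format` emits are approximations of Splunk's behaviour.

```python
import re

# Constructed sample events (not from the thread): the first three have
# managed_host and alert_num extracted as fields, the rest are unstructured
# lines where the alert number only exists as free text in _raw.
EVENTS = [
    {"_raw": "managed_host=host_A alert_num=484316 start", "managed_host": "host_A", "alert_num": "484316"},
    {"_raw": "managed_host=host_B alert_num=484263 start", "managed_host": "host_B", "alert_num": "484263"},
    {"_raw": "managed_host=host_Z alert_num=999999 start", "managed_host": "host_Z", "alert_num": "999999"},
    {"_raw": "alert 484316 cleared, traffic back to baseline"},
    {"_raw": "alert 484263 escalated by operator"},
    {"_raw": "alert 999999 cleared"},
]
WANTED_HOSTS = {"host_A", "host_B", "host_C"}

def subsearch_alert_nums(events):
    """The inner search: filter on managed_host, dedup alert_num, keep alert_num."""
    seen = []
    for e in events:
        if e.get("managed_host") in WANTED_HOSTS and e.get("alert_num") not in seen:
            seen.append(e["alert_num"])
    return seen

def format_clause(values, field):
    """Approximate `| format`: with a real field name it emits field="value"
    terms; with the field renamed to `query` (field=None) it emits bare terms."""
    if field is None:
        terms = [f"( {v} )" for v in values]
    else:
        terms = [f'( {field}="{v}" )' for v in values]
    return "( " + " OR ".join(terms) + " )"

def outer_search(events, values, field):
    """A field=value term only matches events where that field was extracted;
    a bare term is matched against the raw event text (simplified here to a
    whole-word regex over _raw, standing in for Splunk's indexed-term lookup)."""
    hits = []
    for e in events:
        if field is None:
            if any(re.search(rf"\b{re.escape(v)}\b", e["_raw"]) for v in values):
                hits.append(e["_raw"])
        elif e.get(field) in values:
            hits.append(e["_raw"])
    return hits

if __name__ == "__main__":
    nums = subsearch_alert_nums(EVENTS)
    print(format_clause(nums, "alert_num"), len(outer_search(EVENTS, nums, "alert_num")))
    print(format_clause(nums, None), len(outer_search(EVENTS, nums, None)))
```

Run as is, the field form finds only the two structured events, while the bare-term form also picks up the two unstructured lines carrying the same numbers.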

gszabo
Explorer

Yes, that works now. Arbor logs without any structure... I love it.

Thank you very much!
