Splunk Search

How to pipe the results of a search containing host names to a new search?

peterdawood
New Member

A noob here, but I have a need that I cannot seem to figure out.

Due to some internal politics that are slow in getting resolved, I cannot get them to create an index by server OS or by AD OU. I am trying to filter on Windows Servers. I need to understand how to take a search that returns host names and then pipe them to a search for, say, an EventID. The search that I start with is

(index=ucs) host=* (WLS_WMI MonitorName="OperatingSystem") Caption=*Server* | dedup host

Thanks in advance.


somesoni2
Revered Legend

Try something like this. Basically, use a subsearch to get the host names and use those host names as a filter in the main/base search:

..your base search like index=ucs...  [search (index=ucs) host=* (WLS_WMI MonitorName="OperatingSystem") Caption=*Server* | dedup host | table host] ..other filters like EventID="Something"
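The pattern above, written out as an added example (not from the original post). The outer search looks for Windows events with a specific EventID across the whole index; the subsearch builds the list of hosts whose WMI OperatingSystem data says they run a Server edition and returns only the host field, so the subsearch expands into a `(host="..." OR host="...")` clause. The EventID value 4624 and the host names in the usage note are assumptions chosen for illustration; the index, keyword and field names are the ones from the question.

```spl
index=ucs EventID=4624
    [ search index=ucs WLS_WMI MonitorName="OperatingSystem" Caption=*Server*
      | stats count by host
      | fields host ]
| stats count by host, EventID
```

Two things to check before relying on it. First, the subsearch must return only the host field: with `| stats count by host` alone, the subsearch would expand to pairs like `( host="srv01" count="3" )`, and the outer search would then look for events carrying a count field and match nothing, which is why `| fields host` (or `| table host`, as in the answer) matters. You can see exactly what the outer search receives by running the subsearch body on its own with `| format` appended; it returns a single search field such as `( ( host="srv01" ) OR ( host="srv02" ) )`. Second, subsearches are bounded by the `[subsearch]` stanza in limits.conf (by default 10,000 results and 60 seconds); when a server list is larger than that, the generated host list is truncated and the outer search silently drops hosts, so for large fleets it is safer to write the host list to a lookup with `| outputlookup` on a schedule and use `[ | inputlookup server_hosts.csv | fields host ]` as the subsearch instead.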

MuS
Legend

Hi peterdawood,

you can start with this search, where you add all additional fields to the base search:

(index=ucs) host=* (WLS_WMI MonitorName="OperatingSystem") Caption=*Server* EventID=* | dedup host

or you filter after the next |, which will not be as efficient as the first search, and you could also miss some events that do not contain host but contain EventID, because the base search only searches for host:

(index=ucs) host=* (WLS_WMI MonitorName="OperatingSystem") Caption=*Server* | dedup host | search EventID=* | do more Splunk> Fu

And here is a freebie; read the slides and learn much about search efficiency: http://conf.splunk.com/session/2015/conf2015_JHarty_DuncanTurnbull_Splunk_UsingSplunkSearchLanguage_...

Hope this helps ...

cheers, MuS
