Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to pipe the results of a search containing host names to a new search?

peterdawood
New Member
‎10-26-2015 12:31 PM

A noob here, but I have a need that I cannot seem to figure out.

Due to some internal politics that are slow in getting resolved, I cannot get them to create an index by server OS or by AD OU. I am trying to filter on Windows Servers. I need to understand how to take a search that returns host names and then pipe them to a search for, say an EventID. The search that I start with is 

(index=ucs) host=* (WLS_WMI MonitorName="OperatingSystem") Caption=*Server* | dedup host

Thanks in advance.

0 Karma
Reply

somesoni2
Revered Legend
‎10-26-2015 12:59 PM

Try something like this. Basically use the subsearch to get host names and use those host name as filter in main/base search

..your base search like index=ucs...  [search (index=ucs) host=* (WLS_WMI MonitorName="OperatingSystem") Caption=*Server* | dedup host | table host] ..other filters like EventID="Something"
0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎10-26-2015 12:50 PM

Hi peterdawood,

you can start with this search, where you add all additional fields to the base search:

(index=ucs) host=* (WLS_WMI MonitorName="OperatingSystem") Caption=*Server* EventID=* | deduce host

or you filter after the next | which will be not as efficient as the first search and you could also miss some events that does not contain host but contain EventID because the base search only searches for host:

(index=ucs) host=* (WLS_WMI MonitorName="OperatingSystem") Caption=*Server* | deduce host | search EventID=* | do more Splunk> Fu

And here is a freebie, read the slides and learn much about search efficiency: http://conf.splunk.com/session/2015/conf2015_JHarty_DuncanTurnbull_Splunk_UsingSplunkSearchLanguage_...

Hope this helps ...

cheers, MuS

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...