Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use search results to drive secondary search?

lennys26
Communicator
‎01-19-2017 01:56 PM

Below is a log set example:

[Jan 19 09:35:00.00] VERBOSE[11111]: foo, foo, "x-cid: AAAAA")
[Jan 19 09:35:10.00] VERBOSE[22222]: foo, foo, "x-cid: AAAAA")
[Jan 19 09:35:20.00] VERBOSE[11111]: bar, bar, "some text")
[Jan 19 09:35:30.00] VERBOSE[22222]: bar, bar, "some different text")

I have REGEX'd the following fields:
- x-cid: AAAAA
- PID: 11111
- PID: 22222

Using the above log set example, I want to search for AAAAA and return all 4 log events.
Effectively, the query will first search for AAAAA, capture the PIDs, then do a sub search for the PIDs (both) and return the full results.

I have been playing with append, appendpipe, join... but can't figure out the subsearch.

Thanks in advance for the guidance.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-19-2017 02:47 PM

Assuming the field extraction for x-cid (with field name as x_cid) and PID is saved in conf files, try like this

index=foo sourcetype=bar [search index=foo sourcetype=bar x_cid="AAAAA" | stats count by PID | table PID ] | rest of the search

Basically the subsearch get the PIDs which correspond to x_cid="AAAAA", and includes a dynamic giant OR condition to filter events. In your example above, the subsearch should return 11111 and 22222 and your normalized search would be like this

index=foo sourcetype=bar ((PID=11111) OR (PID=22222))

And it should fetch all the records that you want.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-19-2017 02:47 PM

Assuming the field extraction for x-cid (with field name as x_cid) and PID is saved in conf files, try like this

index=foo sourcetype=bar [search index=foo sourcetype=bar x_cid="AAAAA" | stats count by PID | table PID ] | rest of the search

Basically the subsearch get the PIDs which correspond to x_cid="AAAAA", and includes a dynamic giant OR condition to filter events. In your example above, the subsearch should return 11111 and 22222 and your normalized search would be like this

index=foo sourcetype=bar ((PID=11111) OR (PID=22222))

And it should fetch all the records that you want.

0 Karma
Reply
Solved! Jump to solution

lennys26
Communicator
‎01-20-2017 01:07 PM

@somesoni2 - Thanks. Subsearching has always been a struggle for me, but that fixed it.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...