Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use search results to drive secondary search?

lennys26
Communicator
‎01-19-2017 01:56 PM

Below is a log set example:

[Jan 19 09:35:00.00] VERBOSE[11111]: foo, foo, "x-cid: AAAAA")
[Jan 19 09:35:10.00] VERBOSE[22222]: foo, foo, "x-cid: AAAAA")
[Jan 19 09:35:20.00] VERBOSE[11111]: bar, bar, "some text")
[Jan 19 09:35:30.00] VERBOSE[22222]: bar, bar, "some different text")

I have REGEX'd the following fields:
- x-cid: AAAAA
- PID: 11111
- PID: 22222

Using the above log set example, I want to search for AAAAA and return all 4 log events.
Effectively, the query will first search for AAAAA, capture the PIDs, then do a sub search for the PIDs (both) and return the full results.

I have been playing with append, appendpipe, join... but can't figure out the subsearch.

Thanks in advance for the guidance.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
‎01-19-2017 02:47 PM

Assuming the field extraction for x-cid (with field name as x_cid) and PID is saved in conf files, try like this

index=foo sourcetype=bar [search index=foo sourcetype=bar x_cid="AAAAA" | stats count by PID | table PID ] | rest of the search

Basically the subsearch get the PIDs which correspond to x_cid="AAAAA", and includes a dynamic giant OR condition to filter events. In your example above, the subsearch should return 11111 and 22222 and your normalized search would be like this

index=foo sourcetype=bar ((PID=11111) OR (PID=22222))

And it should fetch all the records that you want.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
‎01-19-2017 02:47 PM

Assuming the field extraction for x-cid (with field name as x_cid) and PID is saved in conf files, try like this

index=foo sourcetype=bar [search index=foo sourcetype=bar x_cid="AAAAA" | stats count by PID | table PID ] | rest of the search

Basically the subsearch get the PIDs which correspond to x_cid="AAAAA", and includes a dynamic giant OR condition to filter events. In your example above, the subsearch should return 11111 and 22222 and your normalized search would be like this

index=foo sourcetype=bar ((PID=11111) OR (PID=22222))

And it should fetch all the records that you want.

0 Karma
Reply
Solved! Jump to solution

lennys26
Communicator
‎01-20-2017 01:07 PM

@somesoni2 - Thanks. Subsearching has always been a struggle for me, but that fixed it.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...

Starting With Observability: OpenTelemetry Best Practices

Tech Talk Starting With Observability: OpenTelemetry Best Practices Tuesday, October 17, 2023   |  11AM PST / ...