Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use subsearch results as values in a different field of parent search?

frbuser
Path Finder
‎08-14-2019 07:41 AM

Hello,

I am working with Windows event logs in Splunk. Specifically, process execution (EventCode 4688) logs.

I have a subsearch looking for specific events and I am trying to return the New_Process_IDs of those results and use it as the Creator_Process_IDs of the parent search.

Subsearch

index=windows_event_logs Creator_Process_Name="C:\\Program Files\\Microsoft Office\\Office16\\OUTLOOK.EXE" | return $New_Process_ID

Parent Search

index=windows_event_logs Creator_Process_ID=$New_Process_ID

How do you return a list of values from a subsearch and use it as criteria for a different field in the parent search?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

traxxasbreaker
Communicator
‎08-14-2019 07:56 AM

An easy way is to rename the field within the subsearch to match what's in your parent search, similar to this:
index=windows_event_logs [search index=windows_event_logs Creator_Process_Name="C:\\ProgramFiles\\Microsoft Office\\Office16\\OUTLOOK.EXE" | rename New_Process_ID AS Creator_Process_ID | fields Creator_Process_ID]

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

traxxasbreaker
Communicator
‎08-14-2019 07:56 AM

An easy way is to rename the field within the subsearch to match what's in your parent search, similar to this:
index=windows_event_logs [search index=windows_event_logs Creator_Process_Name="C:\\ProgramFiles\\Microsoft Office\\Office16\\OUTLOOK.EXE" | rename New_Process_ID AS Creator_Process_ID | fields Creator_Process_ID]

0 Karma
Reply
Solved! Jump to solution

frbuser
Path Finder
‎08-14-2019 08:00 AM

Creator_Process_ID exists as a field already in both searches.

0 Karma
Reply
Solved! Jump to solution

traxxasbreaker
Communicator
‎08-14-2019 08:06 AM

Makes sense, just rename within your subsearch to override the existing value of Creator_Process_ID with the field you want to match up to the parent search's Creator_Process_ID instead. This way it will match up with the values in the parent search.

For a more general example, let's say you wanted to use values of field foo in your child search as criteria for filtering field bar in your parent search. You would need to rename foo in your subsearch to bar so it would match up to the field bar in your parent search.

0 Karma
Reply
Solved! Jump to solution

frbuser
Path Finder
‎08-14-2019 08:29 AM

Seems like this worked. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...