Solved: How to use subsearch - Splunk Community

Splunk Search

Hi,

please help me to use subsearch,

I have a main search query like

index=A host=B cs_method="GET" cst="XXX" | where isnull(ksid) and isnotnull(i_p) | stats c(_raw) by i_p

result of above query is
i_p c(_raw)
CD 3
CW2 1
DYLA 3
ABC12 7
XYZ31 34
jjjwwgga 39
ngrisoew 40
rtucw 43
Poeyt 15

meaning of the above output is, the above i_p s are not using secuirty check for some ids (each i_p is having their respective number of ids which is not using security check for example i_p of ABC12 for this i_p 7 IDs are not using security check)

I want to take the above i_p and check how many are using securitycheck and how many are not using security check

my output will be like

CD 3 123fgs No 2
1456mk No 1
674hjn Yes 1
453bcd Yes 1

CW2 1
DYLA 3
ABC12 7
XYZ31 34
jjjwwgga 39
ngrisoew 40
rtucw 43
Poeyt 15

means i-p of CD have total 5 sessiosons in that 3 sessions not used securitycheck and 2 used security check

I tired the below query but its not showing the output how i am expected

index=A host=B cs_method="GET" cst="XXX" [search index=A host=B cs_method="GET" cst="XXX" | where isnull(ksid) and isnotnull(i_p) | stats c(_raw) by i_p|table i_p] | eval Usingsecu=if(match(csq, "ksid"), "Yes", "No") | stats count(i_p) as PCount by i_p id Usingsecu |table i_p PCount s Usingsecu

I got output like

CD 2 123fgs No 2
CD 1 1456mk No 1
CD 1 674hjn Yes 1
CD 1 453bcd Yes 1

CW2 1
DYLA 3
ABC12 7
XYZ31 34
jjjwwgga 39
ngrisoew 40
rtucw 43
Poeyt 15

Pl can anyone help me in this

Thanks & Regards

1 Solution

Solution

Hi Patrick,

here is the query which I used

index=iis sourcetype=iis host=ABC cs_method="GET" cs_uri_stem="*mriweb.dll*" i_project!="sample" 
| where isnull(ksid) and isnotnull(i_p)  
| eval UsingSecu=if(match(csq, "ksid"), "Yes", "No")

Thanks

View solution in original post

Solution

Hi Patrick,

here is the query which I used

index=iis sourcetype=iis host=ABC cs_method="GET" cs_uri_stem="*mriweb.dll*" i_project!="sample" 
| where isnull(ksid) and isnotnull(i_p)  
| eval UsingSecu=if(match(csq, "ksid"), "Yes", "No")

Thanks

I'm also interested in the answer to this

markthompson, can you give me an example of the data you have and what you want to get out and I can try to answer your question?

Hi cchitten,
We have 2 different events, listed below;
name=com.**************** value=5
name=threshold.max.com*********** value=200

which are transactioned together, but using that we want to use a subsearch in order to get the threshold max out of that transactioned event and set into a field called Max.

Also, Its something completely new to me so would be useful if you know how for v6.0.5

So you want:

Threshold Value
- 5
Max 200

In that case I dont think you want to use subsearch. I think you want rex such as:

| rex field=_raw "threshold.(?.*)."

This should extract the field you want.

Yeh we have found this solution now, thanks Cchitten, but I was also wondering how you use subsearches in 6.0.5

sorry for delay response, I have done this query which I asked using splunk documentation. Now i am getting results what I expected

Thank you

Hi @Laya123

Can you please post your final search that actually solved your issue? Otherwise, this post is just going to float on Answers forever without a real solution. Thanks!

Patrick

Can you write a simpler example? With less "sdfsdfas4235q235" and more "a1,a2,b1,b2,etc".

Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor. HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members! The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...