Splunk Search

How would I use multiple values from a subsearch as input to the main search?

mdwasimkhan
Engager

Hi All,

I am looking for a query which will accept multiple value subsearch output as a input of main serach, See below :

index=myIndex UniqueReqId in [ search index=myIndex MyLogger | dedup UniqueReqId | stats count(UniqueReqId) as "Total user" by UniqueReqId ]

This sub search "search index=myIndex MyLogger | dedup UniqueReqId | stats count(UniqueReqId) as "Total user" by UniqueReqId" will return multiple value like below :

UniqueReqId Total user
002cc2c7-b1e4-49de-bbd3-caa6c2e741e3 1
00426627-98cf-4dd5-97b6-af4cde045286 1
00567c49-5638-4a0c-a803-04d0b3662aac 1
006ef351-33b8-40ed-b320-28473ea1f481 1
00caf75c-deed-4581-ab5a-04929b1a943d 1
00ff69ef-d57c-43ad-9b64-38cf39b94f6f 1
01395957-648b-4e9a-ac76-7fa68f833fce 1
01e82329-3d58-4d11-bdca-88100a2dc85c 1
02084578-869a-4ce5-bc20-b86c3fea34d2 1
021272cb-c043-483f-8512-244210471c63 1
02191c34-b485-4a6d-9d77-53f0a8e7875c 1
0228ff59-27f8-47e1-a38f-88acdb94fb22 1
028177b6-f2f3-4c53-948e-558d51287d43 1
02be90c8-5737-4f89-a204-2a3ea5f79047 1
02df9ecb-29bf-4aad-b479-26fde9b6ca94 1
02e2ef7f-ea55-4311-b724-c06fe5ab416d 1
02e7bacd-4579-44c6-b4c2-be0a4fbf4566 1
02eb4faa-39c1-431d-9590-a1fabc7eecd8 1
031229db-d4ef-4783-b649-9a1e738d495a 1
03216368-6d8e-42e9-8fb1-e2ace7794f4c 1

Now whatever the value we are getting in column UniqueReqId, we need to use each value one by one to the main query in UniqueReqId=EachValue.

Like Sample example :

index=myIndex UniqueReqId IN [002cc2c7-b1e4-49de-bbd3-caa6c2e741e3,00426627-98cf-4dd5-97b6-af4cde045286,00426627-98cf-4dd5-97b6-af4cde0452dsd,etc]

I searched a lot but did not get the solution for my requirement however got the solution for single value subsearch output as input for main search.

Thanks,
Wasim

0 Karma
1 Solution

woodcock
Esteemed Legend

Like this:

index=myIndex [ search index=myIndex MyLogger | dedup UniqueReqId | fields UniqueReqId ]

View solution in original post

woodcock
Esteemed Legend

Like this:

index=myIndex [ search index=myIndex MyLogger | dedup UniqueReqId | fields UniqueReqId ]

mdwasimkhan
Engager

Yes, This is what i was looking for.

Thanks

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi mdwasimkhan,
If I correctly understood, try something like this

index=myIndex MyLogger [ search index=myIndex UniqueReqId | eval UniqueReqId=upper(UniqueReqId) | dedup UniqueReqId | fields UniqueReqId ]
| stats count as "Total user" by UniqueReqId

In this way you have the event count for each user.
beware that UniqueReqId field must have the same name in both the searches.

Bye.
Giuseppe

0 Karma

mdwasimkhan
Engager

I downvoted this post because below is the expected query :

index=myindex [ search index=myindex mylogger | dedup uniquereqid | fields uniquereqid ]

thanks

0 Karma

mdwasimkhan
Engager

Actually I have 2 below logger, In that common field is UniqueReqId only.

LOGGER([UniqueReqId]+[MyLogger])
LOGGER([UniqueReqId]+[userName]+[Action])

So my requirement is i need to find out the UniqueReqId which contains MyLogger.[ This i want to search in sub-search block.]

once i will get the
all possible UniqueReqId in sub-search then We need to find out the userName who is using action=myAction and UniqueReqId=[Multiple UniqueReqId from subsearch].
So fetch the userName from all possible UniqueReqId got from subsearch where action=myAction.

We have multiple actions, so action=MyAction and UniqueReqId=(02191c34-b485,0228ff59,02be90c8,02e2ef7f etc)

MyLogger is not require here, because it does not apear in other logger.

Below command is working fine for me. Thanks Giuseppe 🙂

index=myIndex [ search index=myIndex MyLogger | dedup UniqueReqId | fields UniqueReqId ]

0 Karma
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...