Splunk Search

How would I use multiple values from a subsearch as input to the main search?

mdwasimkhan
Engager

Hi All,

I am looking for a query which will accept multiple value subsearch output as a input of main serach, See below :

index=myIndex UniqueReqId in [ search index=myIndex MyLogger | dedup UniqueReqId | stats count(UniqueReqId) as "Total user" by UniqueReqId ]

This sub search "search index=myIndex MyLogger | dedup UniqueReqId | stats count(UniqueReqId) as "Total user" by UniqueReqId" will return multiple value like below :

UniqueReqId Total user
002cc2c7-b1e4-49de-bbd3-caa6c2e741e3 1
00426627-98cf-4dd5-97b6-af4cde045286 1
00567c49-5638-4a0c-a803-04d0b3662aac 1
006ef351-33b8-40ed-b320-28473ea1f481 1
00caf75c-deed-4581-ab5a-04929b1a943d 1
00ff69ef-d57c-43ad-9b64-38cf39b94f6f 1
01395957-648b-4e9a-ac76-7fa68f833fce 1
01e82329-3d58-4d11-bdca-88100a2dc85c 1
02084578-869a-4ce5-bc20-b86c3fea34d2 1
021272cb-c043-483f-8512-244210471c63 1
02191c34-b485-4a6d-9d77-53f0a8e7875c 1
0228ff59-27f8-47e1-a38f-88acdb94fb22 1
028177b6-f2f3-4c53-948e-558d51287d43 1
02be90c8-5737-4f89-a204-2a3ea5f79047 1
02df9ecb-29bf-4aad-b479-26fde9b6ca94 1
02e2ef7f-ea55-4311-b724-c06fe5ab416d 1
02e7bacd-4579-44c6-b4c2-be0a4fbf4566 1
02eb4faa-39c1-431d-9590-a1fabc7eecd8 1
031229db-d4ef-4783-b649-9a1e738d495a 1
03216368-6d8e-42e9-8fb1-e2ace7794f4c 1

Now whatever the value we are getting in column UniqueReqId, we need to use each value one by one to the main query in UniqueReqId=EachValue.

Like Sample example :

index=myIndex UniqueReqId IN [002cc2c7-b1e4-49de-bbd3-caa6c2e741e3,00426627-98cf-4dd5-97b6-af4cde045286,00426627-98cf-4dd5-97b6-af4cde0452dsd,etc]

I searched a lot but did not get the solution for my requirement however got the solution for single value subsearch output as input for main search.

Thanks,
Wasim

0 Karma
1 Solution

woodcock
Esteemed Legend

Like this:

index=myIndex [ search index=myIndex MyLogger | dedup UniqueReqId | fields UniqueReqId ]

View solution in original post

woodcock
Esteemed Legend

Like this:

index=myIndex [ search index=myIndex MyLogger | dedup UniqueReqId | fields UniqueReqId ]

mdwasimkhan
Engager

Yes, This is what i was looking for.

Thanks

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi mdwasimkhan,
If I correctly understood, try something like this

index=myIndex MyLogger [ search index=myIndex UniqueReqId | eval UniqueReqId=upper(UniqueReqId) | dedup UniqueReqId | fields UniqueReqId ]
| stats count as "Total user" by UniqueReqId

In this way you have the event count for each user.
beware that UniqueReqId field must have the same name in both the searches.

Bye.
Giuseppe

0 Karma

mdwasimkhan
Engager

I downvoted this post because below is the expected query :

index=myindex [ search index=myindex mylogger | dedup uniquereqid | fields uniquereqid ]

thanks

0 Karma

mdwasimkhan
Engager

Actually I have 2 below logger, In that common field is UniqueReqId only.

LOGGER([UniqueReqId]+[MyLogger])
LOGGER([UniqueReqId]+[userName]+[Action])

So my requirement is i need to find out the UniqueReqId which contains MyLogger.[ This i want to search in sub-search block.]

once i will get the
all possible UniqueReqId in sub-search then We need to find out the userName who is using action=myAction and UniqueReqId=[Multiple UniqueReqId from subsearch].
So fetch the userName from all possible UniqueReqId got from subsearch where action=myAction.

We have multiple actions, so action=MyAction and UniqueReqId=(02191c34-b485,0228ff59,02be90c8,02e2ef7f etc)

MyLogger is not require here, because it does not apear in other logger.

Below command is working fine for me. Thanks Giuseppe 🙂

index=myIndex [ search index=myIndex MyLogger | dedup UniqueReqId | fields UniqueReqId ]

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...