Solved: Is it possible to run subsearches with tstats alon...

yacht_rock · ‎04-06-2016

Can you do subsearches with tstats alone?

   | tstats values(DM.app) AS App FROM datamodel=DM  BY DM.source [|
    tstats count FROM datamodel=DM WHERE DM.cat="foo" BY DM.dest |
    rename DM.dest AS DM.source |
    table DM.source ]

Source/dest are IPs - I want to get all the dest IPs of a certain server type (foo), then use those dest IPs as the source IPs for my main search.

The error that stops me is DM.source=1.2.3.4 (an IP address will show up here). I'm clearly missing something here and would appreciate any help.

somesoni2 · ‎04-06-2016

Try like this

| tstats values(DM.app) AS App FROM datamodel=DM  BY DM.source | search  [|
     tstats count FROM datamodel=DM WHERE DM.cat="foo" BY DM.dest |
     rename DM.dest AS DM.source |
     table DM.source ]

View solution in original post

somesoni2 · ‎04-06-2016

Try like this

| tstats values(DM.app) AS App FROM datamodel=DM  BY DM.source | search  [|
     tstats count FROM datamodel=DM WHERE DM.cat="foo" BY DM.dest |
     rename DM.dest AS DM.source |
     table DM.source ]

Is it possible to run subsearches with tstats alone?

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?

Is it possible to run subsearches with tstats alone?

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability