Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Is there an effective way of merging 2 splunk sear...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I merge the below 2 complex queries? Let me know if it's possible in Splunk?
Search 1: -
index=ABC (eventtype=X OR eventtype=Y) log_subtype=DEF field_A="*SQL*"
| stats values(A) as A values(B) as B values(C) as C BY X, Y
| where B > 2
| search NOT [|inputlookup test_1.csv | fields X ]
| search NOT [|inputlookup test_2.csv | fields X ]
| eval name="search_1"
Search 2: -
index=ABC (log_subtype="GHI" OR log_subtype="JKL") (severity="medium" OR severity="high" OR severity="critical") action=* NOT (field_B="Unknown(5000007)" AND action="blocked") NOT dest_ip="11.22.33.44"
| stats values(D) as D values(E) as E values(A) as A BY X, Y
| eval name="search_2"
I succeeded on merging the 2 searches up to some extent (up to stats command)
index=ABC (log_subtype="DEF" OR log_subtype="GHI" OR log_subtype="JKL")(((eventtype=X OR eventtype=Y) field_A="*SQL*") OR ((severity="medium" OR severity="high" OR severity="critical") action=* NOT (field_B="Unknown(5000007)" AND action="blocked") NOT dest_ip="11.22.33.44" ))
| stats values(A) as A values(B) as B values(C) as C values(D) as D BY X, Y
I am not sure on how I can apply where condition and exclusion lookups from search 1 while combining as they are specific to search 1 and do not want to apply those to search 2?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One way to merge the searches and preserve the condition and exclusions is with append.
index=ABC (eventtype=X OR eventtype=Y) log_subtype=DEF field_A="*SQL*"
| stats values(A) as A values(B) as B values(C) as C BY X, Y
| where B > 2
| search NOT [|inputlookup test_1.csv | fields X ]
| search NOT [|inputlookup test_2.csv | fields X ]
| eval name="search_1"
| append [ search index=ABC (log_subtype="GHI" OR log_subtype="JKL") (severity="medium" OR severity="high" OR severity="critical") action=* NOT (field_B="Unknown(5000007)" AND action="blocked") NOT dest_ip="11.22.33.44"
| stats values(D) as D values(E) as E values(A) as A BY X, Y
| eval name="search_2" ]
| stats values(*) as * by X, Y
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This thread is several months old with an accepted solution so you may get better results by posting a new question.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I masked the IP address in this reply.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One way to merge the searches and preserve the condition and exclusions is with append.
index=ABC (eventtype=X OR eventtype=Y) log_subtype=DEF field_A="*SQL*"
| stats values(A) as A values(B) as B values(C) as C BY X, Y
| where B > 2
| search NOT [|inputlookup test_1.csv | fields X ]
| search NOT [|inputlookup test_2.csv | fields X ]
| eval name="search_1"
| append [ search index=ABC (log_subtype="GHI" OR log_subtype="JKL") (severity="medium" OR severity="high" OR severity="critical") action=* NOT (field_B="Unknown(5000007)" AND action="blocked") NOT dest_ip="11.22.33.44"
| stats values(D) as D values(E) as E values(A) as A BY X, Y
| eval name="search_2" ]
| stats values(*) as * by X, Y
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @richgalloway for the response. Also, is there any other way other than using append, union or map since using those impacting the search execution time?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Let's start by noticing that you already hurt your performance badly by using wildcards at the beginning of your search term.
Also, you're using a lot of exclusions which are often way way less performant than inclusions.
Anyway, if you have a field or set of fields which distinguishes one of your "partial search" from another, you can use a condition on that field to limit the applicability of your operations to some extent.
Like
| search log_subtype!="DEF" OR (log_subtype="DEF" AND (NOT [ | inputlookup whatever ]))
It's also worth noticing that you're already spawning two subsearches (which again might not be the best possible way - there is another technique - use a lookup directly and check if there was a match).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is the join command, but performance of that is even worse than append. Multisearch would be an option if the searches didn't contain non-streaming commands (stats).
Perhaps someone else will have a suggestion.
If this reply helps you, Karma would be appreciated.
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
What Is Splunk? Here’s What You Can Do with Splunk
Level Up Your .conf25: Splunk Arcade Comes to Boston
