Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Matching specific fields in main search with the results from subsearch

spj2
New Member
‎12-02-2013 07:34 PM

I am monitoring a directory with multiple CSV files and indexing these to say an index "ABC". The goal is to extract a field "IP" from this index and match it against multiple fields (src_ip, dst_ip) in different sourcetypes which will be the main search.

I am using the following query:

sourcetype=FW [search index=ABC| rename IP as search | fields search |format]

This query returns events from sourcetype=FW where any field matches "IP" and it's slow. I would like to search the "IP" only in src_ip and dst_ip fields in the FW.

How can I achieve this? Is subsearch the right solution in this case, because the list of "IP" in index "ABC" is going to get longer everyday?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎12-02-2013 10:28 PM

I am not sure that this will be better, but try it:

sourcetype=FW [ search index=ABC 
      | dedup IP | eval src_ip=IP | eval dest_ip=IP | fields src_ip dest_ip
      | format "(" "(" "OR" ")" "OR" ")" ]

You don't really need all the parentheses in the format command, but it was hard to read when I substituted spaces instead. And the end result will be the same.

It is only one subsearch instead of two, and it will specify the fields to search.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎12-02-2013 10:28 PM

I am not sure that this will be better, but try it:

sourcetype=FW [ search index=ABC 
      | dedup IP | eval src_ip=IP | eval dest_ip=IP | fields src_ip dest_ip
      | format "(" "(" "OR" ")" "OR" ")" ]

You don't really need all the parentheses in the format command, but it was hard to read when I substituted spaces instead. And the end result will be the same.

It is only one subsearch instead of two, and it will specify the fields to search.

0 Karma
Reply
Solved! Jump to solution

spj2
New Member
‎12-03-2013 06:31 AM

Thanks somesoni2 and lguinn. Both the solutions worked and took exactly the same amount of time.

0 Karma
Reply
Solved! Jump to solution

somesoni2
SplunkTrust
SplunkTrust
‎12-02-2013 10:22 PM

Try This

sourcetype=FW [search index=ABC | stats count by IP | rename IP as src_ip | fields - count] OR [search index=ABC | stats count by IP | rename IP as dst_ip | fields - count]

This will take unique values of IP from index=ABC (stats is the fastest way) then using subsearch a clause will be added as filter "src_ip=". Same is repeated for dst_ip, added as OR clause.

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎12-02-2013 10:19 PM

What is in the CSV files? Do they contain time-stamped events, or are they more like lists or tables of IP addresses?

0 Karma
Reply
Get Updates on the Splunk Community!

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...

Customer Experience | Call for Stories: Your 2023 Journey with Splunk!

Share your Splunk journey: Splunk is committed to supporting our customers toward success. As the year draws ...

Infographic provides the TL;DR for the 2023 Splunk Career Impact Report

We’ve been shouting it from the rooftops! The findings from the 2023 Splunk Career Impact Report showing that ...