Splunk Search

Moving fields from a subsearch

balcv
Contributor

I have a search and subsearch that is working as required but there is a field in the subsearch that I want to display in the final table output but is not a field to be searched on.

index=aruba sourcetype="aruba:stm" "*Denylist add*" OR "*Denylist del*"
| eval stuff=split(message," ")
| eval mac=mvindex(stuff,4)
| eval mac=substr(mac,1,17)
| eval denyListAction=mvindex(stuff,3)
| eval denyListAction=replace(denyListAction,":","")
| eval reason=mvindex(stuff,5,6)
| search mac="*:*"
    [ search index=main host=thestor Username="*adgunn*"
    | dedup Client_Mac
    | eval Client_Mac="*" . replace(Client_Mac,"-",":") . "*"
    | rename Client_Mac AS mac
    | fields mac ]
| dedup mac,denyListAction,reason
| table _time,mac,denyListAction,reason

What I want is for the value held in field Username to be included in the table command of the outer search. How do I pass it from the subsearch to be used in the table command and not used as part of the search?

Thanks.

1 Solution

yuanliu
SplunkTrust

The most common way to handle this is to use append instead. The following example uses eventstats.

index=aruba sourcetype="aruba:stm" "*Denylist add*" OR "*Denylist del*"
| eval stuff=split(message," ")
| eval mac=mvindex(stuff,4)
| eval mac=substr(mac,1,17)
| eval denyListAction=mvindex(stuff,3)
| eval denyListAction=replace(denyListAction,":","")
| eval reason=mvindex(stuff,5,6)
| dedup mac,denyListAction,reason
| append
    [ search index=main host=thestor Username="*adgunn*"
    | dedup Client_Mac
    | eval Client_Mac=replace(Client_Mac,"-",":")
    | rename Client_Mac AS mac
    | fields mac Username ]
| eventstats values(Username) as Username by mac
| where isnotnull(Username) AND isnotnull(denyListAction)
| table _time,mac,denyListAction,reason,Username

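The append approach above pulls the second data set in through a subsearch, so it is subject to the append result limit (50,000 rows by default) and the subsearch time limit. As an added example that is not from any poster in this thread, the same join can be done in a single pass by ORing both searches together and letting eventstats carry Username onto the Aruba events by mac. It assumes the Aruba message layout implied by the question (action at token 3, MAC at token 4, reason at tokens 5-6), that Client_Mac uses hyphens, and that the two sources may differ in hex case, which is why both sides are lowercased before grouping.

```spl
(index=aruba sourcetype="aruba:stm" ("*Denylist add*" OR "*Denylist del*"))
OR (index=main host=thestor Username="*adgunn*")
| eval stuff=split(message," ")
| eval mac=case(index=="aruba", substr(mvindex(stuff,4),1,17),
                index=="main",  replace(Client_Mac,"-",":"))
| eval mac=lower(mac)
| eval denyListAction=if(index=="aruba", replace(mvindex(stuff,3),":",""), null())
| eval reason=if(index=="aruba", mvjoin(mvindex(stuff,5,6)," "), null())
| eventstats values(Username) as Username by mac
| where index=="aruba" AND isnotnull(Username)
| dedup mac,denyListAction,reason
| table _time,mac,denyListAction,reason,Username
```

Because both sides are read in one search there is no subsearch limit to hit, and the time picker applies to both data sets equally. If a single MAC has been seen with more than one Username in the window, values() returns a multivalue field; use latest(Username) instead if you only want the most recent owner.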

balcv
Contributor

Thanks @bowesmana. I had a feeling it was not going to be as easy as I had hoped.
I'm rethinking my approach to see if I can find a way to achieve what I need.
Thanks again.



bowesmana
SplunkTrust

You would either have to include that subsearch part as an OR in the outer search and munge the data so you could join the data sets with stats somehow, or create a lookup through a saved search on a regular basis (if it changes) and use the lookup to filter rather than the subsearch; then you'd have anything you need.
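The lookup route suggested above, written out as an added example that is not from any poster in this thread. The block holds two separate searches: the first is meant to run as a scheduled saved search and writes the MAC-to-user mapping to a CSV lookup; the second is the ad hoc search that enriches the Aruba denylist events from that lookup. The lookup file name client_mac_to_user.csv, the lowercasing of both MAC formats, and the Aruba token positions are assumptions, not anything the thread states.

```spl
index=main host=thestor Username=*
| eval mac=lower(replace(Client_Mac,"-",":"))
| stats latest(_time) as last_seen, latest(Username) as Username by mac
| outputlookup client_mac_to_user.csv

index=aruba sourcetype="aruba:stm" "*Denylist add*" OR "*Denylist del*"
| eval stuff=split(message," ")
| eval mac=lower(substr(mvindex(stuff,4),1,17))
| eval denyListAction=replace(mvindex(stuff,3),":","")
| eval reason=mvjoin(mvindex(stuff,5,6)," ")
| lookup client_mac_to_user.csv mac OUTPUT Username last_seen
| search Username="*adgunn*"
| dedup mac,denyListAction,reason
| table _time,mac,denyListAction,reason,Username
```

Keeping the user filter (Username="*adgunn*") on the consuming side rather than in the scheduled search means one lookup serves every user, and last_seen lets you tell a current owner of a MAC from a stale mapping. The lookup only knows what the scheduled search has seen, so a MAC that appeared after the last run will show no Username until the next refresh.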
