Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Nested subsearches with lookup

Janani_Krish
Path Finder
‎11-01-2021 02:07 AM

I have a query structured like below with main search and sub search where the main search includes lookup,

|inputlookup tci|search tag.name="ap" |rename tag.name as tags|dedup indicator|table indicator confidence rating ownerName tags|union[search sourcetype="cisco:*" action=allowed 
|rename src_ip as indicator|dedup indicator|table indicator confidence rating ownerName tags]|stats count values(confidence) as confidence values(rating) as rating values(ownerName) as ownerName values(tags) as tags by indicator|where count>1|table indicator confidence rating ownerName tags

  I wanted the results of this query to be lookup into one more source type and take out raw data. I have tried the below but it doesn't work,

sourcetype="symantec:*"[|inputlookup tci|search tag.name="ap" |rename tag.name as tags|dedup indicator|table indicator confidence rating ownerName tags|union[search sourcetype="cisco:*" action=allowed 
|rename src_ip as indicator|dedup indicator|table indicator confidence rating ownerName tags]|stats count values(confidence) as confidence values(rating) as rating values(ownerName) as ownerName values(tags) as tags by indicator|where count>1|table indicator confidence rating ownerName tags]|table _raw


Please suggest any alternatives to lookout for source type where we have to derive the result from nested sub searches with lookups.

Labels (3)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-01-2021 03:45 AM

Have you tried using format?

sourcetype="symantec:*" [|inputlookup tci|search tag.name="ap" |rename tag.name as tags|dedup indicator|table indicator confidence rating ownerName tags|union[search sourcetype="cisco:*" action=allowed 
|rename src_ip as indicator|dedup indicator|table indicator confidence rating ownerName tags]|stats count values(confidence) as confidence values(rating) as rating values(ownerName) as ownerName values(tags) as tags by indicator|where count>1|table indicator confidence rating ownerName tags | format ]|table _raw
0 Karma
Reply

Janani_Krish
Path Finder
‎11-01-2021 11:38 PM

Hi @ITWhisperer 

Tried using format now. But this as well is not returning any results although our inner sub search is returning results.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)

Welcome back to Splunk Classroom Chronicles, our ongoing series where we shine a light on what really happens ...

From GPU to Application: Monitoring Cisco AI Infrastructure with Splunk Observability ...

AI workloads are different. They demand specialized infrastructure—powerful GPUs, enterprise-grade networking, ...

Application management with Targeted Application Install for Victoria Experience

  Experience a new era of flexibility in managing your Splunk Cloud Platform apps! With Targeted Application ...