Re: Not another Subsearch Question! Take values f...

lennys26 · ‎07-20-2017

I am trying to figure out how to find all log events related to a specific linux PID based on a reduced set of hosts (obtained from a search for 'valueB').

Using the below search, I can get the PIDs and the hosts in which they live.

index=<myindex> sourcetype=<mysourcetype> valueB | table host, PID, valueB | dedup PID, valueB

This will return me a simple list of the PIDs for events related to 'valueB' and the hosts. I now want to take this list and search for all events for those PIDs in the hosts (where 'valueB' may or may not actually be present within the log line).

For example, using the below event lines:
1. hostA PID: 10000 foo
2. hostB PID: 20000 foo
3. hostA PID: 10000
4. hostB PID: 20000
5. hostC PID: 10000
6. hostC PID: 30000 foo

Knowing 'foo', my end goal is to return the events 1, 2, 3, 4 and NOT 5 or 6.

This is a subsearch (or a join) but I cant seem to get it to work.

Any thoughts?

woodcock · ‎07-23-2017

Like this:

index=yourIndexHere sourcetype=yourSourcetypeHere [search index=yourIndexHere sourcetype=yourSourcetypeHere id=yourIDhere | dedup host PID | table host PID ]

DalJeanis · ‎07-20-2017

Okay, it looks like each host may have multiple PIDS. For each host, for any PID that has a foo, you want all the records.

So, this subsearch, with its implicit format command

 [index=<myindex> sourcetype=<mysourcetype> "foo" | stats by host PID]

...effectively turns into this search term

 ((host=hostA AND PID=10000) OR (host=hostB AND PID=20000) OR (host=hostC AND PID=30000) )

... therefore this search ...

index=<myindex> sourcetype=<mysourcetype> 
    [index=<myindex> sourcetype=<mysourcetype> "foo" | stats by host PID]
| table host PID WhateverFieldIsFoo

... should get you records 1-4 and 6 but not 5.

DalJeanis · ‎07-20-2017

why not 6? It has a foo!

DalJeanis · ‎07-23-2017

@lennys26 - still waiting to understand how we are supposed to know not to put out hostc?

woodcock · ‎07-20-2017

Like this:

  index=<myindex> sourcetype=<mysourcetype> [search index=<myindex> sourcetype=<mysourcetype> valueB | stats values(PID) AS PID]

lennys26 · ‎07-21-2017

Hi woodcock. That is along the lines of what I was thinking however it seems to be pulling events that match PID but not restricting to the hosts that I want (example #5 above). Let me make sure I am explaining clearly (I suspect I didnt').

All events will fall into one of the below :

contain: host, pid
contain: host, id
contain: host, pid and id

I have a call in my network which is identified with an id. For each host, the 'id' has a direct relationship with a specific 'pid'. Using the 'id' to search with, I want to be able to pull up the events on those hosts (where the 'id' exists) with the related 'pid'.

Given:
| host | pid | id |
| svr1 | 1000 | aa |
| svr2 | 2000 | aa |

I want to return the events where the pid is 1000 on svr1 and 2000 on svr2

woodcock · ‎07-22-2017

My bad; see @DalJeanis

Not another Subsearch Question! Take values from one search and feed it to another

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation