Splunk Search

Output of search to another search

Explorer

I am doing a search which gives me two fields and say parent1 and child1...n so with parent and child I have 1 to n relationship. I want to pass this child value for every parent to next search and want tabular output.

Say something similar to |timechart (child) by parent

Tags (1)

Explorer

Thanks all for the responses, Sorry for providing information in raw format, this is what I am asking:-

Search1:- index=xyz sourcetype="test_notification" (chgs!=modtime AND action!=add OR NOT chgs) | rex field=child mode=sed "s/.*\/toindex\//config_/g" | fields parent,child

Search2:- index="xyz" sourcetype=allconf parent="parent Above from first query" source="child from first query" | dedup 2 source sortby -_time | diff pos1=2 pos2=1

Where first query might return more than one child for each parent.

0 Karma

Splunk Employee
Splunk Employee

But basically, subsearch is what you need, as maverick explained.

0 Karma

Splunk Employee
Splunk Employee

Could you please edit/update your original question to provide this information instead of putting it here as an "answer"? Thanks.

0 Karma

SplunkTrust
SplunkTrust

Seems to me like maybe you just want

<your search> | stats count by parent, child

that will give you rows where each row is a unique combination of parent and child.

Splunk Employee
Splunk Employee

Your description is somewhat vague to me, but I think I understand the overall gist of what you are wanting to do and I'm thinking you may want to take a look at a couple Splunk features (links provided below) to see if one of them works for you.

As mentioned already (in the answer above) the first feature is called sub-search and is used when you want to search your data to get back some preliminary results that you intend to include (pass into) an outer search, essentially.

See this page in our online doc on how sub-search feature works:

http://www.splunk.com/base/Documentation/latest/User/HowSubsearchesWork

The second feature is merely piping to a search command again to further filter down results obtained from a previous search (i.e. search for parent1 and child1 | search child1> 5 | ..... essentially applying one or more additional conditions AFTER your search results are returned.

See this page for more details on the search command:

http://www.splunk.com/base/Documentation/latest/SearchReference/Search

A third feature you could try is using the stats command with a list function, such that you group your child1..n to your single parent1, like this maybe:

some search terms here to get parent1 and child1...n | stats list(child) by parent

See this page for detail on using stats command and the functions:

http://www.splunk.com/base/Documentation/latest/SearchReference/Stats

http://www.splunk.com/base/Documentation/latest/SearchReference/CommonStatsFunctions

Finally, if all these options fail to get you what you want, you can always create your own custom command to process your search results the way you intend, similar to this:

search to get parent1 and child1...n | mynewsearch | stats values(child) by parent

See these links for details on creating your own custom search command:

1) http://www.splunk.com/base/Documentation/latest/SearchReference/Aboutcustomsearchcommands

2) http://www.splunk.com/base/Documentation/latest/SearchReference/WriteaPythonsearchcommand

3) http://www.splunk.com/base/Documentation/latest/SearchReference/Customsearchshape

Super Champion

I'm not 100% sure I understand what you are trying to accomplish exactly, but there are a few ways to attach different searches together.

If you would post an example or two of each of your parent and child events then a more specific example search could be provided. (Click "edit" under your question and add your examples to your question that way.)

You have a couple of different options:

  1. Use a sub-search In this approach you would use a sub-search to gather distinct values of parent in a sub search, which would end up being added as part of your base search.

    eventtype=child-event [ search eventtype=parent-event | dedup parent_id | fields + parent_id]

  2. Use the map search command. This is similar to the sub-search option except that it allows you to also search on a different time range within the secondary search, so say the child events are always within a 30 minute (before or after) the parent event. You could so something like this:

    eventtype=parent-event | dedup parent_id | eval end_time=relative_time(_time,"+30m@") | eval start_time=relative_time(_time,"-30m@m") | map search="search eventtype=child-event parent_id=$parent_id$ starttimeu=$start_time$ endtimeu=$end_time$"