Splunk Search

Question regarding my search string

Justin1224
Communicator

Hi, here is my search string:
| rest splunk_server=local count=0 /services/alerts/correlationsearches | fields title | join type=outer title [| rest splunk_server=local count=0 /services/saved/searches | fields title | eval savedsearch_title=title] | where isnull(savedsearch_title) AND title!="Manual Notable Event - Rule"

Hi, I have a few questions regarding my search:
- What does the rest command do here?
- Is splunk_server=local count=0 filtering to only search for events where splunk_server = local and count=0?
- What does /services/alerts/correlationsearches do?
- What does fields title do?
- I know that join combines the results of a subsearch with those of a search from reading the Splunk page on it, but how does it do that? And what is it doing in the search I have?
- What's the last command doing?

Thank you very much, any help will be appreciated!


richgalloway
SplunkTrust

The rest command invokes the Splunk REST API. See http://docs.splunk.com/Documentation/Splunk/6.4.3/RESTUM/RESTusing and http://docs.splunk.com/Documentation/Splunk/6.4.3/RESTREF/RESTprolog.
The fields command passes only the 'title' field to subsequent commands.
The join command behaves much like the SQL command of the same name.
The where command filters the results so only those with a null 'savedsearch_title' field and the given title will be returned.

---
If this reply helps you, Karma would be appreciated.

inventsekar
Ultra Champion

+1, Richgalloway, Sir. Good one, as usual.


Justin1224
Communicator

Thank you for your help.

I have no experience with SQL. I've read the Splunk rest documentation but I still don't understand it. And does a null field mean that the field is empty?

Thanks again!


richgalloway
SplunkTrust

Joins combine data from two searches into a single data set. Rows from each search are matched up using the field specified ('title') in your example. Each row from the left side will have the fields from the right side added to it. In an outer join, rows that don't match the other side are still included in the results, but have null fields in their place.

---
If this reply helps you, Karma would be appreciated.

Justin1224
Communicator

Hey, could you help me a bit more with what rest does? I still don't fully understand it, and I've read the documentation on it.

Thank you!


richgalloway
SplunkTrust

The rest command makes use of the Splunk RESTful API. The API is a way for programs to send commands to Splunk to create and run searches/reports or manage the Splunk system. Some API commands replicate what you can do in the GUI, while other commands offer features not available in the GUI.

Data returned by the rest command can be parsed into fields and processed like any other event data.

---
If this reply helps you, Karma would be appreciated.
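The two answers above describe the rest command and the outer join in words. The following is an added example, not code from the thread or from Splunk, that models the join and where steps of the original search in plain Python so the null semantics are visible. The two input lists are constructed stand-ins for what the two `| rest` calls return (only the `title` field is kept, as `fields title` does); the function names `outer_join` and `orphaned_correlation_searches` are my own.

```python
"""Added example: model `join type=outer title` followed by
`where isnull(savedsearch_title) AND title!="Manual Notable Event - Rule"`.

Both input lists are constructed sample data standing in for the REST
responses; they are not real output from a Splunk instance."""

# Constructed sample of /services/alerts/correlationsearches, title only.
CORRELATION_SEARCHES = [
    {"title": "Brute Force Access Behavior Detected"},
    {"title": "Manual Notable Event - Rule"},       # excluded by the where clause
    {"title": "Orphaned Correlation Search"},       # no saved search backs it
]

# Constructed sample of /services/saved/searches, title only.
SAVED_SEARCHES = [
    {"title": "Brute Force Access Behavior Detected"},
    {"title": "Some Unrelated Report"},
]


def outer_join(left, right, key, rename):
    """Left outer join, the way `join type=outer <key>` behaves.

    Every row from the left side is kept. If a right-side row has the
    same value in `key`, its value is copied into the field `rename`
    (the search does this with `eval savedsearch_title=title` before
    joining). Rows with no match still appear, but `rename` is None,
    which is the Python stand-in for a null Splunk field.
    """
    index = {}
    for row in right:
        index.setdefault(row[key], row)  # first match wins, as join defaults to
    joined = []
    for row in left:
        match = index.get(row[key])
        merged = dict(row)
        merged[rename] = match[key] if match is not None else None
        joined.append(merged)
    return joined


def orphaned_correlation_searches(correlation, saved):
    """Apply the where clause: keep correlation-search titles whose joined
    savedsearch_title is null, except the manual notable-event rule."""
    joined = outer_join(correlation, saved, "title", "savedsearch_title")
    return [
        row["title"]
        for row in joined
        if row["savedsearch_title"] is None
        and row["title"] != "Manual Notable Event - Rule"
    ]


if __name__ == "__main__":
    for row in outer_join(CORRELATION_SEARCHES, SAVED_SEARCHES, "title", "savedsearch_title"):
        print(row)
    print(orphaned_correlation_searches(CORRELATION_SEARCHES, SAVED_SEARCHES))
```

Running it shows the three left-side rows all survive the join, two of them with `savedsearch_title` set to `None`, and the where step then reports only `Orphaned Correlation Search`. That is what the original search does: it lists correlation-search entries that have no saved search with the same title, which is why the one known exception is filtered out by name.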

Justin1224
Communicator

What is the /services/alerts/correlationsearches part of the search doing? From the documentation online it seems like it's specifying a location, but I'm not sure.

Also, what is the splunk_server=local part doing? On the Splunk website, it says, "Specifies the distributed search peer from which to return results. Use local to refer to the search head." So this search is referring to the search head, but what does that mean?

Thank you for your help.


inventsekar
Ultra Champion

Yes, a null field means an empty field.

Rest ... Let's understand/assume this is a simple Splunk command which reports some data/events out of Splunk. The format and fields are fixed; we will need to choose/edit/modify the fields as required.

Justin1224
Communicator

I really appreciate the help. I'm still not understanding what rest is doing, however. Could you provide a little more clarification on that, please? Thank you!
