Splunk Search

Running subsearch to verify results

dreadangel
Path Finder

I'm attempting to remove some elements from a search. After reading some answers, the following was born:

index=domain_ctrl_nmb* NOT 
    [ search index=servers_list 
    | dedup host_name 
    | fields host_name
    | rename user as host 
    | table host ] 
| where (match(host, "^[a-zA-Z]{1}[a-zA-Z0-9-._]{1,30}$")) 
| dedup host 
| table host

domain_ctrl_nmb* - it means that there are indexes domain_ctrl_nmb001 , domain_ctrl_nmb002, domain_ctrl_nmb003...
The search seems pretty obvious, but in order to verify the result I ran the subsearch independently and compared its results with the main search, and found that there are some common values.
Am I doing the search correctly?

0 Karma
1 Solution

FrankVl
Ultra Champion

Looking at this, I think you could also do it without multi search:

index=domain_ctrl_nmb* OR index=servers_list
| eval host_name=if(index="servers_list",upper(user),upper(src))
| where (match(host_name, "^[a-zA-Z]{1}[a-zA-Z0-9-._]{1,30}$"))
| fields host_name index
| table host_name index
| dedup host_name index
| eventstats c(host_name) as cnt by host_name
| search cnt=1 AND index="domain_ctrl_nmb*"

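
The same anti-join can be collapsed into a single stats pass, which is what I'd reach for when the goal is "hosts seen in the DC indexes that are missing from the server inventory". This is an added example, not FrankVl's or dreadangel's search; it assumes the same field layout as the thread (src holds the host in domain_ctrl_nmb*, user holds it in servers_list) and the same host-name regex:

```spl
index=domain_ctrl_nmb* OR index=servers_list
| eval host_name=if(index="servers_list", upper(user), upper(src))
| where match(host_name, "^[a-zA-Z]{1}[a-zA-Z0-9-._]{1,30}$")
| eval in_dc=if(like(index, "domain_ctrl_nmb%"), 1, 0)
| eval in_list=if(index="servers_list", 1, 0)
| stats max(in_dc) AS in_dc, max(in_list) AS in_list BY host_name
| where in_dc=1 AND in_list=0
| table host_name
```

stats already produces one row per host_name, so the table/dedup/eventstats steps are not needed, and there is no subsearch, so the 60 sec subsearch limit from later in this thread does not apply. The two flags make the verification step trivial: change the last where to in_dc=1 AND in_list=1 and you get exactly the hosts present in both sources (the "common values" the question is about), which should be empty when run against the output of the anti-join. Note that string literals in eval must be double-quoted; an unquoted index=servers_list is read as a comparison between two fields, the second of which does not exist.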
dreadangel
Path Finder

could you please move your comment as an answer - it solves my question, thank you!

0 Karma

FrankVl
Ultra Champion

done 🙂

Good to hear it helped 🙂

dreadangel
Path Finder

Oh, good tip - I'll try this

0 Karma

dreadangel
Path Finder

Seems that I misunderstood append capabilities, so here is my solution using multisearch:

| multisearch 
    [ search index=domain_ctrl_nmb* 
    | eval host_name=upper(src) 
    | where (match(host_name, "^[a-zA-Z]{1}[a-zA-Z0-9-._]{1,30}$")) 
    | eval list="dc" 
    | fields host_name list ] 
    [ search index=servers_list 
    | eval host_name=upper(user) 
    | where (match(host_name, "^[a-zA-Z]{1}[a-zA-Z0-9-._]{1,30}$")) 
    | eval list="umb" 
    | fields host_name list] 
| table host_name list
| dedup host_name list
| eventstats c(host_name) as cnt by host_name
| where cnt = 1 and (list="dc")

Your opinion?

P/S Gosh, splunk is gorgeous!!!

0 Karma

FrankVl
Ultra Champion

The problem is in the following part of your subsearch:

| fields host_name
| rename user as host 
| table host

No clue why you all of a sudden use the user field there, but that doesn't exist of course. I guess you meant to do:

| fields host_name
| rename host_name as host 
| table host

Oh and if you are indeed running into subsearch time constraints, you might want to consider storing the server list into a lookup or summary index periodically, so you don't have to plow through some 'real' index just to find a list of servers. Or ensure the server name ends up in the host field in that index, so you could do a much more performant |tstats count where index=servers_list by host | table host.

0 Karma
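
A quick way to see what the outer search actually receives from the brackets is to run the corrected subsearch on its own with format appended. This is an added example, not part of FrankVl's reply; it assumes the corrected rename from above and that host_name is the inventory field in servers_list:

```spl
index=servers_list
| dedup host_name
| fields host_name
| rename host_name AS host
| table host
| format
```

format returns a single row whose search field is the expression substituted into the main search, of the shape ( ( host="DC01" ) OR ( host="DC02" ) ) (constructed values). With the original rename user as host there are no host values for format to turn into terms, so the expression is empty and the NOT [...] filter removes nothing, which is consistent with the overlap dreadangel observed. Checking this output is cheaper than diffing two result sets by hand.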

dreadangel
Path Finder

yeah - that's my typo - sorry for that - see my previous answer...

0 Karma

FrankVl
Ultra Champion

See my addendum for info regarding running into time constraints for the subsearch 🙂

dreadangel
Path Finder

My bosses don't like the idea of using a lookup, so I'm tied in this direction - anyway, thanks for the tip

0 Karma

dreadangel
Path Finder

Seems that I ran into subsearch limitations - my subsearch runs more than 60 sec, so in the "main" search it's not run till all results are achieved.
I'll dig in multisearch direction.

0 Karma

riddhichandaran
Explorer

Hi @dreadangel
To verify the result of your search, yes, you can run the subsearch in another tab and check the result against your main search

You have written that you found some common values when you compared the results, but as you used "NOT" in your main search, your main search will not contain the results of the subsearch

Here I am showing you the example for the same

index="_internal" NOT [search index="_internal" sourcetype="splunkd" ] | dedup sourcetype | table sourcetype

This will return data from all sourcetypes of "_internal" except the "splunkd"

Hope this helps!!

dreadangel
Path Finder

Let me clarify the goal - I need the list of those hosts which are present in the domain_ctrl_nmb* indexes but not in the servers_list index. In order to achieve that I've used the SPL above.
But in order to be 100% sure, I've compared the result of this "main" search with subsearch results and found out that "main" search contains values that are present in subsearch result - I can conclude that the SPL expression doesn't work.

0 Karma