Splunk Search

Search for A then use all of A and search for B

tb582
Explorer

I'm looking to find everything that has the string "Task Failed". I want Splunk to get the task_id and then use all those task_ids for another search which looks for different strings, but only ones that also have the IDs it found in the initial search.

0 Karma

kristian_kolb
Ultra Champion

I think a subsearch would do the trick for you:

Assuming that you have sourcetype_A containing the task_ids you look for, and sourcetype_B is where you want to search for different_string where the task_id matches:

sourcetype=sourcetype_B different_string=* [search sourcetype_A "Task failed" | fields + task_id]

The subsearch finds all events with "Task failed" and returns:

task_id=X OR task_id=Y OR task_id=Z

i.e. all the task_ids found, and they are passed as parameters to the outer search.

http://docs.splunk.com/Documentation/Splunk/latest/User/HowSubsearchesWork

Hope this helps,

Kristian

0 Karma

kristian_kolb
Ultra Champion

Thank you for that pointer, gkanapathy. Seems much simpler to use 'return'... hadn't really looked at it.

tb582, did you get the search to work the way you wanted?

/k

0 Karma

gkanapathy
Splunk Employee

Then just use the same sourcetype name in both places. However, instead of fields, I would recommend using the new return command, as return 10000 task_id. This basically combines fields with dedup, and makes explicit the maximum number of task_ids that will be considered.
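Putting Kristian's subsearch and gkanapathy's return suggestion together, as an added example that is not from the thread: the first search is the complete correlation, the second is the subsearch run on its own so you can see what gets pasted into the outer search. The sourcetype name sourcetype_A, the field name task_id and the second string "Task retried" are placeholders assumed here; substitute your own.

```spl
sourcetype=sourcetype_A "Task retried"
    [ search sourcetype=sourcetype_A "Task failed"
      | return 10000 task_id ]

sourcetype=sourcetype_A "Task failed"
| return 10000 task_id
```

The second search produces a single result whose search field holds the expanded clause, of the form task_id="X" OR task_id="Y" OR task_id="Z"; if that field is empty, task_id is not being extracted from your events (check with ... | stats count by task_id) and the outer search cannot match on it. Two things to keep in mind when you rely on this in an alert: the subsearch must finish first and is bounded by the [subsearch] maxout (default 10,000 results) and maxtime (default 60 seconds) settings in limits.conf, and when either limit is hit the ID list is truncated, which shows up only as a message in the search job rather than as an error, so a high-cardinality task_id can quietly drop the events you care about.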

tb582
Explorer

It's the same sourcetype.

0 Karma