Splunk Search

Searching over list from subsearch

Path Finder

I don't seem to be able to wrap my head around this search. I have a set of data that uses a unique ID to tie a chain of actions together across multiple events. I want to search through the index, find the IDs from all of the events that match match_criteria1, then return any event in the index that has one of those IDs.

name   ID   other field
------ ---  ----------------
event1  A   match_criteria1
event2  B   match_criteria1
event3  C   match_criteria1
event4  A   something
event5  B   something
event6  D   something else
event7  E   other data
event8  E   other data 2

Should return:

name   ID   other field
------ ---  ----------------
event1  A   match_criteria1
event2  B   match_criteria1
event3  C   match_criteria1
event4  A   something
event5  B   something

Any ideas?


SplunkTrust

Try something like this

index=Blah sourcetype=blah [search index=Blah sourcetype=blahh other_field=match_criteria1 | stats count by ID | table ID ] | table name ID other_field

Path Finder

Hmm.. that's exactly what I've seen examples of and tried, but it isn't returning any results. I need to do an eval on the criteria field, perhaps that is messing it up.

If you append a search like that, which is generating a single column table, is it equivalent to
"field=a OR field=b OR field=c"?
- OR -
"a OR b OR c"


SplunkTrust

Yes, the subsearch will generate the OR condition like that.
Could you share the query that you tried (and failed), so we can see any possible issues with that?

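As an added, self-contained illustration of the subsearch pattern from the answer above (this is not a search posted by anyone in the thread), the following SPL builds the eight sample events from the question in memory with `makeresults`, so it can be run on any Splunk instance without an index. The inner subsearch keeps only the IDs whose `other_field` is `match_criteria1`; Splunk then rewrites that result table into a filter of the form `( ( ID="A" ) OR ( ID="B" ) OR ( ID="C" ) )`, which the outer `search` applies to every event. The field name `ID` and the value `match_criteria1` are taken from the question; the `eval`/`case` lines exist only to construct the sample data.

```spl
| makeresults count=8
| streamstats count AS n
| eval name="event".n
| eval ID=case(n==1,"A", n==2,"B", n==3,"C", n==4,"A", n==5,"B", n==6,"D", n==7,"E", n==8,"E")
| eval other_field=case(n<=3,"match_criteria1", n<=5,"something", n==6,"something else", n==7,"other data", n==8,"other data 2")
| search
    [| makeresults count=8
     | streamstats count AS n
     | eval ID=case(n==1,"A", n==2,"B", n==3,"C", n==4,"A", n==5,"B", n==6,"D", n==7,"E", n==8,"E")
     | eval other_field=case(n<=3,"match_criteria1", n<=5,"something", n==6,"something else", n==7,"other data", n==8,"other data 2")
     | search other_field="match_criteria1"
     | stats count BY ID
     | fields ID ]
| table name ID other_field
```

Running this returns event1 through event5, matching the expected table in the question; event6 to event8 are dropped because D and E never appear with `match_criteria1`. Two checks are worth knowing when a search of this shape returns nothing. First, run the bracketed part on its own with `| format` appended: the `search` field it produces is the literal filter Splunk substitutes into the outer search, so you can see at once whether it reads `ID="A" OR ID="B"` or is using a different field name. The generated condition always uses the field name the subsearch returns, so if the outer events carry the identifier under another name (for example after an `eval`), either rename it in the subsearch (`| rename ID AS session_id`) or `eval` the same name in the outer search before the filter applies. Second, subsearches are capped by `limits.conf` (by default 10,000 results and a 60-second runtime); if the inner search hits either cap, the generated OR list is silently truncated, so a `stats count by ID` that could return more IDs than that should be narrowed or replaced with a `join`-free approach such as `eventstats`.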