Splunk Search

Subsearch in SPLUNK with the name of index

SplunkDash
Motivator

Hello, 

I have a use case to get the index name from a field of one index/sourcetype and use that index name value to search the content of that index, but I'm not getting any result. Here is what I did:

index=meta_info sourcetype=meta:info | search group_name=admingr AND spIndex_name=admin_audit
| eval getIndex=spIndex_name
| search index=getIndex

Any help will be highly appreciated, thank you!

1 Solution

bowesmana
SplunkTrust

Then you should use the index with the list of indexes to search as the subsearch, i.e. put your meta search in the subsearch and it will return the index you want.

[ 
  | search index=meta_info sourcetype=meta:info
  | search group_name=admingr AND spIndex_name=admin_audit
  | rename spIndex_name as index
  | fields index
]

In the form above, it's totally hard coded, but I assume the spIndex_name= statement is variable.

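A fuller version of the same subsearch pattern, added here as an illustration and not part of bowesmana's post. It uses the index, sourcetype and field names from the question; the time modifiers (earliest=0 inside the subsearch, earliest=-24h outside) are assumptions, and the behaviour of format and of subsearch limits is as described in the Splunk documentation.

```spl
`comment("The subsearch runs first. Its output replaces the bracket expression in the outer search, so the outer search never sees a field name on the right-hand side of index=")`
earliest=-24h
    [ search index=meta_info sourcetype=meta:info group_name=admingr earliest=0
      `comment("earliest=0 is an assumption: a subsearch inherits the outer time range unless it sets its own, and the meta index entries may be older than 24h")`
      `comment("spIndex_name holds the target index name, e.g. admin_audit; rename it so the subsearch emits index=... terms")`
      | rename spIndex_name AS index
      `comment("one term per distinct index; many rows would only bloat the generated predicate")`
      | dedup index
      | fields index
      `comment("format is implicit at the end of a subsearch; written out so the bracketed body can also be run on its own to inspect the generated predicate")`
      | format ]
`comment("Summarise what came back from the selected index before drilling into raw events")`
| stats count BY index sourcetype
```

To verify what the outer search actually receives, run the bracketed body alone: format returns a single field named search holding the OR-ed predicate. Subsearches are capped by default at 10,000 results and 60 seconds (subsearch_maxout and subsearch_maxtime in limits.conf), so a long list of indexes is silently truncated unless dedup keeps it small.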

bowesmana
SplunkTrust

Your search is a little odd - it seems you just want to search index=admin_audit - so what's the purpose of the index=meta_info part?

What's wrong with just

index=admin_audit


SplunkDash
Motivator

@bowesmana @richgalloway,

We have an index that contains the list of index names; so, one search is going to get the index name from that index, and the other search is going to search the events (or get the events) within that index. A very interesting use case. But the customer wants it.



richgalloway
SplunkTrust

The search command doesn't handle field names on both sides of the equals sign. Use where instead.

index=meta_info sourcetype=meta:info | search group_name=admingr AND spIndex_name=admin_audit
| eval getIndex=spIndex_name
| where index=getIndex


---
If this reply helps you, Karma would be appreciated.

SplunkDash
Motivator

Hey @richgalloway

Thank you for your quick response. But it's not working, I'm not getting any result. Just to let you know, spIndex_name is the name of the index, and also the eval value getIndex is not returning the index name admin_audit.


SplunkDash
Motivator

Hello @richgalloway

getIndex should return the value admin_audit from the eval; the search at the end should return the content/events of the index admin_audit.
