Splunk Search

Subsearch input

ccsfdave
Builder

Greetings,

I am working with IronPort logs and oddly the mailto and mailfrom fields are not in the same records. So what I am looking to do is create a search similar to:

index=email sourcetype=ironport mailto=%form_var% 

which will result in a fields that I can use (icid) to then find the mailfrom field. So I am thinking about a subsearch like:

index=email sourcetype=ironport icid=<number from first search>

So I am wondering two things:

  1. what is the general subsearch layout I would use keeping in mind that the mailto will be furnished by the end user in a form?
  2. Can I pass a bunch of icid's e.g. if I allowed the user to search over a week of emails?

I would like a table of date mailto mailfrom as a very end result.

Thanks for the guidance!

Dave

Tags (2)
0 Karma
1 Solution

aweitzman
Motivator

Your layout would look like this:

index=email sourcetype=ironport [search index=email sourcetype=ironport mailto=%form_var% | table icid]

Your subsearch ends up giving you a clause that looks like (icid=1 OR icid=2 OR...) based on the results of that search. This gets applied to your main search, and you get the results you're looking for.

View solution in original post

0 Karma

aweitzman
Motivator

Your layout would look like this:

index=email sourcetype=ironport [search index=email sourcetype=ironport mailto=%form_var% | table icid]

Your subsearch ends up giving you a clause that looks like (icid=1 OR icid=2 OR...) based on the results of that search. This gets applied to your main search, and you get the results you're looking for.

0 Karma

ccsfdave
Builder

I was dubious that this would do it, but in fact it does. Thanks so much!

0 Karma