Splunk Search

Subsearch on completed (finalized) results

JohnB
Explorer

If I do a search for something such as: uri="/this/or/that.html" over, say, an hour.

Once the search completes (finalizes), is there a way to subsearch on just those results returned without having to rerun the whole thing again?

For instance, I find something interesting from that result set as I am poking through it and now I want to search that result set for cookie="fred". I don't want to have to run the entire search again. You would think that running another search on that result set would make subsequent searches much faster (quicker to resolution).

Is this possible? It doesn't seem to work like that.


Lowell
Super Champion

You can "save" your search job (use "save results" from the actions menu), which includes the first 10,000 events. Then in a subsequent search you can reload that search and filter the results down even more, run some kind of chart/stats on the results, or use the results in a subsearch.

Unfortunately, the approach isn't exactly intuitive, but it can be done using the loadjob search command.

Here are some examples:

First run your base search and get the search id (the sid). You can find this from the job manager or the job inspector. Sometimes you'll see ?sid=.... at the end of the URL in your browser; that's the number that you're looking for.

For the examples, I'm using a sid from my system, 1285798895.1194.

  1. To pull the results and do additional filtering, you can do a search like this:

    | loadjob 1285798895.1194 | search cookie="fred"

  2. To get stats on the same base search, run:

    | loadjob 1285798895.1194 | stats count, sum(bytes) as total_bytes by cookie | sort -total_bytes

  3. To do a subsearch based on data from your initial search, you could do something like this. (This search looks for errors (5xx series) and then uses that to search the entire access log for the sessions (based on clientip and cookie) so you can see the activity surrounding the error event.)

    sourcetype=access_common [ loadjob 1285798895.1194 | search status=5* | fields clientip, cookie ]

Hope that gives you some ideas to play around with.
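As an added example (it is not from Lowell's answer or from Splunk's own documentation), this extends example 3 above into the investigation view a responder usually wants: for every session that hit a 5xx in the saved job, pull that session's full activity from the access log and summarize it. It assumes the same sid and sourcetype as the thread, plus the field names used above (clientip, cookie, status, uri, _time). The events=true option asks loadjob for the saved events rather than transformed results, and dedup inside the subsearch keeps the generated OR clause small, which matters because subsearch output is also capped by default.

```spl
sourcetype=access_common
    [ loadjob 1285798895.1194 events=true
      | search status=5*
      | dedup clientip, cookie
      | fields clientip, cookie ]
| stats earliest(_time) as first_seen,
        latest(_time) as last_seen,
        count as requests,
        count(eval(match(status, "^5"))) as server_errors,
        values(uri) as uris
        by clientip, cookie
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort -server_errors
```

One check before relying on this: as gkanapathy notes below, a saved job only carries the fields it extracted at the time it ran, so if clientip or cookie come back empty from loadjob, end the base search with "| fields _time, clientip, cookie, status, uri, bytes" before saving it, and remember the 10,000-event cap means a busy web log needs a narrower base search rather than a longer time range.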


gkanapathy
Splunk Employee

I don't think you mean "subsearch" in the way that Splunk uses the term. But the answer by Lowell is it. Basically, use loadjob. However, you should be aware that the results of previous searches may not include fields that you may expect or need in your subsequent search.

JohnB
Explorer

It does; however, this might be a feature request. 10,000 events isn't a whole lot in some cases; we can have 10,000 events in a web log in just a minute or so. Thanks for the answer!
