Splunk Search

Subsearch on completed (finalized) results

JohnB
Explorer

If I do a search for something such as: uri="/this/or/that.html" over, say, an hour.

Once the search completes (finalizes), is there a way to subsearch on just those results returned without having to rerun the whole thing again?

For instance, I find something interesting from that result set as I am poking through it and now I want to search that result set for cookie="fred". I don't want to have to run the entire search again. You would think that running another search on that result set would make subsequent searches much faster (quicker to resolution).

Is this possible? It doesn't seem to work like that.


Lowell
Super Champion

You can "save" your search job (use "save results" from the actions menu), which includes the first 10,000 events. Then in a subsequent search you can reload that search and filter the results down even more, run some kind of chart/stats on the results, or use the results in a subsearch.

Unfortunately, the approach isn't exactly intuitive, but it can be done using the loadjob search command.

Here are some examples:

First run your base search and get the search id. (The sid. You can find this from the job manager, or the job inspector. Sometimes you'll see ?sid=.... at the end of the URL in your browser; that's the number you're looking for.)

For the examples, I'm using a sid from my system, 1285798895.1194.

  1. To pull the results and do additional filtering, you can do a search like this:

    | loadjob 1285798895.1194 | search cookie="fred"

  2. To get stats on the same base search, run:

    | loadjob 1285798895.1194 | stats count, sum(bytes) as total_bytes by cookie | sort -total_bytes

  3. To do a subsearch based on data from your initial search, you could do something like this. (This search looks for errors (5xx series) and then uses that to search the entire access log for the sessions (based on clientip and cookie) so you can see the activity surrounding the error event.)

    sourcetype=access_common [ loadjob 1285798895.1194 | search status=5* | fields clientip, cookie ]

Hope that gives you some ideas to play around with.

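A fuller worked sequence of the loadjob approach, added here as an illustration and not part of Lowell's post or Splunk's documentation. It assumes the same access_common sourcetype and uses <sid> as a placeholder for the job id taken from the job inspector. The first search is the base job; the second reloads that finalized job and narrows it to one cookie; the third reloads the job's events instead of its results (events=true), which is what you need when the base search ended in a transforming command such as stats and its results no longer carry raw fields like cookie; the fourth pivots from the saved 5xx events back into the full log for those sessions. Inside the square brackets loadjob is written with a leading pipe because it is a generating command.

```spl
sourcetype=access_common uri="/this/or/that.html" earliest=-1h

| loadjob <sid> | search cookie="fred" | table _time clientip cookie status uri

| loadjob <sid> events=true | search cookie="fred"

sourcetype=access_common earliest=-1h [ | loadjob <sid> | search status=5* | dedup clientip cookie | fields clientip cookie ]
```

Two caveats when reusing a job this way: the artifact holds at most the first 10,000 events mentioned above, so a high-volume web log over an hour is already truncated before you filter it, and a subsearch is itself capped (10,000 results and a time limit by default in limits.conf), so the dedup on clientip and cookie keeps the generated OR list of sessions small enough to stay under that cap.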

gkanapathy
Splunk Employee

I don't think you mean "subsearch" in the way that Splunk uses the term. But the answer by Lowell is it. Basically, use loadjob. However, you should be aware that the results of previous searches may not include fields that you may expect or need in your subsequent search.


JohnB
Explorer

It does; however, this might be a feature request. 10,000 events isn't a whole lot in some cases; we can have 10,000 events in a web log in just a minute or so. Thanks for the answer!
