Splunk Search

Subsearch on completed (finalized) results

JohnB
Explorer

If I do a search for something such as: uri="/this/or/that.html" over, say, an hour.

Once the search completes (finalizes), is there a way to subsearch on just those results returned without having to rerun the whole thing again?

For instance, I find something interesting from that result set as I am poking through it and now I want to search that result set for cookie="fred". I don't want to have to run the entire search again. You would think that running another search on that result set would make subsequent searches much faster (quicker to resolution).

Is this possible? It doesn't seem to work like that.

1 Solution

Lowell
Super Champion

You can "save" your search job (use "save results" from the actions menu), which includes the first 10,000 events. Then in a subsequent search you can reload that search and filter the results down even more, run some kind of chart/stats on the results, or use the results in a subsearch.

Unfortunately, the approach isn't exactly intuitive, but it can be done using the loadjob search command.

Here are some examples:

First run your base search and get the search id (the sid). You can find this from the job manager or the job inspector. Sometimes you'll see ?sid=.... at the end of the URL in your browser; that's the number you're looking for.

For the examples, I'm using a sid from my system, 1285798895.1194.

  1. To pull the results and do additional filtering, you can do a search like this:

    | loadjob 1285798895.1194 | search cookie="fred"

  2. To get stats on the same base search, run:

    | loadjob 1285798895.1194 | stats count, sum(bytes) as total_bytes by cookie | sort -total_bytes

  3. To do a subsearch based on data from your initial search, you could do something like this. (This search looks for errors (5xx series) and then uses that to search the entire access log for the sessions (based on clientip and cookie) so you can see the activity surrounding the error event.)

    sourcetype=access_common [ loadjob 1285798895.1194 | search status=5* | fields clientip, cookie ]

Hope that gives you some ideas to play around with.


gkanapathy
Splunk Employee

I don't think you mean "subsearch" in the way that Splunk uses the term. But the answer by Lowell is it. Basically, use loadjob. However, you should be aware that the results of previous searches may not include fields that you may expect or need in your subsequent search.
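An added example, not from the thread, that builds on Lowell's loadjob searches and gkanapathy's caveat about missing fields: the first search is the base search written so the job artifact keeps the fields needed later, the second checks the saved results for null fields before trusting them, and the third summarises saved 5xx activity per client session (the sid is the one Lowell used; the field names clientip, cookie, status, bytes and uri are assumed from the access_common sourcetype).

```spl
uri="/this/or/that.html" | fields + _time, clientip, cookie, status, bytes, uri

| loadjob 1285798895.1194
| stats count AS total_results, count(cookie) AS with_cookie, count(clientip) AS with_clientip

| loadjob 1285798895.1194 events=true
| search status=5*
| stats count AS errors, dc(uri) AS distinct_uris, earliest(_time) AS first_seen, latest(_time) AS last_seen BY clientip, cookie
| where errors >= 5
| sort - errors
```

Referencing the fields in the base search makes them required fields, so they are extracted even in Fast or Smart mode and survive in the saved job; count(cookie) only counts non-null values, so a gap between total_results and with_cookie tells you the field was never extracted for some events. The events=true option reloads the job's events rather than its final results.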

JohnB
Explorer

It does, however this might be a feature request. 10,000 events isn't a whole lot in some cases; we can have 10,000 events in a web log in just a minute or so. Thanks for the answer!
