Use the result from first search into second search to obtain correlated result from both searches

dineshp
Explorer

I have a scenario like this:
Login logs are created when users (both admin and normal) log in to the website with a valid username. Upon successful authentication a session ID is provided; at this stage the log has both sessionid and username in the same log.
The admin username lands on a page that starts with "/admin//". The normal user lands on page "/user/*", but at this stage the log won't have username but still has the sessionid.

Now my goal is to search for all admin users (i.e. those who hit "/admin//"), and list the username, sessionid in the same place.

I have done something like this:

index=weblogs "/admin//" | table sessionid | dedup sessionid | rename sessionid to id append [search id | table id, username]

Not sure if I am doing it right in the latter search. Any help will be appreciated, thank you.


jeffland
SplunkTrust

When you do a subsearch, it will be evaluated first and the results of this search are used as arguments for the main search. See http://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutsubsearches

If I understood you correctly, you only have one log, but you don't always have a username to go with your sessionid (only once per login). Assuming your ids are unique, why don't you search for when your log has both username and sessionid? I'm thinking of something like
index = weblogs "/admin//" username=* sessionid=* | dedup sessionid | table sessionid, username

See if this does what you need.


dineshp
Explorer

Thank you for highlighting that the subsearch gets evaluated first, I will try and flip the query.
I know what you mean, but no, it won't work that way.
When you run this query: index = weblogs "/admin//" it filters out the log that has username in it. So the remaining logs (that have "/admin//") only have sessionid, not username.

Maybe this will work,
index=weblogs id | table id, username | append [ search index=weblogs "/admin//" | table sessionid | dedup sessionid | rename sessionid to id]


jeffland
SplunkTrust

You might want to have a look at format: http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Format
This will allow you to use a subsearch which produces a list of sessionid that you can directly use as arguments to your main search. When you try the subsearch as a standalone search, you'll see what I mean.
index = weblogs [search index = weblogs "/admin//" | table sessionid | dedup sessionid | format] | table sessionid, username

This subsearch should give you the sessionid for your "admin" logons, which combined with your full search enable you to correlate them with your username information. I'm not sure this is the best option available, though.

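A subsearch-free way to do the same correlation, added here as an example and not part of jeffland's or dineshp's posts: group every event by sessionid with stats, which also sidesteps the subsearch result limit (10,000 rows by default). It assumes the request path is extracted into a field named uri and that admin pages are the ones whose path starts with /admin/; sessionid and username are the field names used in the thread.

```spl
index=weblogs (uri="/admin/*" OR (username=* sessionid=*))
| eval is_admin_hit=if(like(uri, "/admin/%"), 1, 0)
| stats values(username) AS username,
        sum(is_admin_hit) AS admin_hits,
        min(_time) AS first_seen,
        max(_time) AS last_seen
        BY sessionid
| where admin_hits > 0 AND isnotnull(username)
| convert ctime(first_seen) ctime(last_seen)
| table sessionid, username, admin_hits, first_seen, last_seen
```

A sessionid that comes back with more than one username is worth a look on its own, since the scenario above expects exactly one login per session.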

dineshp
Explorer

Yup, this worked. Thank you so much.
