Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Using a result from a subsearch as

neonmonarch
Engager
‎02-25-2014 02:38 PM

Hi all,

I've been searching for the last day or so trying to find an answer, but unable to find one. I think I maybe on the incorrect path. Apologies in advance for the newbie question.

I am trying to write a query that will search the index that to find what a destination IP address is in syslog as a subsearch, and then take that result and use it as a filter to search on the source IP. This is to correlate the top talkers that are listed as a dst and then find those IP's that are returning as a source.

I've been trying:

index=daily scrip="$dstip" [search index=daily remark=internet dstip="*"]

This search runs, I get a subsearch message that it has reached it's limit of 10000, but I get 0 matching events.

Help me Splunk answers, you're my only hope.

Tags (2)
Reply

Ayn
Legend
‎02-25-2014 02:47 PM

The problem here is likely that you don't filter out which fields the subsearch should evaluate when returning its results to the main search.

By default, subsearch will take all fields in the final output of the search and create AND:ed filter conditions out of them. So for instance if you have one event with fieldA="1" and fieldB="2", and another with fieldA="A" and fieldB="B", the subsearch will create a filter looking something like this out of it:

(((fieldA="1") AND (fieldB="1")) OR ((fieldA="A") AND (fieldB="B")))

But in practice, events don't just carry just a few fields like this - they also always have index, sourcetype, source, host, probably date_hour, date_wday and so on. Unless you filter out these before the end of subsearch, the values for ALL these will be included in the type of filter string shown above. You can have a look yourself at exactly what the subsearch will actually emit to the outer search by running the subsearch on its own and add "| format" at the end (this is actually what the subsearch does implicitly).

index=daily remark=internet dstip="*" | format

The cure is to choose which fields should be evaluated using the fields command, so that only the fields that should be included in the filter string are there. I also threw "top" in there below so you only get the 100 unique top talkers. Adjust as you see fit.

index=daily [search index=daily remark=internet dstip="*" | top 100 dstip | fields dstip]
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-25-2014 02:43 PM

You need to tell the subsearch what fields you want to return to your outer search like this:

index=daily [search index=daily remark=internet dstip="*" | fields dstip | dedup dstip | rename dstip as srcip]

The subsearch will evaluate to an OR'd list of (srcip="value") pairs.

Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...