I've been searching for the last day or so trying to find an answer, but unable to find one. I think I may be on the incorrect path. Apologies in advance for the newbie question.
I am trying to write a query that will search the index to find what a destination IP address is in syslog as a subsearch, and then take that result and use it as a filter to search on the source IP. This is to correlate the top talkers that are listed as a dst and then find those IPs that are returning as a source.
I've been trying:
index=daily scrip="$dstip" [search index=daily remark=internet dstip="*"]
This search runs, I get a subsearch message that it has reached its limit of 10000, but I get 0 matching events.
Help me Splunk answers, you're my only hope.
You need to tell the subsearch what fields you want to return to your outer search like this:
index=daily [search index=daily remark=internet dstip="*" | fields dstip | dedup dstip | rename dstip as srcip]
The subsearch will evaluate to an OR'd list of
The problem here is likely that you don't filter out which fields the subsearch should evaluate when returning its results to the main search.
By default, subsearch will take all fields in the final output of the search and create AND-ed filter conditions out of them. So for instance if you have one event with fieldA="1" and fieldB="2", and another with fieldA="A" and fieldB="B", the subsearch will create a filter looking something like this out of it:
(((fieldA="1") AND (fieldB="2")) OR ((fieldA="A") AND (fieldB="B")))
But in practice, events don't carry just a few fields like this - they also always have index, sourcetype, source, host, probably date_hour, date_wday and so on. Unless you filter these out before the end of the subsearch, the values for ALL of them will be included in the type of filter string shown above. You can have a look yourself at exactly what the subsearch will actually emit to the outer search by running the subsearch on its own and adding "| format" at the end (this is actually what the subsearch does implicitly).
index=daily remark=internet dstip="*" | format
The cure is to choose which fields should be evaluated using the fields command, so that only the fields that should be included in the filter string are there. I also threw "top" in there below so you only get the 100 unique top talkers. Adjust as you see fit.
index=daily [search index=daily remark=internet dstip="*" | top 100 dstip | fields dstip]
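To make the implicit "| format" behaviour from both answers concrete, here is an added Python model of it. This is not Splunk code and not from either answer; it approximates how a subsearch's result rows are turned into a filter string (fields within a row are AND-ed, rows are OR-ed), and it runs the same pipeline steps the answers recommend (fields, dedup, rename) on a small set of constructed events. The event records, field names and the exact spacing of the generated string are assumptions for illustration, not Splunk's precise output.

```python
from typing import Dict, Iterable, List

# Constructed sample rows: what a subsearch such as
#   index=daily remark=internet dstip="*"
# might hand back. Splunk attaches index/sourcetype/host/date_* to every event,
# which is exactly the noise the answers above are warning about.
SUBSEARCH_EVENTS: List[Dict[str, str]] = [
    {"dstip": "10.0.0.5", "index": "daily", "sourcetype": "syslog", "host": "fw1", "date_hour": "9"},
    {"dstip": "10.0.0.7", "index": "daily", "sourcetype": "syslog", "host": "fw1", "date_hour": "9"},
    {"dstip": "10.0.0.5", "index": "daily", "sourcetype": "syslog", "host": "fw2", "date_hour": "10"},
]


def keep_fields(events: Iterable[Dict[str, str]], fields: List[str]) -> List[Dict[str, str]]:
    """Model of `| fields a b`: drop every field not named."""
    return [{k: ev[k] for k in fields if k in ev} for ev in events]


def dedup(events: Iterable[Dict[str, str]], field: str) -> List[Dict[str, str]]:
    """Model of `| dedup field`: keep the first row seen for each value."""
    seen, out = set(), []
    for ev in events:
        if ev.get(field) not in seen:
            seen.add(ev.get(field))
            out.append(ev)
    return out


def rename(events: Iterable[Dict[str, str]], old: str, new: str) -> List[Dict[str, str]]:
    """Model of `| rename old AS new`, preserving field order."""
    return [{(new if k == old else k): v for k, v in ev.items()} for ev in events]


def splunk_format(events: List[Dict[str, str]]) -> str:
    """Approximate model of `| format`: AND the fields of each row, OR the rows.

    The real command also handles empty results and quoting of special
    characters; those cases are out of scope for this illustration.
    """
    if not events:
        raise ValueError("empty subsearch result: Splunk emits a match-nothing filter here")
    clauses = []
    for ev in events:
        terms = " AND ".join(f'{k}="{v}"' for k, v in ev.items())
        clauses.append(f"( {terms} )")
    return "( " + " OR ".join(clauses) + " )"


def naive_filter(events: List[Dict[str, str]]) -> str:
    """What the asker's subsearch emits: every field of every row ends up in the filter."""
    return splunk_format(events)


def tidy_filter(events: List[Dict[str, str]], src_field: str = "dstip", dst_field: str = "srcip") -> str:
    """The fix from the first answer: fields -> dedup -> rename, then format."""
    rows = rename(dedup(keep_fields(events, [src_field]), src_field), src_field, dst_field)
    return splunk_format(rows)


def outer_search(base: str, events: List[Dict[str, str]]) -> str:
    """Splice the generated filter into the outer search, as the subsearch does implicitly."""
    return f"{base} {tidy_filter(events)}"


if __name__ == "__main__":
    print("naive :", naive_filter(SUBSEARCH_EVENTS))
    print("tidy  :", tidy_filter(SUBSEARCH_EVENTS))
    print("outer :", outer_search("index=daily", SUBSEARCH_EVENTS))
```

Running it shows why the original query matched nothing: the naive filter demands host="fw1" AND date_hour="9" alongside the IP, while the tidied one reduces to an OR of srcip values that the outer search can actually satisfy.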