Using result of one search for another

splunk_new1
Explorer

Hi all! 

I am relatively new to Splunk and I am trying to use the results of one search for another search.

So...

index=index1 <conditions> or index=index2 <conditions>
| stats count by src servname
| fields src
| rename src as ip


Results: 
ip
1.1.1.1 
2.2.2.2
3.3.3.3 
4.4.4.4

In index3, the field is called ip.

Based on the returned ip list above, I would like to run:

index=index3 ip="1.1.1.1" or ip="2.2.2.2" or ip="3.3.3.3" or ip="4.4.4.4"
| stats count description by ip

But I can't seem to do it. When I make use of format or subsearches like

index=index3
[ search (index=index1 or index=index2 ... 
]

| stats count description by ip

it seems to return results for all ips and their description in index3 only. The first subsearch's results ("1.1.1.1", "2.2.2.2", "3.3.3.3", etc.) do not get passed into the index3 search as a variable. How can I make this happen?

*Pardon my explanation if it's too lengthy.
 


bowesmana
SplunkTrust

The 'or' must be in CAPS in your search, otherwise it's just a word, so your subsearch is probably not providing any IP addresses.

If you add 

| format

to the end of the subsearch and run the subsearch on its own, you will see what the return from the subsearch looks like.

Also, your subsearch is doing this

| stats count by src servname
| fields src
| rename src as ip

there is little point in splitting by servname, as you may end up with duplicate ips in the return to the outer search, so remove that.


splunk_new1
Explorer

Thanks for your response! Yes, I did make use of the OR command. 

What's happening right now is, when I use

(index=index1 (conditions)) OR (index=index2 (conditions))
| fields src
| rename src as ip
| format

I get the result ( ( ip="1.1.1.1" ) OR ( ip="2.2.2.2" ) ... etc., just like how I want it.

If I copy that result and manually perform a 

index=index3 ( ( ip="1.1.1.1" ) OR ( ip="2.2.2.2" ) )
| stats count description by ip

I am able to properly get the results that I desire.

The issue now comes when I put everything together and have it automated: 

index=index3
      [ search (index=index1 (conditions)) OR (index=index2 (conditions))
              | fields src
              | rename src as ip
              | format ]
| stats count description by ip

For some reason, the ip values from the subsearch (index=index1 OR index=index2) do not get passed to the index3 search.

When I run the search, I get lots of other ip addresses that are not even generated by the results of the subsearch.


bowesmana
SplunkTrust

@splunk_new1 

Firstly, in the real subsearch you don't need format, as that is done automatically on return from the subsearch; it's just a way to see what the subsearch would do when run on its own.

What data volume is getting returned from the subsearch? You are not aggregating by ip in the subsearch, so you will get duplicate ip=x conditions, one for each row returned. All you really need in the subsearch is

index=index3
      [ search (index=index1 (conditions)) OR (index=index2 (conditions))
              | stats count by src
              | rename src as ip
              | fields ip ]
| stats count by ip

Note: In the above I removed 'description' in the final stats, as your example was not a valid stats command.

After you run your current search, have you looked at the 'Job' dropdown tab to see if there are any notifications about the search? If you have more than 10000 results from your subsearch, you would see a message there.

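To make the behaviour described in the replies above concrete, here is an added Python example (not Splunk's code and not from any poster in the thread) that simulates how Splunk expands a subsearch's rows into the `( ip="..." ) OR ...` expression that `| format` displays. It uses constructed sample events and assumed function names, and shows why skipping `stats count by src` yields duplicate terms and how the 10000-row subsearch cap truncates the list.

```python
# Added illustration (not Splunk's code, not from any poster): simulate how
# Splunk expands a subsearch into the outer search, i.e. what `| format` shows.
SUBSEARCH_MAXOUT = 10000  # default cap on rows a subsearch may return

# Constructed sample events as `index=index1 OR index=index2` might return
# them before aggregation: one row per event, so the same src repeats.
SUBSEARCH_EVENTS = [
    {"src": "1.1.1.1", "servname": "ssh"},
    {"src": "1.1.1.1", "servname": "http"},
    {"src": "2.2.2.2", "servname": "ssh"},
    {"src": "3.3.3.3", "servname": "dns"},
    {"src": "1.1.1.1", "servname": "ssh"},
]


def stats_count_by(rows, fields):
    """Mimic `| stats count by <fields>`: one row per distinct combination."""
    counts = {}
    for row in rows:
        key = tuple(row[f] for f in fields)
        counts[key] = counts.get(key, 0) + 1
    return [dict(zip(fields, key), count=n) for key, n in counts.items()]


def format_subsearch(rows, field="ip", maxout=SUBSEARCH_MAXOUT):
    """Mimic `| format` for rows carrying one field: each row becomes
    ( field="value" ), joined by OR and wrapped in parentheses. Rows past
    maxout are dropped, which is how Splunk truncates an oversized subsearch."""
    terms = [f'( {field}="{row[field]}" )' for row in rows[:maxout]]
    if not terms:
        return "NOT ( )"  # approximates format's default emptystr output
    return "( " + " OR ".join(terms) + " )"


def build_outer_search(events, aggregate=True):
    """Reproduce the two subsearch pipelines from the thread.
    aggregate=False: `| fields src | rename src as ip` (no stats), so every
    event contributes a term and the same ip appears repeatedly.
    aggregate=True:  `| stats count by src | rename src as ip | fields ip`."""
    rows = stats_count_by(events, ["src"]) if aggregate else events
    ip_rows = [{"ip": row["src"]} for row in rows]  # the `rename src as ip`
    return f"index=index3 {format_subsearch(ip_rows)} | stats count by ip"


if __name__ == "__main__":
    print(build_outer_search(SUBSEARCH_EVENTS, aggregate=False))
    print(build_outer_search(SUBSEARCH_EVENTS))
```

Splitting by `servname` as well (`stats_count_by(events, ["src", "servname"])`) still leaves the same ip in several rows, which is the duplication the accepted answer warns about.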

