Splunk Search

What is the best way to filter events from a search without running the search again?

LCM_BRogerson
Path Finder

I’m looking for a way to run a search on the results of a previous search. Subsearch won't work because I don't know what the second search will be until I get the results of the first.

The situation I keep finding myself in is after running a search that takes a long time and returns many events, I find a key/value that I want to use to narrow down the results to a smaller set. I.E. a search that returns all traffic logs and evaluates for the IPs with the highest bandwidth. Then I could want to filter that to workstation subnets and still evaluate for the highest bandwidth. And then search for all traffic from the top N workstations and evaluate for the highest bandwidth destination or service. Or go back to the original search and filter that to server subnets.
Instead of adding each new filter to the original search running it again and waiting, I’d like to search through the events that were first returned, drastically reducing the time it would take to run.

I’ve looked at the loadjob command but that has a limit of 25,000 events.

I've looked at the sitop command but that limits the second search to just a top. As far as I know top is limited to a count of events by field and I'm looking for more than just the count. In the example above I would need to make a summary of the sum of bandwidth.

Is there a way to save ALL of the results of a search and then run a search and/or transformation on those results?

I appreciate any advice you could give.

-BR

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi LCM_BRogerson,
if your search results don't be modified too often, you could run it periodically (e.g. every night or every hour depending by its updating frequency) and store results in a summary or in a tsidx file and then use this saves results as a base for your detail searches.
See http://docs.splunk.com/Documentation/Splunk/6.5.0/Report/Acceleratereports.
Bye.
Giuseppe

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi LCM_BRogerson,
if your search results don't be modified too often, you could run it periodically (e.g. every night or every hour depending by its updating frequency) and store results in a summary or in a tsidx file and then use this saves results as a base for your detail searches.
See http://docs.splunk.com/Documentation/Splunk/6.5.0/Report/Acceleratereports.
Bye.
Giuseppe

LCM_BRogerson
Path Finder

Hi Giuseppe,

Thank you for your reply. I did end up using the report acceleration method, as the the initial search doesn't change very often, and will then use the results of that to define a more filtered search. I haven't looked at the summary indexing yet but that does appear to be the best solution to my problem.

Thanks,
-BR

0 Karma

somesoni2
SplunkTrust
SplunkTrust

You can run your main search, which whatever format/fields that you need and store it in summary index. You can store any query results to summary index, not only the si command like sitop/sistats and later query from the summary index.

http://docs.splunk.com/Documentation/Splunk/6.5.0/Knowledge/Usesummaryindexing

rsennett_splunk
Splunk Employee
Splunk Employee

It sounds like you are actually looking for something like event sampling since what you're really talking about is a quick way to truly understand the data before you invest the time in doing a search over the whole amount.

https://docs.splunk.com/Documentation/Splunk/6.5.0/Search/Retrieveasamplesetofevents

another tool would be the pattern tab. That would show you collections of like data that could indicate things you want to include or exclude in your eventual search:

http://docs.splunk.com/Documentation/Splunk/6.5.0/Search/Identifyeventpatterns

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

LCM_BRogerson
Path Finder

Hi rsennett,

Thanks for your reply.
At the time I decided up using an accelerated report and take the results of that to further filter a new search. That was because I wanted to see a full summary of the original search, not a statistical summary.

Your idea of event sampling does work for getting a good idea of the data without having to to build a report, wait for the acceleration to run (and use up the extra disk space).

Thanks,
BR

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...