subsearch not returning selected field values

scc00
Contributor

I am trying to map a user's activity once they've logged into a VDI session to when they log into a specific application. My search is as follows: I have tried using the return, fields + and join commands to make this work. Each search returns values individually, but together I get nothing. Thoughts?

Searches:

index=* user=xxx* computer=vdi* 
    [ search sourcetype=something user=user1 event="*logged*" 
    | fields + user, event ] 
| eval hostname=coalesce(computer, host) 
| table _time, user, hostname, event 
| sort 0 -_time

OR

index=* user=xxx* computer=vdi* 
    [ search sourcetype=something user=user1 event="*logged*" 
    | return 100 user, event ] 
| eval hostname=coalesce(computer, host) 
| table _time, user, hostname, event 
| sort 0 -_time

OR

index=* user=xxx* computer=vdi* 
| join user max=0 
    [ search sourcetype=something user=user1 event="*logged*" 
    | fields + user, event ] 
| eval hostname=coalesce(computer, host) 
| table _time, user, hostname, event 
| sort 0 -_time

Updated to mark code.

0 Karma

DalJeanis
SplunkTrust

This is your first query. The only thing I've changed is to switch from fields to table and then added dedup.

index=* user=xxx* computer=vdi* 
    [ search sourcetype=something user=user1 event="*logged*" 
    | table user, event | dedup user, event] 
| eval hostname=coalesce(computer, host) 
| table _time, user, hostname, event 
| sort 0 - _time

The table command eliminates all fields except the ones listed, whereas the fields command leaves some internal fields like _time, which, after it goes through the implicit format command at the end of the subsearch (when it hits the close bracket ]), is going to mess with retrieving the records.

To see the difference, compare the output of these:

    sourcetype=something user=user1 event="*logged*" 
    | fields + user, event 
    | format 

    sourcetype=something user=user1 event="*logged*" 
    | table user, event 
    | format 

Updated to include the asterisks that the interface had removed from OP's search.

0 Karma

scc00
Contributor

Unfortunately, neither of these suggestions worked. I am trying to link user logins to user application activity. I am having some trouble bringing the two pieces together. Any thoughts around the best method to link the user login with the user application login, assuming the VDI login ID for the user may differ from the application user ID?

0 Karma

DalJeanis
SplunkTrust

Okay, I marked your code as code, so the asterisks showed up. I updated my code to include them.

"Did not work" doesn't give us anything to go on. Please be very specific about what does or does not occur. Did the last two samples produce any results? Did the difference make sense to you?

0 Karma

scc00
Contributor

My apologies. I meant the searches came back empty when I run each option you mentioned. If I separate the subsearch from the main search, it returns values, but not together.

index=* user=xxx* computer=vdi* 
    [ search sourcetype=something user=user1 event="*logged*" 
    | table user, event | dedup user, event ] 
| eval hostname=coalesce(computer, host) 
| table _time, user, hostname, event 
| sort 0 - _time

OR

index=* user=xxx* computer=vdi* 
    [ search sourcetype=something user=user1 event="*logged*" 
    | fields + user, event | dedup user, event ] 
| eval hostname=coalesce(computer, host) 
| table _time, user, hostname, event 
| sort 0 - _time

0 Karma

scc00
Contributor

Additionally, when I use the join command shown below it only gives me the main search. I need it to do a comparison between the user in the subsearch and pull only corresponding results from the main search specific to that user's activities. Sometimes the user may be different from the user within the subsearch.

index=* user=xxx* computer=vdi* 
| join user type=left 
    [ search sourcetype=something user=user1 event="*logged*" 
    | table user, event | dedup user, event ] 
| eval hostname=coalesce(computer, host) 
| table _time, user, hostname, event 
| sort 0 - _time

0 Karma
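The following is an added example, not code from the thread or from Splunk. It is a small Python model of the two mechanisms under discussion: DalJeanis's point that the subsearch's rows are turned into an OR of ANDed field=value pairs at the closing bracket (so any extra field such as _time that survives `fields +` becomes part of the filter), and scc00's observation that the outer events cannot be matched when the VDI user ID differs from the application user ID. The field-handling rules, the sample events and the ID_MAP identity lookup are all constructed assumptions for illustration; they approximate, rather than reproduce, what Splunk's `format` command emits.

```python
"""Toy model of how a Splunk subsearch becomes a filter on the outer search.

Constructed illustration (not Splunk's implementation): each subsearch row
becomes an AND of field="value" pairs, and the rows are OR'd together.
"""

# Constructed sample data: outer (VDI) events and subsearch (application) events.
VDI_EVENTS = [
    {"_time": 1700000000, "user": "u12345", "computer": "vdi-07", "event": "logon"},
    {"_time": 1700000300, "user": "u12345", "computer": "vdi-07", "event": "session reconnect"},
    {"_time": 1700000600, "user": "u99999", "computer": "vdi-02", "event": "logon"},
]
APP_EVENTS = [
    {"_time": 1700000120, "user": "user1", "sourcetype": "something", "event": "user logged in"},
    {"_time": 1700000900, "user": "user1", "sourcetype": "something", "event": "user logged out"},
]
# Assumed identity lookup: application user id -> VDI user id (not from the thread).
ID_MAP = {"user1": "u12345"}
# Internal fields that `fields + ...` keeps but `table ...` drops (model assumption).
INTERNAL = ("_time", "_raw", "_indextime")


def dedup(rows):
    """Model `dedup` over the whole row: keep the first copy of each distinct row."""
    seen, out = set(), []
    for row in rows:
        key = tuple(sorted(row.items()))
        if key not in seen:
            seen.add(key)
            out.append(row)
    return out


def keep_fields(rows, names, keep_internal):
    """Model `fields + a, b` (keep_internal=True) versus `table a, b` (False)."""
    out = []
    for row in rows:
        kept = {k: v for k, v in row.items()
                if k in names or (keep_internal and k in INTERNAL)}
        out.append(kept)
    return dedup(out)


def format_subsearch(rows):
    """Model the implicit `format` step: ( ( f="v" AND f="v" ) OR ( ... ) )."""
    clauses = [" AND ".join(f'{k}="{v}"' for k, v in sorted(row.items())) for row in rows]
    return "( " + " OR ".join(f"( {c} )" for c in clauses) + " )"


def matches(event, filter_rows):
    """An event passes when every field=value pair of at least one row is present."""
    return any(all(str(event.get(k)) == str(v) for k, v in row.items())
               for row in filter_rows)


def run(outer, filter_rows, id_map=None):
    """Apply the subsearch-derived filter to the outer events; optionally translate
    application user ids to VDI ids first, as a lookup would in SPL."""
    if id_map:
        filter_rows = [{**r, "user": id_map.get(r["user"], r["user"])} for r in filter_rows]
    return [e for e in outer if matches(e, filter_rows)]


if __name__ == "__main__":
    for label, names, internal in (("fields + user, event", {"user", "event"}, True),
                                   ("table user, event", {"user", "event"}, False),
                                   ("table user", {"user"}, False)):
        sub = keep_fields(APP_EVENTS, names, internal)
        print(f"{label:22s} -> {format_subsearch(sub)}")
        print(f"{'':22s}    matches without id map: {len(run(VDI_EVENTS, sub))},"
              f" with id map: {len(run(VDI_EVENTS, sub, ID_MAP))}")
```

Running the block shows the three outcomes side by side: with `fields +`, the `_time` values of the application events end up in the filter and nothing in the outer search can satisfy them; with `table user, event`, the filter demands the application's event text on VDI events, which also yields nothing; only when the subsearch returns just the user, and that user is translated to the VDI identity, do the VDI rows come back. In SPL terms, the equivalent move is to return only the join key from the subsearch and to normalise the two identities with a lookup before matching.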

gcusello
SplunkTrust

Hi scc00,
try something like this:

index=* user=xxx* computer=vdi* 
| join user type=left 
    [ search sourcetype=something user=user1 event="*logged*" 
    | fields user event ] 
| eval hostname=coalesce(computer, host) 
| table _time, user, hostname, event 
| sort 0 -_time

Bye.
Giuseppe

0 Karma

scc00
Contributor

Thanks Giuseppe; this only gives me one side of the data. I am trying to link user logins to user application activity. I am having some trouble bringing the two pieces together. Any thoughts around the best method to link the user login with the user application login?

0 Karma