subsearch not returning selected field values

I am trying to map a user's activity once they've logged into a VDI session to when they log into a specific application. My searches are as follows. I have tried using the return, fields + and join commands to make this work. Each search returns values individually, but together I get nothing. Thoughts?

Searches:

index=* user=xxx* computer=vdi* [search sourcetype=something user=user1 event=*"logged"* | fields + user, event] | eval hostname=coalesce(computer, host) | table _time, user, hostname, event |sort 0 -_time

OR

index=* user=xxx* computer=vdi* [search sourcetype=something user=user1 event=*"logged"* | return 100 user, event] | eval hostname=coalesce(computer, host) | table _time, user, hostname, event |sort 0 -_time

OR

index=* user=xxx* computer=vdi* | join user max=0 [search sourcetype=something user=user1 event=*"logged"* | fields + user, event] | eval hostname=coalesce(computer, host) | table _time, user, hostname, event |sort 0 -_time

Updated to mark code.


Re: subsearch not returning selected field values

Hi scc00,
try something like this:

index=* user=xxx* computer=vdi*
| join user type=left [search sourcetype=something user=user1 event="*logged*" | fields user event ]
| eval hostname=coalesce(computer, host)
| table _time, user, hostname, event
| sort 0 -_time

Bye.
Giuseppe


Re: subsearch not returning selected field values

Thanks Giuseppe, but this only gives me one side of the data. I am trying to link user logins to user application activity. I am having some trouble bringing the two pieces together. Any thoughts on the best method to link the user login with the user application login?


Re: subsearch not returning selected field values


This is your first query. The only thing I've changed is to switch from fields to table and then added dedup.

index=* user=xxx* computer=vdi* 
    [ search sourcetype=something user=user1 event="*logged*" 
    | table user, event | dedup user, event] 
| eval hostname=coalesce(computer, host) 
| table _time, user, hostname, event 
| sort 0 - _time

The table command eliminates all fields except the ones listed, whereas the fields command leaves some internal fields like _time, which, after it goes through the implicit format command at the end of the subsearch (when it hits the close bracket ]), is going to mess with retrieving the records.

To see the difference, compare the output of these:

    sourcetype=something user=user1 event="*logged*" 
    | fields + user, event 
    | format 

    sourcetype=something user=user1 event="*logged*" 
    | table user, event 
    | format 

Updated to include the asterisks that the interface had removed from OP's search.

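As an added illustration (not code from any poster in this thread): every field a subsearch returns becomes an AND term in the expanded search, and each row becomes an OR branch, so returning event (or an internal field such as _time) constrains the outer search on values the VDI events will not carry. The version below reduces the subsearch to the user key only, using the thread's own placeholder index, sourcetype and field names; the second search shows the literal string the outer search receives.

```spl
index=* user=xxx* computer=vdi*
    [ search sourcetype=something user=user1 event="*logged*"
      | stats count BY user
      | fields user ]
| eval hostname=coalesce(computer, host)
| table _time, user, hostname, event
| sort 0 -_time

sourcetype=something user=user1 event="*logged*"
| stats count BY user
| fields user
| format
```

Because stats produces no internal fields, the second search yields a user="..." term per application user and nothing else; if the VDI and application identifiers differ, rename the subsearch key to the outer field name (for example, `| rename app_user AS user`, an assumed field name) before the closing bracket.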

Re: subsearch not returning selected field values

Unfortunately, neither of these suggestions worked. I am trying to link user logins to user application activity. I am having some trouble bringing the two pieces together. Any thoughts on the best method to link the user login with the user application login, assuming the VDI login ID for the user may differ from the application user ID?


Re: subsearch not returning selected field values


Okay, I marked your code as code, so the asterisks showed up. I updated my code to include them.

"Did not work" doesn't give us anything to go on. Please be very specific about what does or does not occur. Did the last two samples produce any results? Did the difference make sense to you?


Re: subsearch not returning selected field values

My apologies. I meant that the searches came back empty when I ran each option you mentioned. If I separate the subsearch from the main search, it returns values, but not together.

index=* user=xxx* computer=vdi* [ search sourcetype=something user=user1 event="logged"
| table user, event | dedup user, event] | eval hostname=coalesce(computer, host)
| table _time, user, hostname, event
| sort 0 - _time

OR
index=* user=xxx* computer=vdi* [ search sourcetype=something user=user1 event="logged"
| fields+ user, event | dedup user, event] | eval hostname=coalesce(computer, host)
| table _time, user, hostname, event
| sort 0 - _time


Re: subsearch not returning selected field values

Additionally, when I use the join command shown below, it only gives me the main search. I need it to do a comparison between the user in the subsearch and pull only the corresponding results from the main search specific to that user's activities. Sometimes the user may be different from the user within the subsearch.

index=* user=xxx* computer=vdi* | join user type=left [ search sourcetype=something user=user1 event="logged"
| table user, event | dedup user, event] | eval hostname=coalesce(computer, host)
| table _time, user, hostname, event
| sort 0 - _time
