Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

subsearch or lookup from search results

stephenreece
New Member
‎08-21-2018 01:54 AM

Morning all,

In short I need to be able to run a CSV lookup search against all my Splunk logs to find all SessionID' s that relate to the unique identifier in my CSV (ID1).....and then use those SessionID's to search again and find a different Unique Identifier (ID2) held in the same logs.

I have no influence in the setup unfortunately... and i need to use the lookup first to isolate the right sessionID's belonging to ID1.

Finding the SessionID's associated with ID1 is fine, but i can't seem to run the search against the session ID's, and table ID2.

(effectively i need to table the results as we needs ID2 for further investigation.

Any thoughts (excuse the poor attempt below).

1st Lookup = * [inputlookup ID1.csv] detail.detail1!="detail1" AND detail.detail2="detail2" AND detail.Body="***" | table date_mday date_month ID1 SessionID

Updated search to include subsearcg (but i don't think it is pulling against the SessionID
* [inputlookup ID1.csv] detail.detail1!="detail1" AND detail.detail2="detail2" AND detail.Body="***" [search * SessionID]
| table date_mday date_month ID1 SessionID

Tags (1)
0 Karma
Reply

DalJeanis
Legend
‎08-21-2018 01:08 PM

Try something like this...

   index="foo1"   your other search terms not including sessionID or any time references

    [     
    your search that takes the lookup and gets the events with those SessionIDs 
    | fields _time SessionID
    | stats min(_time) as earliest max(_time) as latest by SessionID
    ]

| your search terms that process the events returned.

The search in square braces will equate to a complex test that looks like ....

 (  ( SessionId="value1" AND earliest="lowtime1" AND latest="hightime1" ) OR
    ( SessionId="value2" AND earliest="lowtime2" AND latest="hightime2" ) OR
    ( SessionId="value3" AND earliest="lowtime3" AND latest="hightime3" ) OR
...  )
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...