subsearch or lookup from search results

stephenreece
New Member

Morning all,

In short, I need to be able to run a CSV lookup search against all my Splunk logs to find all SessionIDs that relate to the unique identifier in my CSV (ID1), and then use those SessionIDs to search again and find a different unique identifier (ID2) held in the same logs.

I have no influence in the setup unfortunately... and I need to use the lookup first to isolate the right SessionIDs belonging to ID1.

Finding the SessionIDs associated with ID1 is fine, but I can't seem to run the search against the SessionIDs and table ID2.

(Effectively I need to table the results, as we need ID2 for further investigation.)

Any thoughts? (Excuse the poor attempt below.)

1st lookup:

    * [inputlookup ID1.csv] detail.detail1!="detail1" AND detail.detail2="detail2" AND detail.Body="***" | table date_mday date_month ID1 SessionID

Updated search to include a subsearch (but I don't think it is pulling against the SessionID):

    * [inputlookup ID1.csv] detail.detail1!="detail1" AND detail.detail2="detail2" AND detail.Body="***" [search * SessionID]
    | table date_mday date_month ID1 SessionID


DalJeanis
Legend

Try something like this...

    index="foo1" your other search terms not including SessionID or any time references
        [
        your search that takes the lookup and gets the events with those SessionIDs
        | fields _time SessionID
        | stats min(_time) as earliest max(_time) as latest by SessionID
        ]
    | your search terms that process the events returned.

The search in square braces will equate to a complex test that looks like...

    (  ( SessionId="value1" AND earliest="lowtime1" AND latest="hightime1" ) OR
       ( SessionId="value2" AND earliest="lowtime2" AND latest="hightime2" ) OR
       ( SessionId="value3" AND earliest="lowtime3" AND latest="hightime3" ) OR
    ...  )
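Putting the template above together with the field names from the question, as an added example that is not from either poster: the inner search turns the lookup's ID1 values into a filter, collapses the matching events to one time window per SessionID, and the outer search then pulls every event inside those windows so ID2 can be collected alongside ID1. The index name foo1 is borrowed from the answer, and the lookup is assumed to have a column named ID1 that matches the event field of the same name.

```spl
index="foo1" detail.detail1!="detail1" AND detail.detail2="detail2"
    [ search index="foo1" detail.detail1!="detail1" AND detail.detail2="detail2" AND detail.Body="***"
          [ inputlookup ID1.csv | fields ID1 ]
      | fields _time SessionID
      | stats min(_time) AS earliest max(_time) AS latest BY SessionID
      | eval latest=latest+1 ]
| stats values(ID1) AS ID1 values(ID2) AS ID2 min(_time) AS first_seen BY SessionID
| where isnotnull(ID2)
```

The `eval latest=latest+1` is there because `latest` is exclusive, so a session whose only event sits exactly at `latest` would otherwise return nothing. To check what the bracketed subsearch actually expands to, run it on its own with `| format` appended, and keep the subsearch result and timeout limits in mind if the lookup or the session list is large.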