- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to get the latest of a group
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In all our logs we write out the PID of the unix process. In many cases I just want to look at the latest run of a script. I do this with a query like this
System=Shark [search System=Shark | head 1 | table Pid]
this will get the latest Pid for the system called "Shark" and return only results that contain that Pid. This works very well however it will match anything with that value, not just the Pid field. Eg, in the 2 logs below it will match both logs when I don't want it to match the second. Is there some way to tell it to only match the Pid field to the value calculated from the sub search? I tried Pid=[search...] but it didn't like that.
from latest run of script
System=Shark Message="Wrote some file" Pid=100
from previous run of script:
System=Shark Message="Deleted all files" Pid=99 FileCount=100
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The behaviour you want is really the default behaviour. You can run the subsearch on its own and add format at the end to see the exact filter string it emits to the outer search. Like this:
System=Shark | head 1 | table Pid | format
From there you can check how the filter is applied. To me it sounds like your Splunk instance for some reason is extracting other fields as "Pid" as well.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The behaviour you want is really the default behaviour. You can run the subsearch on its own and add format at the end to see the exact filter string it emits to the outer search. Like this:
System=Shark | head 1 | table Pid | format
From there you can check how the filter is applied. To me it sounds like your Splunk instance for some reason is extracting other fields as "Pid" as well.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oh, you just rename the field, easy. System=Shark | head 1 | table Pid | rename Pid as ParentPid
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hmmm, you are right, it isn't matching against FileCount=100. For some reason I thought it was. I'd still be interested to know how to specify the field that it does match. Say I wanted to get the latest Pid but then search for all processes where ParentPid is equal to that value, ie the same as "SELECT * FROM TableX WHERE ParentPid = (SELECT TOP 1 Pid FROM TableY)"
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
