Splunk Search

Using result of one search for another

splunk_new1
Explorer

Hi all! 

I am relatively new to Splunk and I am trying to use the results of one search in another search.

So...

index=index1 <conditions> or index=index2 <conditions>
| stats count by src servname
| fields src
| rename src as ip


Results: 
ip
1.1.1.1 
2.2.2.2
3.3.3.3 
4.4.4.4

In index3, the field is called ip.

Based off the returned ip list above, I would like to run:

index=index3 ip="1.1.1.1" or ip="2.2.2.2" or ip="3.3.3.3" or ip="4.4.4.4"
| stats count description by ip

But I can't seem to do it. When I make use of format or subsearches like

index=index3
[ search (index=index1 or index=index2 ...
]
| stats count description by ip

it seems to return me the results of all ips and their descriptions in index3 alone. The first subsearch's results ("1.1.1.1", "2.2.2.2", "3.3.3.3", etc.) do not get parsed into the index3 search as a variable. How can I make this happen?

*Pardon my explanation if it's too lengthy.

0 Karma
1 Solution

bowesmana
SplunkTrust

The 'or' must be in CAPS in your search, otherwise it's just a word, so your subsearch is probably not providing any IP addresses.

If you add 

| format

to the end of the subsearch and run the subsearch on its own, you will see what the return from the subsearch looks like.

Also, your subsearch is doing this:

| stats count by src servname
| fields src
| rename src as ip

There is little point in splitting by servname, as you may end up with duplicate ips in the return to the outer search, so remove that.


splunk_new1
Explorer

Thanks for your response! Yes, I did make use of the OR command. 

What's happening right now is that when I use

(index=index1 (conditions)) OR (index=index2 (conditions))
| fields src
| rename src as ip
| format

I get the result ( ( ip="1.1.1.1" ) OR ( ip="2.2.2.2" ) etc., just like how I want it.

If I copy that result and manually perform a 

index=index3 ( ( ip="1.1.1.1" ) OR ( ip="2.2.2.2" ) )
| stats count description by ip

I am able to properly get the results that I desire.

The issue now comes when I put everything together and have it automated: 

index=index3
      [ search (index=index1 (conditions)) OR (index=index2 (conditions))
              | fields src
              | rename src as ip
              | format ]
| stats count description by ip

For some reason, the ip values from the subsearch (index=index1 OR index=index2) do not get passed to the index3 search.

When I run the search, I get lots of other ip addresses that are not even generated from the results of the subsearch.

0 Karma

bowesmana
SplunkTrust

@splunk_new1 

Firstly, in the real subsearch you don't need format, as that is done automatically by the return from the subsearch; it's just a way to see what the subsearch would do when run on its own.

What data volume is getting returned from the subsearch? You are not aggregating by ip in the subsearch, so you will get duplicate ip=x conditions, one for each row returned. All you really need in the subsearch is

index=index3
      [ search (index=index1 (conditions)) OR (index=index2 (conditions))
              | stats count by src
              | rename src as ip
              | fields ip ]
| stats count by ip

Note: In the above I removed 'description' from the final stats, as your example was not a valid stats command.

After you run your current search, have you looked at the 'Job' dropdown tab to see if there are any notifications about the search? If you have more than 10000 results from your subsearch, you would see a message here.

0 Karma
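To make the two points in the replies concrete (the subsearch must yield one row per ip, and what the outer search actually receives is the OR-of-ANDs that `| format` displays), here is an added Python model. It is not Splunk's implementation and not code from anyone in this thread; the field names src, servname and ip follow the thread, while the sample events, the assumed default limit of 10000 subsearch rows, and the assumption that an empty subsearch adds no restriction are constructed for illustration.

```python
# Added illustration, not Splunk's implementation and not code from this
# thread: a small model of how a subsearch's result rows are rendered into
# the boolean clause the outer search receives (what `| format` displays).
# The field names src, servname and ip follow the thread; the events below
# and the 10000 row limit are constructed/assumed for illustration.

SUBSEARCH_MAXOUT = 10000  # assumed default number of rows a subsearch may return

# Constructed events standing in for what index1/index2 return.
INDEX12_EVENTS = [
    {"src": "1.1.1.1", "servname": "http"},
    {"src": "1.1.1.1", "servname": "ssh"},
    {"src": "2.2.2.2", "servname": "http"},
    {"src": "3.3.3.3", "servname": "dns"},
    {"src": "3.3.3.3", "servname": "dns"},
]

# Constructed events standing in for index3, where the field is called ip.
INDEX3_EVENTS = [
    {"ip": "1.1.1.1", "description": "vpn gateway"},
    {"ip": "2.2.2.2", "description": "scanner"},
    {"ip": "9.9.9.9", "description": "unrelated host"},
]


def stats_count_by(events, *by):
    """`| stats count by <by...>`: one row per distinct combination, first-seen order."""
    counts = {}
    for event in events:
        key = tuple(event[field] for field in by)
        counts[key] = counts.get(key, 0) + 1
    return [dict(zip(by, key), count=n) for key, n in counts.items()]


def fields(rows, *keep):
    """`| fields <keep...>`: drop every other field, but keep every row."""
    return [{f: row[f] for f in keep if f in row} for row in rows]


def rename(rows, old, new):
    """`| rename <old> AS <new>`."""
    return [{(new if k == old else k): v for k, v in row.items()} for row in rows]


def format_clause(rows, maxout=SUBSEARCH_MAXOUT):
    """Render rows as `( ( f="v" AND g="w" ) OR ( ... ) )`, one disjunct per row.
    Nothing is deduplicated here, so duplicate rows become duplicate disjuncts,
    and rows beyond `maxout` are dropped (the condition the Job menu warns about)."""
    disjuncts = []
    for row in rows[:maxout]:
        conjunction = " AND ".join(f'{k}="{v}"' for k, v in row.items())
        disjuncts.append(f"( {conjunction} )")
    return ("( " + " OR ".join(disjuncts) + " )") if disjuncts else ""


def outer_search(events, subsearch_rows):
    """Apply the OR-of-ANDs to the outer search's events. Modelling assumption:
    an empty subsearch adds no restriction, so every event passes, which is the
    'all ips in index3' symptom described in the question."""
    if not subsearch_rows:
        return list(events)
    return [e for e in events
            if any(all(e.get(k) == v for k, v in row.items()) for row in subsearch_rows)]


def naive_subsearch(events=INDEX12_EVENTS):
    """The question's subsearch: split by servname, drop it, then rename src.
    Dropping servname after the split leaves one row per (src, servname) pair,
    so the same ip can appear several times."""
    rows = stats_count_by(events, "src", "servname")
    return rename(fields(rows, "src"), "src", "ip")


def fixed_subsearch(events=INDEX12_EVENTS):
    """The accepted answer's subsearch: aggregate by src only, so each ip is
    returned once, then rename and keep only ip."""
    rows = stats_count_by(events, "src")
    return fields(rename(rows, "src", "ip"), "ip")


if __name__ == "__main__":
    print("naive :", format_clause(naive_subsearch()))
    print("fixed :", format_clause(fixed_subsearch()))
    matched = outer_search(INDEX3_EVENTS, fixed_subsearch())
    print("index3 | stats count by ip ->", stats_count_by(matched, "ip"))
    print("empty subsearch matches", len(outer_search(INDEX3_EVENTS, [])),
          "of", len(INDEX3_EVENTS), "index3 events")
```

Running it shows the naive pipeline producing `ip="1.1.1.1"` twice (one disjunct per src/servname pair), the fixed pipeline producing three distinct disjuncts, and an empty subsearch letting every index3 event through, which is exactly why checking the subsearch on its own with `| format` and the Job notifications is the first diagnostic step.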