Splunk Search

Combine results of subsearch into single value

kholleran
Communicator

Hello,

Right now I have a search that says:

source="syslog" minutesago="20" | APPEND [search host="SERVER" Event="SUCCESSFUL_LOGIN" minutesago=30 | fields Account_Name]

So the first search returns some results. What I want to do is have a single value from the multiple results of the second search. So, the sub search returns results like:

Account1 Account2 Account3

My goals is to have this a single value that is appended to each result of the first search

Result1 - Account1,Account2,Account3 Result2 - Account1,Account2,Account3

Or something along those lines. Basically, when the syslog is triggered, I want to know who logged into SERVER in the last half hour.

I was looking at the mvjoin() function but I am not sure how to pass the search results to it.

Thanks for any help.

Kevin

Tags (3)

Stephen_Sorkin
Splunk Employee
Splunk Employee

You can use the join command instead of the append command to enrich the results of the outer search.

Assuming your subsearch yields just one result, and there were no fields in common to tie the searches together, you would write the search as:

source="syslog" minutesago="20"
| eval id = 1
| join id [search host="SERVER" Event="SUCCESSFUL_LOGIN" minutesago=30 | fields Account_Name | eval id = 1]

If you do have an id to tie the rows from the subsearch to the outer search, you can drop the evals and use the field name as the first argument to join.

Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...