Splunk Search

Subsearch in Pivot child object creation

frankagustinus
Explorer

Hi All,

I stumbled into this difficulty when trying to create a child object that (I think ..) needs a subsearch. I have a log from my mailserver as shown below .. each line is an event. I set the sourcetype=SMTP_logs. I manually extracted some fields such as sessionid, mail_from, mail_to, and status.

I successfully created an object in my data model named "SMTP" which has the constraint string "sourcetype=SMTP_logs". OK, that part is easy.

And then I want to create a child object that only contains successful SMTP sessions. As in my log example below, sessionid 001 and 003 are successful, but not so with sessionid 002. How do I select only the events that have a successful sessionid? So only events from sessionid 001 and 003 are selected.

In a normal search, I could simply do a subsearch like [search sourcetype=SMTP status=successful | fields sessionid], which returns all the successful sessionids. I learned this technique from my previous question in this community forum. But pipes "|" as in "| fields sessionid" are not allowed in the constraint strings when doing child object creation.

Any suggestion on how to achieve this ?

Sourcetype=SMTP_logs

00:05 [001] MAIL FROM : abc@domain1.com
00:05 [001] MAIL TO : xyz@domain2.com
00:06 [002] MAIL FROM : name@mydom.com
00:07 [001] SUBJECT : "Why dogs have 4 legs"
00:11 [002] Email from mydom.com is not allowed
00:11 [002] STATUS : terminated
00:11 [001] Receiving email data ..
00:12 [003] MAIL FROM : puppy@animal.com
00:13 [003] MAIL TO : klm@domain2.com
00:13 [003] SUBJECT : "A newborn puppy"
00:14 [001] Email data completed
00:14 [001] STATUS : successful
00:14 [003] Receiving email data ..
00:21 [003] Email data completed
00:21 [003] STATUS : successful

0 Karma
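To make the two-step selection in the question concrete, here is an added example (not part of the original post, and not Splunk's own code) that replays the subsearch logic in plain Python over the sample log lines from the post. The regexes for sessionid, mail_from, mail_to and status are my own assumptions about how the question's manual field extractions were written. It shows the difference between keeping only the events that themselves carry status=successful (two STATUS lines) and keeping every event of a session whose status is successful (all twelve events of sessionid 001 and 003, as the question asks for).

```python
import re
from typing import Dict, List

# Sample events constructed from the question (sourcetype=SMTP_logs), one event per line.
SMTP_LOGS = """\
00:05 [001] MAIL FROM : abc@domain1.com
00:05 [001] MAIL TO : xyz@domain2.com
00:06 [002] MAIL FROM : name@mydom.com
00:07 [001] SUBJECT : "Why dogs have 4 legs"
00:11 [002] Email from mydom.com is not allowed
00:11 [002] STATUS : terminated
00:11 [001] Receiving email data ..
00:12 [003] MAIL FROM : puppy@animal.com
00:13 [003] MAIL TO : klm@domain2.com
00:13 [003] SUBJECT : "A newborn puppy"
00:14 [001] Email data completed
00:14 [001] STATUS : successful
00:14 [003] Receiving email data ..
00:21 [003] Email data completed
00:21 [003] STATUS : successful
"""

# Assumed event layout: "<HH:MM> [<sessionid>] <message>".
EVENT_RE = re.compile(r"^(?P<time>\d{2}:\d{2}) \[(?P<sessionid>\d+)\] (?P<message>.*)$")

# Assumed per-event field extractions, mirroring the manually extracted fields in the question.
FIELD_RES = {
    "mail_from": re.compile(r"^MAIL FROM : (\S+)$"),
    "mail_to": re.compile(r"^MAIL TO : (\S+)$"),
    "status": re.compile(r"^STATUS : (\w+)$"),
}


def parse_events(raw: str) -> List[Dict[str, str]]:
    """Turn raw log text into one dict per event with the extracted fields."""
    events: List[Dict[str, str]] = []
    for line in raw.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # not an SMTP_logs event line; skip instead of guessing
        event = m.groupdict()
        for field, rx in FIELD_RES.items():
            fm = rx.match(event["message"])
            if fm:
                event[field] = fm.group(1)
        events.append(event)
    return events


def filter_status_successful(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Per-event filter: only the events that themselves have status=successful."""
    return [e for e in events if e.get("status") == "successful"]


def successful_sessionids(events: List[Dict[str, str]]) -> List[str]:
    """The subsearch: [search sourcetype=SMTP_logs status=successful | fields sessionid]."""
    return sorted({e["sessionid"] for e in filter_status_successful(events)})


def filter_successful_sessions(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """The outer search: keep every event whose sessionid is in the subsearch result."""
    wanted = set(successful_sessionids(events))
    return [e for e in events if e["sessionid"] in wanted]


if __name__ == "__main__":
    evs = parse_events(SMTP_LOGS)
    print(len(evs), "events parsed")
    print("status=successful alone keeps", len(filter_status_successful(evs)), "events")
    print("successful sessionids:", successful_sessionids(evs))
    for e in filter_successful_sessions(evs):
        print(e["time"], e["sessionid"], e["message"])
```

The second pass is what the question's subsearch expresses: the session ids are collected first, then every event of those sessions is kept, which is why the result includes the MAIL FROM, MAIL TO and SUBJECT lines of sessions 001 and 003 and not only their STATUS lines.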

aneels_splunk
Splunk Employee

If you extract the status in your parent object, you can set the constraint on the child object to "status=successful" which will do the filtering you want.

0 Karma

rsennett_splunk
Splunk Employee

Hi Frank,

The Child Object has an Inheritance aspect that functions as the "pipe".
Check out this example, which is basically what you're looking for:

http://docs.splunk.com/Documentation/Splunk/latest/PivotTutorial/Addchildobjects

So it isn't so much a sub search required as you're just looking to filter on a particular status and the child object inherits the previous constraints from the parent object... but only specifically as you designate.

So what you need to do is make sure that you have a parent object that is set up so that the child can inherit properly... think of each level as what lives "between the pipes" but you get to pick and choose which ones to use.

If you're not completely sure... you can test things out by creating a pivot on the data model and then using the job inspector to see the search that Splunk used... it will show you the whole thing spelled out in search language and you can see if that's what you intended.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma