Hi All,
I stumbled into this difficulty when trying to create a child object that (I think ..) needs a subsearch. I have a log from my mail server as shown below; each line is an event. I set the sourcetype=SMTP_logs. I manually extracted some fields such as sessionid, mail_from, mail_to, and status.
I successfully created an object in my data model named "SMTP" which has the constraint string "sourcetype=SMTP_logs". OK, that part is easy.
And then I want to create a child object that only contains successful SMTP sessions. As in my log example below, sessionids 001 and 003 are successful, but not so with sessionid 002. How do I select only the events that have a successful sessionid? So only events from sessionids 001 and 003 are selected.
In a normal search, I could simply do a subsearch like [search sourcetype=SMTP status=successful | fields sessionid], which returns all the successful sessionids. I learned this technique from my previous question in this community forum. But pipes "|", as in "| fields sessionid", are not allowed in the constraint string when creating a child object.
Any suggestion on how to achieve this?
Sourcetype=SMTP_logs
00:05 [001] MAIL FROM : abc@domain1.com
00:05 [001] MAIL TO : xyz@domain2.com
00:06 [002] MAIL FROM : name@mydom.com
00:07 [001] SUBJECT : "Why dogs have 4 legs"
00:11 [002] Email from mydom.com is not allowed
00:11 [002] STATUS : terminated
00:11 [001] Receiving email data ..
00:12 [003] MAIL FROM : puppy@animal.com
00:13 [003] MAIL TO : klm@domain2.com
00:13 [003] SUBJECT : "A newborn puppy"
00:14 [001] Email data completed
00:14 [001] STATUS : successful
00:14 [003] Receiving email data ..
00:21 [003] Email data completed
00:21 [003] STATUS : successful
If you extract the status in your parent object, you can set the constraint on the child object to "status=successful" which will do the filtering you want.
Hi Frank,
The Child Object has an Inheritance aspect that functions as the "pipe".
Check out this example, which is basically what you're looking for:
http://docs.splunk.com/Documentation/Splunk/latest/PivotTutorial/Addchildobjects
So it isn't so much that a subsearch is required; you're just looking to filter on a particular status, and the child object inherits the previous constraints from the parent object... but only specifically as you designate.
So what you need to do is make sure that you have a parent object that is set up so that the child can inherit properly... think of each level as what lives "between the pipes", but you get to pick and choose which ones to use.
If you're not completely sure... you can test things out by creating a pivot on the data model and then using the job inspector to see the search that Splunk used... it will show you the whole thing spelled out in search language, and you can see if that's what you intended.
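As an added example (not code from the question or either answer), the following Python runs both selections over the sample log quoted in the question: the constraint `status=successful` on its own matches only the two STATUS events, while the subsearch approach from the question (collect the sessionids that have a successful STATUS, then keep every event carrying one of those ids) returns all twelve events of sessions 001 and 003. The regexes and function names are assumptions about how the fields were extracted, not the asker's actual extractions.

```python
import re

# Constructed sample: the SMTP_logs events quoted in the question above.
SMTP_LOGS = """\
00:05 [001] MAIL FROM : abc@domain1.com
00:05 [001] MAIL TO : xyz@domain2.com
00:06 [002] MAIL FROM : name@mydom.com
00:07 [001] SUBJECT : "Why dogs have 4 legs"
00:11 [002] Email from mydom.com is not allowed
00:11 [002] STATUS : terminated
00:11 [001] Receiving email data ..
00:12 [003] MAIL FROM : puppy@animal.com
00:13 [003] MAIL TO : klm@domain2.com
00:13 [003] SUBJECT : "A newborn puppy"
00:14 [001] Email data completed
00:14 [001] STATUS : successful
00:14 [003] Receiving email data ..
00:21 [003] Email data completed
00:21 [003] STATUS : successful
"""

EVENT_RE = re.compile(r"^(\d\d:\d\d) \[(\d+)\] (.*)$")   # time, sessionid, message (assumed format)
STATUS_RE = re.compile(r"^STATUS : (\w+)$")              # status field, present only on STATUS lines

def extract(raw):
    """Field extraction: one dict per event; 'status' exists only on STATUS lines."""
    events = []
    for m in filter(None, map(EVENT_RE.match, raw.splitlines())):
        ev = {"time": m.group(1), "sessionid": m.group(2), "msg": m.group(3)}
        s = STATUS_RE.match(ev["msg"])
        if s:
            ev["status"] = s.group(1)
        events.append(ev)
    return events

def status_filter(events, status="successful"):
    """What the constraint 'status=successful' alone matches: the STATUS events only."""
    return [e for e in events if e.get("status") == status]

def successful_sessions(events, status="successful"):
    """The subsearch [search status=successful | fields sessionid]: a set of sessionids."""
    return {e["sessionid"] for e in status_filter(events, status)}

def session_filter(events, status="successful"):
    """Outer search combined with the subsearch: every event of a successful session."""
    keep = successful_sessions(events, status)
    return [e for e in events if e["sessionid"] in keep]
```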