Splunk Search

Combine 2 searches that have a subsearch

ludowillemans
Explorer

I want to get all events related to dnis=27159866.
I can perform this by getting all the events with a sessionid or parentsessionid linked to the dnis=27159866.

I have the following searches:

  1. To get all events with a sessionid linked to the dnis=27159866.
    The subsearch will get all sessionids linked to dnis=27159866, and then the search looks for all events with those sessionids.

    sourcetype=vxml [search dnis=27159866 | fields sessionid]

  2. To get all events with a parentsessionid linked to the dnis=27159866.
    The subsearch will get all sessionids linked to dnis=27159866, put them in the parentsessionid field, and then the search looks for all events with those parentsessionids.

    sourcetype=vxml [search dnis=27159866 | eval parentsessionid=sessionid | fields parentsessionid]

How can I combine those 2 searches in one search?
So events where sessionid OR parentsessionid is equal to a value returned from the subsearch.

1 Solution

tom_frotscher
Builder

Is it correct that both of your subsearches have the same results? The only difference I can see is that in the first subsearch everything you return is stored in the field called sessionid, and in the second subsearch you retrieve the same results but rename it to parentsessionid?

Isn't it possible to combine this to something like this:

sourcetype=vxml [search dnis=27159866 | eval parentsessionid=sessionid | fields sessionid parentsessionid]

It might be possible that you have to play around with the format command, to ensure that the results of your subsearch are concatenated as ((sessionid=123 OR parentsessionid=123) OR (sessionid=345 OR parentsessionid=345)...).

ludowillemans
Explorer

Yes, I added the format and I get the result that I wanted.

sourcetype=vxml [search dnis=27159866 | eval parentsessionid=sessionid | fields sessionid parentsessionid
| format "(" "(" "OR" ")" "OR" ")"]
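To show what the accepted answer and this follow-up are doing, here is an added Python model (not Splunk's code and not from either poster) of how `format` renders the subsearch rows into a clause, and which events each choice of delimiters matches; the dnis and vxml events below are constructed.

```python
# Added example: models Splunk's `format` rendering of subsearch rows so the
# default delimiters can be compared with the thread's custom ones.

DNIS_EVENTS = [  # constructed: what `search dnis=27159866` would return
    {"dnis": "27159866", "sessionid": "123"},
    {"dnis": "27159866", "sessionid": "345"},
]

def subsearch_rows(events):
    """`| eval parentsessionid=sessionid | fields sessionid parentsessionid`."""
    return [{"sessionid": e["sessionid"], "parentsessionid": e["sessionid"]}
            for e in events]

def format_clause(rows, row_prefix="(", col_prefix="(", col_sep="AND",
                  col_end=")", row_sep="OR", row_end=")"):
    """Render rows the way `format` does. The defaults mirror Splunk's
    implicit `format "(" "(" "AND" ")" "OR" ")"`; the thread's version
    replaces the column separator "AND" with "OR"."""
    cols = [f"{col_prefix} "
            + f" {col_sep} ".join(f'{k}="{v}"' for k, v in r.items())
            + f" {col_end}"
            for r in rows]
    return f"{row_prefix} " + f" {row_sep} ".join(cols) + f" {row_end}"

def matches(event, rows, require_both):
    """Clause semantics for one event: with the default delimiters a row
    needs both fields to match (AND); with the thread's delimiters either
    field is enough (OR)."""
    for r in rows:
        hits = [event.get(k) == v for k, v in r.items()]
        if (all(hits) if require_both else any(hits)):
            return True
    return False

VXML_EVENTS = [  # constructed sourcetype=vxml events
    {"sessionid": "123", "parentsessionid": None},   # the dnis session itself
    {"sessionid": "999", "parentsessionid": "123"},  # child of session 123
    {"sessionid": "777", "parentsessionid": "555"},  # unrelated session
]

def related_sessions(events, rows, require_both):
    """Return the sessionids of events the clause would keep."""
    return [e["sessionid"] for e in events if matches(e, rows, require_both)]

if __name__ == "__main__":
    rows = subsearch_rows(DNIS_EVENTS)
    print(format_clause(rows))               # default: AND inside each row
    print(format_clause(rows, col_sep="OR"))  # thread's format: OR inside
    print(related_sessions(VXML_EVENTS, rows, require_both=True))   # []
    print(related_sessions(VXML_EVENTS, rows, require_both=False))  # 123, 999
```

With the default delimiters an event would have to carry the same value in both sessionid and parentsessionid, so the child session 999 is never returned; switching the column separator to "OR" is what makes both the session and its children match.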

richgalloway
SplunkTrust

If this solves your problem, please convert the comment to an answer and accept it. This will help others with similar problems in the future.

---
If this reply helps you, Karma would be appreciated.