Splunk Search

Searching over list from subsearch

adam_reber
Path Finder

I don't seem to be able to wrap my head around this search. I have a set of data that uses a unique ID to tie a chain of actions together across multiple events. I want to search through the index, find the IDs from all of the events that match match_criteria1, then return any event in the index that has one of those IDs.

name   ID   other field
------ ---  ----------------
event1  A   match_criteria1
event2  B   match_criteria1
event3  C   match_criteria1
event4  A   something
event5  B   something
event6  D   something else
event7  E   other data
event8  E   other data 2

Should return:

name   ID   other field
------ ---  ----------------
event1  A   match_criteria1
event2  B   match_criteria1
event3  C   match_criteria1
event4  A   something
event5  B   something

Any ideas?

0 Karma

somesoni2
SplunkTrust

Try something like this

index=Blah sourcetype=blah [search index=Blah sourcetype=blahh other_field=match_criteria1 | stats count by ID | table ID ] | table name ID other_field

adam_reber
Path Finder

Hmm.. that's exactly what I've seen examples of and tried, but it isn't returning any results. I need to do an eval on the criteria field, perhaps that is messing it up.

If you append a search like that, which is generating a single column table, is it equivalent to
"field=a OR field=b OR field=c"?
- OR -
"a OR b OR c"

0 Karma

somesoni2
SplunkTrust

Yes, the subsearch will generate the OR condition like that.
Could you share the query that you tried (and failed)? We can see any possible issues with that.

0 Karma
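Putting somesoni2's answer and the follow-up about the generated OR condition together, here is an added example that is not from the thread. It keeps the thread's placeholder index and sourcetype (`blah`) and the field names `name`, `ID` and `other_field` from adam_reber's table. The `criteria` field, the `like()` pattern and the `hits` field are assumptions standing in for whatever eval the asker actually needs.

```spl
index=blah sourcetype=blah
    [ search index=blah sourcetype=blah other_field=match_criteria1
      | stats count by ID
      | fields ID ]
| table name ID other_field

index=blah sourcetype=blah other_field=match_criteria1
| stats count by ID
| fields ID
| format

index=blah sourcetype=blah
    [ search index=blah sourcetype=blah
      | eval criteria=if(like(other_field, "match_criteria%"), "yes", "no")
      | search criteria="yes"
      | stats count by ID
      | fields ID ]
| table name ID other_field

index=blah sourcetype=blah
| eventstats count(eval(other_field="match_criteria1")) as hits by ID
| where hits > 0
| table name ID other_field
```

The first search is the answer's query with `fields ID` instead of `table ID`, so the subsearch hands back only the `ID` column. The second search is the debugging step: running the subsearch on its own with `| format` appended returns a single row whose `search` field reads `( ( ID="A" ) OR ( ID="B" ) OR ( ID="C" ) )` for the sample data, which answers the asker's question: the outer search receives `ID="A" OR ID="B" OR ID="C"`, not bare `A OR B OR C`. That also explains the most common reason such a query returns nothing: the field name the subsearch returns must be a field that exists on the outer events, so an eval'd or differently named field has to be renamed to `ID` inside the subsearch (third search, with a hypothetical eval). Subsearches are capped by `limits.conf` `[subsearch]` defaults of 10,000 results and 60 seconds, so with more distinct IDs than that the OR list is truncated and the Job Inspector messages will say so; the fourth search avoids the subsearch entirely with `eventstats`, marking every event whose `ID` also appears on a `match_criteria1` event, at the cost of reading the whole index once.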