How to pipe the results of a search containing hos...

peterdawood · ‎10-26-2015

A noob here, but I have a need that I cannot seem to figure out.

Due to some internal politics that are slow in getting resolved, I cannot get them to create an index by server OS or by AD OU. I am trying to filter on Windows Servers. I need to understand how to take a search that returns host names and then pipe them to a search for, say an EventID. The search that I start with is

(index=ucs) host=* (WLS_WMI MonitorName="OperatingSystem") Caption=*Server* | dedup host

Thanks in advance.

somesoni2 · ‎10-26-2015

Try something like this. Basically use the subsearch to get host names and use those host name as filter in main/base search

..your base search like index=ucs...  [search (index=ucs) host=* (WLS_WMI MonitorName="OperatingSystem") Caption=*Server* | dedup host | table host] ..other filters like EventID="Something"

MuS · ‎10-26-2015

Hi peterdawood,

you can start with this search, where you add all additional fields to the base search:

(index=ucs) host=* (WLS_WMI MonitorName="OperatingSystem") Caption=*Server* EventID=* | deduce host

or you filter after the next | which will be not as efficient as the first search and you could also miss some events that does not contain host but contain EventID because the base search only searches for host:

(index=ucs) host=* (WLS_WMI MonitorName="OperatingSystem") Caption=*Server* | deduce host | search EventID=* | do more Splunk> Fu

And here is a freebie, read the slides and learn much about search efficiency: http://conf.splunk.com/session/2015/conf2015_JHarty_DuncanTurnbull_Splunk_UsingSplunkSearchLanguage_...

Hope this helps ...

cheers, MuS

How to pipe the results of a search containing host names to a new search?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life