Splunk Search

How to pipe the results of a search containing host names to a new search?

peterdawood
New Member

A noob here, but I have a need that I cannot seem to figure out.

Due to some internal politics that are slow in getting resolved, I cannot get them to create an index by server OS or by AD OU. I am trying to filter on Windows Servers. I need to understand how to take a search that returns host names and then pipe them to a search for, say, an EventID. The search that I start with is

(index=ucs) host=* (WLS_WMI MonitorName="OperatingSystem") Caption=*Server* | dedup host

Thanks in advance.


somesoni2
SplunkTrust

Try something like this. Basically, use the subsearch to get the host names and use those host names as a filter in the main/base search:

..your base search like index=ucs...  [search (index=ucs) host=* (WLS_WMI MonitorName="OperatingSystem") Caption=*Server* | dedup host | table host] ..other filters like EventID="Something"
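A complete form of the subsearch approach described above, added here as an example and not taken from the answer itself. It keeps the index and field names from the thread (index=ucs, WLS_WMI, MonitorName, Caption, host); the event ID 4625 (a Windows failed-logon event) is only an illustrative value standing in for EventID="Something", and the final stats line is an assumed way of summarising the result:

```spl
index=ucs EventID=4625
    [ search index=ucs WLS_WMI MonitorName="OperatingSystem" Caption=*Server*
      | dedup host
      | fields host ]
| stats count AS failed_logons BY host, EventID
| sort - failed_logons
```

Splunk runs the bracketed subsearch first and rewrites its rows into a filter of the form (host="a") OR (host="b") OR ..., which is then ANDed with the outer search; `fields host` (or `table host`) matters because every field the subsearch returns becomes part of that filter. Two checks worth doing before trusting the result: run the inner search on its own with `| format` appended to see the exact filter being generated, and remember that subsearches are capped by default at 10,000 results and 60 seconds (limits.conf, [searchresults] subsearch_maxout and subsearch_maxtime), after which the host list is silently truncated, so a large server estate can quietly drop hosts from the outer search.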

MuS
SplunkTrust

Hi peterdawood,

you can start with this search, where you add all additional fields to the base search:

(index=ucs) host=* (WLS_WMI MonitorName="OperatingSystem") Caption=*Server* EventID=* | dedup host

or you filter after the next |, which will not be as efficient as the first search, and you could also miss some events that do not contain host but contain EventID, because the base search only searches for host:

(index=ucs) host=* (WLS_WMI MonitorName="OperatingSystem") Caption=*Server* | dedup host | search EventID=* | do more Splunk> Fu

And here is a freebie, read the slides and learn much about search efficiency: http://conf.splunk.com/session/2015/conf2015_JHarty_DuncanTurnbull_Splunk_UsingSplunkSearchLanguage_...

Hope this helps ...

cheers, MuS

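Following the efficiency point made in this answer, here is an added example (not MuS's own search) of a single-pass alternative that avoids a subsearch altogether: pull both the OS-inventory events and the Windows events in one base search, mark each host that has a "Server" Caption, and use stats to join them by host. It assumes the field names from the thread, and 4625 (Windows failed logon) is only an illustrative event ID:

```spl
index=ucs ((WLS_WMI MonitorName="OperatingSystem" Caption=*Server*) OR EventID=4625)
| eval is_server=if(isnotnull(Caption) AND like(Caption, "%Server%"), 1, 0)
| stats max(is_server) AS is_server, count(eval(EventID=4625)) AS failed_logons BY host
| where is_server=1 AND failed_logons>0
| sort - failed_logons
```

Because the filtering happens in the base search and the join is done by stats, this is not subject to the subsearch result and time limits, and it reads the index once. Its one precondition, shared with the subsearch approach, is that the inventory events and the Windows events must spell the host the same way; if one source records short names and the other FQDNs, normalise host with an eval (for example lowercasing and stripping the domain suffix) before the stats so the two sets actually group together.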