Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to perform a secondary search on each result?

uostg
Engager
‎11-16-2015 07:17 AM

I have a search that shows network activity destined for specific IP addresses I'm interested in:

host="logserver" 1.2.3.4 OR 4.5.6.7 OR | dedup src | table src,_time

src is an extracted field showing the source IPs which have sent traffic to the destination IPs listed in the search.

I want to take each result row and perform another search on this data, to look up the MAC address from the DHCP logs. Unfortunately, time becomes a limiting factor here. The output of the first search shows when the communication took place, but the DHCP log will be at a time previous to this.

I have another search that I can plug in IP & time pairs to output the MAC address:

host=logserver $IP$
        timeformat="$tf$" endtime="$ts$"     
        | table _time dhcp_mac_addr 
        | head 1

This search uses input fields from a dashboard to allow the user to enter the "IP", "TF" and "TS" variables.

Put simply, I want to append a column to the end of the statistics table output by the first search, to show the dhcp_mac_addr field extracted from the second search, with the IP and TS values passed between the two searches.

Subsearches don't seem to allow passing variables between them and the data isn't two tables which can be easily JOINED together (due to the time differences).

Is there a way to create a search "function" which can be called for each search result row (e.g. mac_add_lookup("IP","TS"))? That would be ideal....

Reply
1 Solution
Solved! Jump to solution
Solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎11-16-2015 09:55 AM

Hey @uostg - nice question. It sounds like you're interested in the map command, the definition is almost exactly what you're asking for:

The map command is a looping operator that runs a search repeatedly for each input event or result. You can run the map command on a saved search, a current search, or a subsearch.

Furthermore, it supports $field$ passing

In your last sentence, you ask about creating a function - you can emulate a function so to speak by creating a macro. @ mention here if you need help.

View solution in original post

Reply
Solved! Jump to solution
Solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎11-16-2015 09:55 AM

Hey @uostg - nice question. It sounds like you're interested in the map command, the definition is almost exactly what you're asking for:

The map command is a looping operator that runs a search repeatedly for each input event or result. You can run the map command on a saved search, a current search, or a subsearch.

Furthermore, it supports $field$ passing

In your last sentence, you ask about creating a function - you can emulate a function so to speak by creating a macro. @ mention here if you need help.

Reply
Solved! Jump to solution

_dave_b
Communicator
‎11-20-2015 02:08 PM

Glad I happened to see your reply, as I've been wondering about those same capabilities. Thanks for sharing!

0 Karma
Reply
Solved! Jump to solution

uostg
Engager
‎11-16-2015 11:32 AM

That is exactly what I was looking for! Thank you so much!

Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...