Splunk Search

Why are my nested subsearches failing?

sfrazer
Explorer

Hello,

I'm running into a problem where if I nest subsearches too far, I start to return no results. I'm unable to find a published limit of nesting, though. Is there one?

The search I'm trying to run can be paraphrased like so:

sourcetype=weblogs  status=200 OR status=410 [search sourcetype=weblogs status=200 earliest=-3d@d latest=now request="GET /path/*" [search sourcetype=weblogs request="GET /path/*" status=410 earliest=-3d@d latest=now [search sourcetype=firewalllogs "/blocked/" earliest=-3d@d latest=now | dedup ip | table ip] | dedup ip | table ip] | dedup ip | table ip] | chart count over ip by status

In plainspeak: I have a firewall listing of IP addresses that have been blocked and I put that into a table. I use that table to find web requests that have a status=410 and put all those IP addresses into a table. I then use that table to find web requests that have a status=200 and put all those IP addresses into a table.

This table now has the IP addresses of people who have been blocked by the firewall and also seen status=200 AND status=456 at some point in the last 3 days. And this works (returning about 40 addresses) until I put that final wrapper on it to show the counts by status, at which point I get no results.

0 Karma
1 Solution

renjith_nair
SplunkTrust

Can you just try adding a table/fields with status and ip before the chart command and run the search without chart to make sure that status and ip are listed and then add the chart command. Something like below.

sourcetype=weblogs status=200 OR status=410 [search sourcetype=weblogs status=200 earliest=-3d@d latest=now request="GET /path/*" [search sourcetype=weblogs request="GET /path/*" status=410 earliest=-3d@d latest=now [search sourcetype=firewalllogs "/blocked/" earliest=-3d@d latest=now | dedup ip | table ip] | dedup ip | table ip] | dedup ip | table ip] | fields status,ip | chart count over ip by status
Happy Splunking!


0 Karma
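An alternative that avoids nesting three subsearches at all, added here as an example and not part of the original thread: pull the firewall block events and the 200/410 web requests into one base search and let stats do the per-ip correlation. The field names sourcetype, ip, status and request are the ones used in the question; the counter names blocked_hits, ok_hits and gone_hits are assumed labels. Each nested subsearch runs to completion before its parent and is subject to the subsearch result cap (10,000 rows by default, limits.conf [subsearch] maxout) and the 60-second subsearch timeout, so a long `| table ip` list can be truncated on its way outward; the stats form has no such intermediate list. Note that the three-day window here applies to the web events as well, whereas the outermost search in the question used the time picker.

```spl
(sourcetype=weblogs request="GET /path/*" (status=200 OR status=410))
  OR (sourcetype=firewalllogs "/blocked/")
  earliest=-3d@d latest=now
| eval blocked=if(sourcetype="firewalllogs", 1, 0)
| stats sum(blocked) AS blocked_hits,
        count(eval(status=200)) AS ok_hits,
        count(eval(status=410)) AS gone_hits
  BY ip
| where blocked_hits > 0 AND ok_hits > 0 AND gone_hits > 0
| table ip ok_hits gone_hits
```

The where clause keeps only addresses that were blocked by the firewall and produced both a 410 and a 200 on the path, and ok_hits/gone_hits already give the per-status counts the original `chart count over ip by status` was meant to show, so no further chart step is needed.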

sfrazer
Explorer

I'm sure I understand why that fixed it, but it did.

Thanks!

0 Karma