Hello!
I'm interested in passing a result or results (a list of users from proxy logs) from a subsearch into a field in my parent search (against AV logs). I tried using eval, but was unsuccessful. Is it possible to pass results from a subsearch into a variable? Any help would be appreciated!
Something like this doesn't work:
index=MyData sourcetype=AV_logs user=[index=MyData sourcetype=Proxy_logs src_ip="X.X.X.X" dst_port="80" domain="*pleasehelpme.splunk"| table user] | table user, event, etc
Remove user= in your main search. Like this:
index=MyData sourcetype=AV_logs [index=MyData sourcetype=Proxy_logs src_ip="X.X.X.X" dst_port="80" domain="*pleasehelpme.splunk"| table user] | table user, event, etc
I'm still not having any luck with my query. When I run my subsearch separately, it successfully produces a table of values, but when it's with a parent search, I get "no results found." Is there a way to pass values from a subsearch directly to a field in my parent search?
Thanks for your help!
Subsearches should start with [ search.
Like @sinash said. This would be the updated query:
index=MyData sourcetype=AV_logs [search index=MyData sourcetype=Proxy_logs src_ip="X.X.X.X" dst_port="80" domain="*pleasehelpme.splunk"| table user] | table user, event, etc
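Added example (not from the original thread) of how to check what a subsearch actually hands to the outer search. A subsearch that ends in table user is rewritten by Splunk into a boolean clause of the form ( ( user="a" ) OR ( user="b" ) ... ) and appended to the outer search. The first search below makes that expansion visible with the format command; the second is the corrected outer search with dedup so each user contributes only one OR term. The field name src_user in the third search is a hypothetical stand-in for whatever the proxy logs call the user field if it is not literally user; the rename inside the subsearch makes the generated clause use the outer search's field name. All other field values are the ones quoted in the thread.

```spl
index=MyData sourcetype=Proxy_logs src_ip="X.X.X.X" dst_port="80" domain="*pleasehelpme.splunk"
| dedup user
| table user
| format

index=MyData sourcetype=AV_logs
    [ search index=MyData sourcetype=Proxy_logs src_ip="X.X.X.X" dst_port="80" domain="*pleasehelpme.splunk"
      | dedup user
      | table user ]
| table user, event

index=MyData sourcetype=AV_logs
    [ search index=MyData sourcetype=Proxy_logs src_ip="X.X.X.X" dst_port="80" domain="*pleasehelpme.splunk"
      | rename src_user AS user
      | dedup user
      | table user ]
| table user, event
```

If the first search returns a search field that is empty or contains user="" terms, the subsearch is not extracting a user value at all, and the outer search will match nothing. Also keep the default subsearch limits in limits.conf [subsearch] in mind: results are truncated at maxout (10,000 events) and the subsearch is cut off at maxtime (60 seconds), so a subsearch that runs close to either limit silently drops users from the OR clause.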
Do you get valid results when you run the main search and the sub search separately? Are there any matching?
The other option would be to try grouping, like this:
(index=MyData sourcetype=AV_logs) OR (index=MyData sourcetype=Proxy_logs src_ip="X.X.X.X" dst_port="80" domain="*pleasehelpme.splunk") | stats values(event) as event values(sourcetype) as st by user | where mvcount(st)=2
There are matching results for the fields I'm interested in in both the main and sub searches.
Check field names in both, they are case sensitive. Did you try the second option? Also, there are limitations to subsearches, how many events do both searches return?
I'm actually testing this with two sets of web traffic logs since most of the data is similar. Both return 3000+ results (source IP) using dedup for a 15 minute period.
I haven't tried the other option you suggested. I'm not sure what the "values(event)," "st by user," or "mvcount(st)" means as I've never used them. Is there something I can reference for more information?
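Added example (not part of the thread) walking through the stats-based correlation suggested above, with each piece spelled out. Pulling both sourcetypes in one search and grouping by user avoids the subsearch result and time limits entirely, and stats already collapses duplicates, so no dedup is needed. The dc(sourcetype) aggregation is an addition to the thread's query that does the same job as mvcount(st) in a more readable way; field values are the ones quoted in the thread.

```spl
(index=MyData sourcetype=AV_logs) OR (index=MyData sourcetype=Proxy_logs src_ip="X.X.X.X" dst_port="80" domain="*pleasehelpme.splunk")
| stats values(event) AS event, values(sourcetype) AS st, dc(sourcetype) AS st_count BY user
| where st_count=2
| table user, st, event
```

Reading it line by line: the first line retrieves events from both sourcetypes in a single pass, the proxy side restricted to the hits of interest. The stats command groups everything by user (the BY user clause), and within each group values(event) collects the distinct event values into a multivalue field named event, while values(sourcetype) AS st collects which sourcetypes that user appeared in. A user seen only in AV logs has st = AV_logs; a user seen in both has st = [AV_logs, Proxy_logs]. The where clause keeps only users present in both: mvcount(st) counts the entries in the multivalue field, and dc(sourcetype) counts distinct sourcetypes directly, so either st_count=2 or mvcount(st)=2 works. This is the same intersection the subsearch produces, but computed with one search over both datasets.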