Splunk Search

Searching a second source type based on a list of results from a first search

dreeck
Path Finder

I would like to find lines in log A based on the results of search B, but haven't been able to get what I want using subsearches (or haven't been using them right). Suggestions?

Search B gives me a list of IDs that could be 100 ids long
index=foo sourcetype=bar a.long.api.domain.identifier | chart dc(A_session_id) by A_session_id

I'd like Search A to give me a list of lines containing at least 1 of the A_session_ids, and also matching a few other characteristics:
index=foo sourcetype=bar2 A_session_id "and.another.identifier" (In this case, I'm hoping "A_session_id" is a list of IDs returned by the first search.)

Here's how I tried my subsearch:
index=foo sourcetype=bar2 and.another.identifier [search sourcetype=bar a.long.api.domain.identifier | chart dc(ts) by A_session_id]

Thanks in advance! Sorry for the noob questions.

Any tips?


somesoni2
SplunkTrust

If search A contains a field with the same name and value as A_session_id from search B, try like this:

index=foo sourcetype=bar2 "and.another.identifier" [search sourcetype=bar a.long.api.domain.identifier | chart dc(ts) by A_session_id | table A_session_id ]

If search A contains a field with a different name but the same value as A_session_id from search B, try like this:

index=foo sourcetype=bar2 "and.another.identifier" [search sourcetype=bar a.long.api.domain.identifier | chart dc(ts) by A_session_id | table A_session_id | rename A_session_id as fieldNameInSearchALogs ]

If search A doesn't contain such a field but you want to do a text/string-based search, try like this:

index=foo sourcetype=bar2 "and.another.identifier" [search sourcetype=bar a.long.api.domain.identifier | chart dc(ts) by A_session_id | table A_session_id | rename A_session_id as search ]
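To make the three variants above concrete, here is an added Python simulation (not Splunk's own code) of what a subsearch's result table is turned into before it is spliced into the outer search: rows become `( field="value" )` clauses OR'd together, a field literally named `search` is inserted as a bare term, and rows past the `[subsearch] maxout` cap (default 10000 in limits.conf) are dropped. The rows in `SAMPLE_ROWS` are constructed stand-ins for `... | table A_session_id` output.

```python
from typing import Dict, Iterable, List

# Constructed sample rows, standing in for the output of
# `sourcetype=bar ... | chart dc(ts) by A_session_id | table A_session_id`.
SAMPLE_ROWS: List[Dict[str, str]] = [
    {"A_session_id": "sess-0001"},
    {"A_session_id": "sess-0002"},
    {"A_session_id": "sess-0003"},
]


def quote_value(value: str) -> str:
    """Double-quote a field value, escaping backslashes and embedded quotes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def rename_field(rows: Iterable[Dict[str, str]], old: str, new: str) -> List[Dict[str, str]]:
    """Mirror `| rename old as new` on the subsearch result table."""
    return [{(new if k == old else k): v for k, v in row.items()} for row in rows]


def expand_subsearch(rows: Iterable[Dict[str, str]], maxout: int = 10000) -> str:
    """Render rows the way the implicit `format` step does:
    ( ( f="v" AND g="w" ) OR ( f="x" ) ).

    A field named `search` is emitted verbatim (a free-text term rather than
    field="value"), which is what approach 3 (`rename A_session_id as search`)
    relies on. Only the first `maxout` rows are kept, modelling the
    limits.conf [subsearch] maxout cap; an empty table yields an empty string
    (Splunk's own empty-result handling is not modelled here).
    """
    clauses: List[str] = []
    for i, row in enumerate(rows):
        if i >= maxout:
            break
        terms = [v if k == "search" else f"{k}={quote_value(v)}" for k, v in row.items()]
        clauses.append("( " + " AND ".join(terms) + " )")
    return "( " + " OR ".join(clauses) + " )" if clauses else ""


def outer_search(base: str, rows: Iterable[Dict[str, str]], maxout: int = 10000) -> str:
    """Splice the expanded subsearch into the outer search text."""
    return f"{base} {expand_subsearch(rows, maxout)}"
```

Running `outer_search('index=foo sourcetype=bar2 "and.another.identifier"', rename_field(SAMPLE_ROWS, "A_session_id", "search"))` shows the bare-term form that approach 3 produces, while passing `maxout=1` shows how a row cap silently narrows the outer search to a single ID.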

dreeck
Path Finder

I tried approach 3 - this works, but only shows results for a single value in A_session_id. For example, when I run an hour-long search like this:

index=foo sourcetype=bar2 "and.another.identifier" [search sourcetype=bar a.long.api.domain.identifier | chart dc(ts) by A_session_id | table A_session_id | rename A_session_id as search ]

I get shown lines from sourcetype=bar2 including a single value for A_session_id.

If I run just the subsearch "sourcetype=bar a.long.api.domain.identifier | chart dc(ts) by A_session_id | table A_session_id" I get 6k+ lines.

Is it possible it's only passing 1 result?
