- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to use search results to drive secondary searc...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Below is a log set example:
[Jan 19 09:35:00.00] VERBOSE[11111]: foo, foo, "x-cid: AAAAA")
[Jan 19 09:35:10.00] VERBOSE[22222]: foo, foo, "x-cid: AAAAA")
[Jan 19 09:35:20.00] VERBOSE[11111]: bar, bar, "some text")
[Jan 19 09:35:30.00] VERBOSE[22222]: bar, bar, "some different text")
I have REGEX'd the following fields:
- x-cid: AAAAA
- PID: 11111
- PID: 22222
Using the above log set example, I want to search for AAAAA and return all 4 log events.
Effectively, the query will first search for AAAAA, capture the PIDs, then do a sub search for the PIDs (both) and return the full results.
I have been playing with append, appendpipe, join... but can't figure out the subsearch.
Thanks in advance for the guidance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming the field extraction for x-cid (with field name as x_cid) and PID is saved in conf files, try like this
index=foo sourcetype=bar [search index=foo sourcetype=bar x_cid="AAAAA" | stats count by PID | table PID ] | rest of the search
Basically the subsearch get the PIDs which correspond to x_cid="AAAAA", and includes a dynamic giant OR condition to filter events. In your example above, the subsearch should return 11111 and 22222 and your normalized search would be like this
index=foo sourcetype=bar ((PID=11111) OR (PID=22222))
And it should fetch all the records that you want.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming the field extraction for x-cid (with field name as x_cid) and PID is saved in conf files, try like this
index=foo sourcetype=bar [search index=foo sourcetype=bar x_cid="AAAAA" | stats count by PID | table PID ] | rest of the search
Basically the subsearch get the PIDs which correspond to x_cid="AAAAA", and includes a dynamic giant OR condition to filter events. In your example above, the subsearch should return 11111 and 22222 and your normalized search would be like this
index=foo sourcetype=bar ((PID=11111) OR (PID=22222))
And it should fetch all the records that you want.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@somesoni2 - Thanks. Subsearching has always been a struggle for me, but that fixed it.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
