Splunk Search

How to use search results to drive secondary search?

lennys26
Communicator

Below is a log set example:

[Jan 19 09:35:00.00] VERBOSE[11111]: foo, foo, "x-cid: AAAAA")
[Jan 19 09:35:10.00] VERBOSE[22222]: foo, foo, "x-cid: AAAAA")
[Jan 19 09:35:20.00] VERBOSE[11111]: bar, bar, "some text")
[Jan 19 09:35:30.00] VERBOSE[22222]: bar, bar, "some different text")

I have REGEX'd the following fields:
- x-cid: AAAAA
- PID: 11111
- PID: 22222

Using the above log set example, I want to search for AAAAA and return all 4 log events.
Effectively, the query will first search for AAAAA, capture the PIDs, then do a sub search for the PIDs (both) and return the full results.

I have been playing with append, appendpipe, join... but can't figure out the subsearch.

Thanks in advance for the guidance.

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Assuming the field extraction for x-cid (with field name as x_cid) and PID is saved in conf files, try like this

index=foo sourcetype=bar [search index=foo sourcetype=bar x_cid="AAAAA" | stats count by PID | table PID ] | rest of the search

Basically the subsearch gets the PIDs which correspond to x_cid="AAAAA", and includes a dynamic giant OR condition to filter events. In your example above, the subsearch should return 11111 and 22222 and your normalized search would be like this

index=foo sourcetype=bar ((PID=11111) OR (PID=22222))

And it should fetch all the records that you want.


0 Karma
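The two-pass logic the accepted answer describes, as an added example that is not part of the original thread: the inner pass plays the role of the subsearch (events carrying the x-cid, reduced to distinct PIDs) and the outer pass returns every event for those PIDs. The log lines, the two regexes, and the function names are constructed for this illustration and assume the question's log format.

```python
import re

# Constructed sample events in the question's format (not real data); the
# last two lines belong to a different x-cid and must not be returned.
LOG_LINES = [
    '[Jan 19 09:35:00.00] VERBOSE[11111]: foo, foo, "x-cid: AAAAA")',
    '[Jan 19 09:35:10.00] VERBOSE[22222]: foo, foo, "x-cid: AAAAA")',
    '[Jan 19 09:35:20.00] VERBOSE[11111]: bar, bar, "some text")',
    '[Jan 19 09:35:30.00] VERBOSE[22222]: bar, bar, "some different text")',
    '[Jan 19 09:36:00.00] VERBOSE[33333]: foo, foo, "x-cid: BBBBB")',
    '[Jan 19 09:36:10.00] VERBOSE[33333]: bar, bar, "unrelated")',
]

# Assumed equivalents of the poster's saved field extractions.
PID_RE = re.compile(r"VERBOSE\[(?P<PID>\d+)\]")
XCID_RE = re.compile(r'"x-cid: (?P<x_cid>[^"]+)"')


def extract_fields(line):
    """Extract PID (present on every event) and x_cid (only on some)."""
    fields = {"_raw": line}
    m = PID_RE.search(line)
    if m:
        fields["PID"] = m.group("PID")
    m = XCID_RE.search(line)
    if m:
        fields["x_cid"] = m.group("x_cid")
    return fields


def subsearch_pids(events, x_cid):
    """Inner search: x_cid="..." | stats count by PID | table PID  -> distinct PIDs."""
    return sorted({e["PID"] for e in events if e.get("x_cid") == x_cid and "PID" in e})


def expanded_filter(pids):
    """The OR clause the outer search receives from the subsearch's PID field."""
    return "(" + " OR ".join(f'(PID="{p}")' for p in pids) + ")"


def correlate(lines, x_cid):
    """Outer search: every event whose PID was found by the inner search.

    With no matching PID this returns nothing; check Splunk's own handling of an
    empty subsearch before relying on that in a saved search.
    """
    events = [extract_fields(line) for line in lines]
    wanted = set(subsearch_pids(events, x_cid))
    return [e["_raw"] for e in events if e.get("PID") in wanted]
```

Splunk caps a subsearch by result count and runtime (the maxout and maxtime settings under the [subsearch] stanza in limits.conf), so a PID list that can grow past those limits needs a different correlation approach than this OR expansion.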


lennys26
Communicator

@somesoni2 - Thanks. Subsearching has always been a struggle for me, but that fixed it.

0 Karma