Combine results of subsearch into single value

kholleran · ‎07-30-2010

Hello,

Right now I have a search that says:

source="syslog" minutesago="20" | APPEND [search host="SERVER" Event="SUCCESSFUL_LOGIN" minutesago=30 | fields Account_Name]

So the first search returns some results. What I want to do is have a single value from the multiple results of the second search. So, the sub search returns results like:

Account1 Account2 Account3

My goals is to have this a single value that is appended to each result of the first search

Result1 - Account1,Account2,Account3 Result2 - Account1,Account2,Account3

Or something along those lines. Basically, when the syslog is triggered, I want to know who logged into SERVER in the last half hour.

I was looking at the mvjoin() function but I am not sure how to pass the search results to it.

Thanks for any help.

Kevin

Stephen_Sorkin · ‎08-17-2010

You can use the join command instead of the append command to enrich the results of the outer search.

Assuming your subsearch yields just one result, and there were no fields in common to tie the searches together, you would write the search as:

source="syslog" minutesago="20"
| eval id = 1
| join id [search host="SERVER" Event="SUCCESSFUL_LOGIN" minutesago=30 | fields Account_Name | eval id = 1]

If you do have an id to tie the rows from the subsearch to the outer search, you can drop the evals and use the field name as the first argument to join.

Combine results of subsearch into single value

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor