Splunk Search

subsearch not returning selected field values

scc00
Contributor

I am trying to map a users activity once they've logged into a vdi session to when they log into a specific application. My search is as follows: I have tried using the return, fields + and join commands to make this work. Each search returns values individually but together I get nothing. Thoughts?

Searches:

index=* user=xxx* computer=vdi* 
    [ search sourcetype=something user=user1 event=*"logged"* 
    | fields + user, event ] 
| eval hostname=coalesce(computer, host) 
| table _time, user, hostname, event 
| sort 0 -_time

OR

index=* user=xxx* computer=vdi* 
    [ search sourcetype=something user=user1 event=*"logged"* 
    | return 100 user, event ] 
| eval hostname=coalesce(computer, host) 
| table _time, user, hostname, event 
| sort 0 -_time

OR

index=* user=xxx* computer=vdi* 
| join user max=0 
    [ search sourcetype=something user=user1 event=*"logged"* 
    | fields + user, event ] 
| eval hostname=coalesce(computer, host) 
| table _time, user, hostname, event 
| sort 0 -_time

updated to mark code

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

This is your first query. The only thing I've changed is to switch from fields to table and then added dedup.

index=* user=xxx* computer=vdi* 
    [ search sourcetype=something user=user1 event="*logged*" 
    | table user, event | dedup user, event] 
| eval hostname=coalesce(computer, host) 
| table _time, user, hostname, event 
| sort 0 - _time

The table command eliminates all fields except the ones listed, whereas the fields command leaves some internal fields like _time, which, after it goes through the implicit format command at the end of the subsearch (when it hits the close bracket ]), is going to mess with retrieving the records.

To see the difference, compare the output of these -

    sourcetype=something user=user1 event="*logged*" 
    | fields + user, event 
    | format 

    sourcetype=something user=user1 event="*logged*" 
    | table user, event 
    | format 

Updated to include the asterisks that the interface had removed from OP's search

0 Karma
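The answer above hinges on what the implicit format command does with the subsearch rows. The following is an added example, not code from this thread or from Splunk: a small Python simulation of that step over constructed rows, built on the answer's premise that `fields + user, event` leaves `_time` in the subsearch output while `table user, event` does not. The row values, timestamps and the `format_subsearch` / `count_matches` helpers are all constructed for illustration.

```python
"""Simulate the implicit `| format` applied to subsearch results, to show
why a leaked _time field makes the outer search match nothing.
Added example; not from the thread or from Splunk itself."""

# Constructed subsearch results. Per the answer above, `fields + user, event`
# keeps internal fields such as _time; `table user, event` keeps only the
# two listed columns.
SUBSEARCH_WITH_FIELDS = [
    {"_time": 1709280000, "user": "user1", "event": "User logged in"},
    {"_time": 1709283600, "user": "user1", "event": "User logged out"},
]
SUBSEARCH_WITH_TABLE = [
    {"user": "user1", "event": "User logged in"},
    {"user": "user1", "event": "User logged out"},
]

# Constructed main-search (VDI) events. Their _time values differ from the
# subsearch _time values because they are different events.
MAIN_EVENTS = [
    {"_time": 1709281000, "user": "user1", "computer": "vdi01", "event": "User logged in"},
    {"_time": 1709281500, "user": "user2", "computer": "vdi02", "event": "User logged in"},
]


def format_subsearch(rows):
    """Approximate `| format`: each row becomes an AND group of field="value"
    terms and the groups are OR-ed together. Splunk also escapes values; the
    shape is what matters for this illustration."""
    groups = []
    for row in rows:
        terms = " AND ".join(f'{key}="{value}"' for key, value in row.items())
        groups.append(f"( {terms} )")
    return "( " + " OR ".join(groups) + " )"


def matches(event, subsearch_rows):
    """Apply the generated clause to one main-search event: it matches when
    every field/value pair of at least one subsearch row is present."""
    return any(
        all(event.get(key) == value for key, value in row.items())
        for row in subsearch_rows
    )


def count_matches(subsearch_rows):
    """Number of main-search events the outer search would return."""
    return sum(1 for event in MAIN_EVENTS if matches(event, subsearch_rows))


if __name__ == "__main__":
    for label, rows in (("fields +", SUBSEARCH_WITH_FIELDS), ("table", SUBSEARCH_WITH_TABLE)):
        print(f"--- subsearch via {label} ---")
        print(format_subsearch(rows))
        print("main-search events matched:", count_matches(rows))
```

With the `fields +` variant every OR group carries a `_time="…"` term, so no VDI event can satisfy it and the outer search returns nothing; with the `table` variant the groups contain only `user` and `event` and the matching VDI event is returned. Running `| format` explicitly at the end of each subsearch in Splunk, as the answer suggests, shows the same difference in the generated `search` field.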

scc00
Contributor

Unfortunately, neither of these suggestions worked. I am trying to link user logins to user application activity. I am having some trouble bringing the two pieces together. Any thoughts around the best method to link the user login with the user application login, assuming the VDI login ID for the user may differ from the application user ID?

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

Okay, I marked your code as code, so the asterisks showed up. I updated my code to include them.

"Did not work" doesn't give us anything to go on. Please be very specific about what does or does not occur. Did the last two samples produce any results? Did the difference make sense to you?

0 Karma

scc00
Contributor

My apologies. I meant the searches came back empty when I run each option you mentioned. If I separate the subsearch from the main search, it returns values but not together.

index=* user=xxx* computer=vdi* 
    [ search sourcetype=something user=user1 event="logged" 
    | table user, event | dedup user, event ] 
| eval hostname=coalesce(computer, host) 
| table _time, user, hostname, event 
| sort 0 - _time

OR

index=* user=xxx* computer=vdi* 
    [ search sourcetype=something user=user1 event="logged" 
    | fields + user, event | dedup user, event ] 
| eval hostname=coalesce(computer, host) 
| table _time, user, hostname, event 
| sort 0 - _time

0 Karma

scc00
Contributor

Additionally, when I use the join command shown below it only gives me the main search. I need it to do a comparison between the user in the subsearch and pull only corresponding results from the main search specific to that user's activities. Sometimes the user may be different from the user within the subsearch.

index=* user=xxx* computer=vdi* 
| join user type=left 
    [ search sourcetype=something user=user1 event="logged" 
    | table user, event | dedup user, event ] 
| eval hostname=coalesce(computer, host) 
| table _time, user, hostname, event 
| sort 0 - _time

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi scc00,
try something like this

index=* user=xxx* computer=vdi* 
| join user type=left 
    [ search sourcetype=something user=user1 event="logged" 
    | fields user event ] 
| eval hostname=coalesce(computer, host) 
| table _time, user, hostname, event 
| sort 0 -_time

Bye.
Giuseppe

0 Karma
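The two behaviours reported in this thread, a left join returning every main-search row and an inner join returning nothing when the VDI login ID is not the application user ID, come down to join semantics over the `user` field. The following is an added example, not code from this thread or from Splunk: a Python model of `join user type=left` versus the default inner join over constructed VDI-login and application-login records, plus a constructed identity map standing in for a lookup table that maps VDI IDs to application IDs. All record values, the `VDI_TO_APP_USER` map and the helper names are constructed for illustration.

```python
"""Model Splunk's join on a single key with left vs inner semantics, and
show how a VDI-to-application identity map changes the result.
Added example; not from the thread or from Splunk itself."""

# Constructed main-search events: VDI session logins.
VDI_LOGINS = [
    {"_time": 100, "user": "jdoe", "computer": "vdi01"},
    {"_time": 110, "user": "asmith", "computer": "vdi02"},
    {"_time": 120, "user": "bob", "computer": "vdi03"},
]

# Constructed subsearch events: application logins. Two accounts use a
# different ID in the application than in VDI.
APP_LOGINS = [
    {"_time": 105, "user": "john.doe", "event": "User logged in"},
    {"_time": 130, "user": "bob", "event": "User logged in"},
]

# Constructed identity map; in Splunk this would be a lookup table.
VDI_TO_APP_USER = {"jdoe": "john.doe", "asmith": "a.smith", "bob": "bob"}


def join(left, right, key, how="inner", right_fields=("event",)):
    """Join `right` rows onto `left` rows on `key`.

    how="inner" keeps only left rows with a match (Splunk's default);
    how="left" keeps every left row, filling nothing when there is no match.
    All matches are kept, mirroring `max=0`. Only `right_fields` are copied
    from the subsearch row, mirroring a subsearch restricted to `fields`.
    """
    by_key = {}
    for row in right:
        by_key.setdefault(row[key], []).append(row)

    joined = []
    for row in left:
        matches = by_key.get(row[key], [])
        if matches:
            for match in matches:
                merged = dict(row)
                merged.update({f: match[f] for f in right_fields if f in match})
                joined.append(merged)
        elif how == "left":
            joined.append(dict(row))
    return joined


def normalize_vdi_users(rows):
    """Rewrite the VDI `user` field to the application user ID so both sides
    of the join use the same key (the step a lookup would perform)."""
    return [dict(row, user=VDI_TO_APP_USER.get(row["user"], row["user"])) for row in rows]


if __name__ == "__main__":
    print("left join :", join(VDI_LOGINS, APP_LOGINS, "user", how="left"))
    print("inner join:", join(VDI_LOGINS, APP_LOGINS, "user", how="inner"))
    print("inner join after normalizing user IDs:",
          join(normalize_vdi_users(VDI_LOGINS), APP_LOGINS, "user", how="inner"))
```

The left join returns all three VDI rows, with `event` populated only for `bob`, which is the "only gives me the main search" symptom. The inner join returns just `bob`, because `jdoe` never equals `john.doe`. Normalizing the VDI user ID first makes `jdoe` match as well, which is why a lookup that maps the VDI ID to the application ID is the usual way to link the two sides when the IDs differ.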

scc00
Contributor

Thanks Giuseppe, so this only gives me one side of the data. I am trying to link user logins to user application activity. I am having some trouble bringing the two pieces together. Any thoughts around the best method to link the user login with the user application login?

0 Karma