Splunk Search

filtered sub search

athorat3
New Member

Hi

I want to search for Text A in an index and find the source files, and then, on those source files, search for Text B:
so if Text A is found, then search for B and return the source files.

A and B are separate events in the same source files.


gcusello
SplunkTrust

Hi athorat3,
let me understand: do you need events where there are TextA and TextB and take the list of source files, or do you want to search events with TextA and then search for TextB on the source filenames?
In the first case try:

index=your_index sourcetype=your_sourcetype TextA TextB
| stats count by source

In the second case, try:

index=your_index sourcetype=your_sourcetype TextA
| fields source
| search [ search index=your_index sourcetype=your_sourcetype TextB | stats count by source | fields source ]
| stats count by source

Bye.
Giuseppe


athorat3
New Member

Thank you for replying.
Yes, pretty much the second scenario:

when Text A is available, then search on the sources for Text B.

So, if I see "Project Implemented successfully^", I need to search for "exit Status 1^".

When I do Show Source for the event ("Project Implemented successfully^"), I see this, which has "exit status 1^" at the end of the file.

^2017-06-21T19:27:01Z|||{node=0001f-*********************************************************/returns: Project Implemented successfully^
^2017-06-21T19:27:01Z|||{node=0001f-node=0001f-
******************************************************/r
^2017-06-21T19:27:01Z|||{node=0001f-node=0001f-
*********************************************************/\
.
.
.
.
.
^2017-06-21T19:27:34Z|nodeend||{executionState=FAILED|failureReason=NonZeroResultCode|node=0001f-idxx02.tableausandbox.com|resultCode=1|step=10|stepctx=10|user=SYSTEM}|Remote command failed with exit status 1^


gcusello
SplunkTrust

Hi athorat3,
I understood that you wanted to search for TextB in the names of the source files and not in the events: if you want to search for TextB in the events, it's better to use the first scenario because it is quicker.

If instead you want to search not for every TextB but only for a TextB that is at the end of each row, you have to use the regex command, something like this:

index=your_index sourcetype=your_sourcetype "Project Implemented successfully"
| regex "exit\sstatus\s1$"
| ...

Bye.
Giuseppe

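A search that returns only the source files in which both messages occur as separate events, added here as an example and not part of the thread above. It reuses the placeholders index=your_index and sourcetype=your_sourcetype from the replies and the two strings from the sample log; the field names implemented, failed, first_seen and last_seen are chosen for this example.

```spl
index=your_index sourcetype=your_sourcetype
    ("Project Implemented successfully" OR "Remote command failed with exit status 1")
| eval implemented=if(match(_raw, "Project Implemented successfully"), 1, 0)
| eval failed=if(match(_raw, "exit status 1"), 1, 0)
| stats sum(implemented) AS implemented, sum(failed) AS failed,
        min(_time) AS first_seen, max(_time) AS last_seen by source
| where implemented > 0 AND failed > 0
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
```

The first line pulls every event that carries either message, the two eval fields mark which message each event is, and stats folds them per source so the where clause keeps only files that have at least one of each. The match() calls are deliberately unanchored because the sample lines end with "^", so a "$" anchor directly after "1" would not match them. A subsearch on source, as in the reply above, gives the same list for small data sets, but subsearches are limited by default to 10,000 results and 60 seconds (maxout and maxtime under [subsearch] in limits.conf) and truncate silently beyond that; the stats form has no such cap.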