Joining entries using IDs

m_hunger · ‎08-15-2012

Hi,

I am trying to extract an ID from a search and append the results using the extracted ID.

Example:
Search: host="hostname" 32351
<190>Aug 15 11:28:02 hostname sshd[32351]: User child is on pid 32353

Now I would like to append the entries including the child pid, e.g.
Search: host="hostname" 32351 OR 32353 without having to type "OR 32353".

Here, Splunk adds all entries with all child pid's and not only those from the main search:
host="hostname" pid=32351 | append [search host="hostname" | fields + childpid]

So I am probably missing something before append. I hope it is enough information.

m_hunger · ‎08-15-2012

At least it makes a correct connection, but I need the complete logentries.

What I basically need is:
SELECT * FROM sshd a, internal-sftp b WHERE a.pid="1000" AND a.childpid = b.pid;

kristian_kolb · ‎08-15-2012

see update above /k

Ayn · ‎08-15-2012

Did you look into using transaction?

kristian_kolb · ‎08-15-2012

If you have the field extractions for pid and childpid configured already, you could simply get the children of a pid by

host=hostname | stats values(childpid) by pid

UPDATE:

Hmm, not 100% sure I follow you, but...

host=hostname pid=12345 OR [search host=hostname pid=12345 | rename childpid as pid | fields + pid]

..something like this might work.

/k

Hope this helps,

Kristian

Joining entries using IDs

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life