Splunk Search

check if value is in subsearch table result

matansocher
Contributor

Hi,

I need a way to check if a value is in a sub search table result.
For example, I use this code, which doesn't work:

    index=testeda_p groupID=sloc_data 
    | search project=Periph core=ipa core_ver=* sloc_type="rtl"
    | search _time contains 
        [ search index=testeda_p groupID=sloc_data (project=Periph) (core=ipa) core_ver=* sloc_type="rtl" 
        | sort -_time 
        | dedup core_ver 
        | table _time 
    ] 
    | table project core core_ver file sloc_date sloc_type sloc upload_id _time 

Thanks

1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi matansocher,
did you already test running the subsearch?

index=testeda_p groupID=sloc_data (project=Periph) (core=ipa) core_ver=* sloc_type="rtl" 
         | sort -_time 
         | dedup core_ver 
         | table _time 

Bye.
Giuseppe



matansocher
Contributor

Sure, it returns a table of times (the _time field).
I will rewrite my question: I need the main search to check whether the _time value it (the main search) has is in the table from the subsearch, i.e. whether the subsearch table contains the _time value of the main search.


gcusello
SplunkTrust
SplunkTrust

Hi matansocher,
No, you can check whether the value of the subsearch is in the main search, not the opposite.
Anyway, I see that the search and the subsearch are the same; what's your need?
In addition, you don't need to divide the main search; you could use

index=testeda_p groupID=sloc_data project=Periph core=ipa core_ver=* sloc_type="rtl" [ search 
    index=testeda_p groupID=sloc_data project=Periph (core=ipa) core_ver=* sloc_type="rtl" 
    | sort -_time 
    | dedup core_ver 
    | table _time 
     ] 
| table project core core_ver file sloc_date sloc_type sloc upload_id _time

Remember that using dedup you have the limit of 10,000 values; to avoid this limit use dedup 0.

Bye.
Giuseppe


matansocher
Contributor

I do realize that my subsearch is pretty much the same as the main search, but I just want to understand the concept of a main-search field containing a value from a subsearch table result.


gcusello
SplunkTrust
SplunkTrust

Hi matansocher,
You have a main search with all the filters you like.
One additional filter is the result of the subsearch.
Remember that the filter is related to the fields in the output of the subsearch; in other words, if I have [search index=... | fields name ], I'm adding an additional filter name=all_subsearch_values; obviously the name field must be present in both searches.
If I have two fields in the output, I have a filter with two fields, and so on.
This means that I must always choose the fields in the subsearch output.

If I want to add a full text search on the main search, I have to modify my subsearch into [search index=... | rename name AS query | fields query ] (query is a fixed field name).

I hope to be exhaustive.

Bye.
Giuseppe


matansocher
Contributor

Thank you, that was a great explanation.
I am probably doing something wrong.
I have this query:

index=testeda_p groupID=sloc_data project=Periph core=ipa core_ver=4.2.0 sloc_type="rtl"
[ search index=testeda_p groupID=sloc_data (project=Periph) (core=ipa) core_ver=4.2.0 sloc_type="rtl" 
    | sort -_time 
    | dedup core_ver 
    | table _time
    | fields _time 
] 
| table project core core_ver file sloc_date sloc_type sloc upload_id _time 

Does my subsearch create a table with the field _time?
And do I put the subsearch in the right place?

Thanks


gcusello
SplunkTrust
SplunkTrust

Maybe _time is in a different format between the main search and the subsearch.
Try using

index=testeda_p groupID=sloc_data project=Periph core=ipa core_ver=4.2.0 sloc_type="rtl"
| eval _time=strptime(_time,"%Y-%m-%d %H:%M:%S%3N")
 [ search index=testeda_p groupID=sloc_data project=Periph core=ipa core_ver=4.2.0 sloc_type="rtl" 
     | sort -_time 
     | dedup core_ver 
     | eval _time=strptime(_time,"%Y-%m-%d %H:%M:%S%3N")
     | fields _time 
 ] 
 | table project core core_ver file sloc_date sloc_type sloc upload_id _time 

Bye.
Giuseppe

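A small simulation of the two points Giuseppe makes above, added here as an illustration (it is not Splunk's code and not from the thread): each subsearch result row becomes an AND-group of field="value" terms, the rows are OR'ed into one implicit filter on the main search, a row carrying the special `query` field is spliced in verbatim, and values only match when both sides carry the same format. The events and tables are constructed, and treating an empty result table as matching nothing is an assumption of the simulation.

```python
from typing import Dict, List

Row = Dict[str, str]

# Field names whose value Splunk splices into the outer search as a literal
# search string rather than as field="value" terms (the thread uses `query`;
# `search` is the other accepted name).
LITERAL_FIELDS = ("query", "search")

def row_to_clause(row: Row) -> str:
    """One subsearch result row -> one AND-group of field="value" terms."""
    for name in LITERAL_FIELDS:
        if name in row:
            return row[name]  # used verbatim, no quoting
    return "( " + " AND ".join(f'{k}="{v}"' for k, v in row.items()) + " )"

def subsearch_to_filter(rows: List[Row]) -> str:
    """The implicit filter the outer search receives: all rows OR'ed together.

    Assumption of this simulation: an empty table renders as a term that
    matches nothing, which is why an empty subsearch yields no outer results.
    """
    if not rows:
        return "NOT ()"
    return "( " + " OR ".join(row_to_clause(r) for r in rows) + " )"

def event_matches(event: Row, rows: List[Row]) -> bool:
    """True if ANY row has ALL its fields present in the event with equal
    string values (literal-search rows are skipped: this toy has no parser)."""
    for row in rows:
        if any(name in row for name in LITERAL_FIELDS):
            continue
        if all(str(event.get(k)) == v for k, v in row.items()):
            return True
    return False

def passing_events(events: List[Row], rows: List[Row]) -> List[Row]:
    """Apply the subsearch table as a filter to the outer-search events."""
    return [e for e in events if event_matches(e, rows)]

# Constructed sample data (not from the thread): three outer-search events and
# two subsearch tables holding the same two instants in different formats.
EVENTS = [{"core_ver": "4.2.0", "_time": "1704448800"},
          {"core_ver": "4.1.0", "_time": "1704362400"},
          {"core_ver": "4.2.0", "_time": "1704276000"}]
SUB_EPOCH = [{"_time": "1704448800"}, {"_time": "1704362400"}]
SUB_TEXT = [{"_time": "2024-01-05 10:00:00.000"},
            {"_time": "2024-01-04 10:00:00.000"}]
```

With SUB_EPOCH two events pass; with SUB_TEXT none do, although both tables describe the same instants, which is the symptom the thread hits and why the `_time` values are normalised on both sides before the subsearch is applied.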

matansocher
Contributor

The problem was that for some reason Splunk didn't like the manipulation on the _time field. I just added:

| eval time = _time

and then it worked.


matansocher
Contributor

I have tried that and I get no results. I know it is not correct because I checked the data manually; probably there is something I don't notice. Do you have any other idea why it does not work?

Thanks a lot for the effort
