In all our logs we write out the PID of the unix process. In many cases I just want to look at the latest run of a script. I do this with a query like this:
System=Shark [search System=Shark | head 1 | table Pid]
This will get the latest Pid for the system called "Shark" and return only results that contain that Pid. This works very well; however, it will match anything with that value, not just the Pid field. E.g., in the 2 logs below it will match both logs when I don't want it to match the second. Is there some way to tell it to only match the Pid field to the value calculated from the sub search? I tried Pid=[search...] but it didn't like that.
From the latest run of the script:
System=Shark Message="Wrote some file" Pid=100
From the previous run of the script:
System=Shark Message="Deleted all files" Pid=99 FileCount=100
The behaviour you want is really the default behaviour. You can run the subsearch on its own and add format at the end to see the exact filter string it emits to the outer search. Like this:
System=Shark | head 1 | table Pid | format
From there you can check how the filter is applied. To me it sounds like your Splunk instance for some reason is extracting other fields as "Pid" as well.
Oh, you just rename the field, easy:
System=Shark | head 1 | table Pid | rename Pid as ParentPid
Hmmm, you are right, it isn't matching against FileCount=100. For some reason I thought it was. I'd still be interested to know how to specify the field that it does match. Say I wanted to get the latest Pid but then search for all processes where ParentPid is equal to that value, i.e. the same as "SELECT * FROM TableX WHERE ParentPid = (SELECT TOP 1 Pid FROM TableY)"
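To make the distinction in this thread concrete, here is an added Python simulation (not Splunk code and not from anyone in the thread) of what the answer describes: the subsearch yields a field-scoped filter, which is why FileCount=100 is not matched, and a rename on the subsearch side changes which field the outer search constrains, giving the ParentPid lookup from the last comment. The sample events are constructed from the two log lines in the question plus one invented child-process event; the rendering of the filter string is an approximation of what the format command displays, not captured Splunk output.

```python
import re

# Constructed sample events, newest first, modelled on the question's two log lines.
EVENTS = [
    'System=Shark Message="Wrote some file" Pid=100',
    'System=Shark Message="Deleted all files" Pid=99 FileCount=100',
]

# Constructed child-process events for the ParentPid use case (hypothetical field).
PROCESS_EVENTS = [
    'System=Shark Message="Worker spawned" Pid=101 ParentPid=100',
    'System=Shark Message="Worker spawned" Pid=98 ParentPid=97',
]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def extract_fields(raw):
    """Extract key=value pairs from one event, stripping quotes from values."""
    return {k: v.strip('"') for k, v in _KV.findall(raw)}


def subsearch_latest(events, system, field="Pid", as_field=None):
    """Mimic `search System=<system> | head 1 | table <field> [| rename ...]`.

    Returns the field-scoped constraint the subsearch hands to the outer search.
    A rename changes the field name the constraint applies to, not its value.
    """
    for raw in events:  # events are ordered newest first
        f = extract_fields(raw)
        if f.get("System") == system and field in f:
            return {as_field or field: f[field]}
    return {}


def format_filter(constraint):
    """Render the constraint roughly the way `| format` shows it, e.g. ( ( Pid="100" ) )."""
    inner = " AND ".join(f'{k}="{v}"' for k, v in constraint.items())
    return f"( ( {inner} ) )"


def outer_search(events, system, constraint):
    """Apply the subsearch result as field-scoped constraints (Splunk's default)."""
    hits = []
    for raw in events:
        f = extract_fields(raw)
        if f.get("System") != system:
            continue
        if all(f.get(k) == v for k, v in constraint.items()):
            hits.append(raw)
    return hits


def free_text_search(events, system, value):
    """What the asker feared: the value matched anywhere in the raw event text."""
    return [raw for raw in events
            if extract_fields(raw).get("System") == system and value in raw]


if __name__ == "__main__":
    constraint = subsearch_latest(EVENTS, "Shark")
    print("filter:", format_filter(constraint))
    print("field-scoped:", outer_search(EVENTS, "Shark", constraint))
    print("free-text:", free_text_search(EVENTS, "Shark", "100"))
    parent = subsearch_latest(EVENTS, "Shark", as_field="ParentPid")
    print("children of latest pid:", outer_search(PROCESS_EVENTS, "Shark", parent))
```

Running it shows the field-scoped filter returning only the Pid=100 event while the free-text variant returns both, and the renamed constraint picking out the event whose ParentPid equals the latest Pid, which is the SQL-style parent lookup asked about.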