Splunk Search

Using Subsearch to Narrow Data: Contradictory and Inefficient?

ktrumpol
Path Finder

Hey spelunkers,

I am using a search that has many conditionals, and each conditional further narrows the pile of results. This search narrows logs down by information contained in their messages. I am having a problem with the very last conditional. The conditional is to only print CPU messages IF "temperature" or "running" is also in the log. (cpu and temperature) or (cpu and running) will eliminate all non-cpu logs, which I want to keep. I have tried many spin-offs on logic like NOT (CPU AND NOT (Temperature OR Running)), trying to say NO to cpu messages if temp or running is NOT in there with it. Let me give an example of what I want. Let's say the below 4 logs are all that is left after passing all the previous conditionals of the search.

log 1: kernel error56483...etc

log 2: cpu over temperature...etc

log 3: cpu left running...etc

log 4: cpu error no harm...etc

I want to keep log 1, 2, and 3. Log 1 was relevant to my previous conditionals, and 2 and 3 have the cpu errors I am looking for. Log 4 is the type of log I want eliminated. It managed to match a previous conditional, but because it contains the word 'cpu' in it without 'temp' or 'running' I know it possesses no significance.

So below is what I did to take care of this, using a subsearch. This seems inefficient and I am hoping I can write a conditional for it in my first search so I do not have to use a subsearch.

source="wineventlog:" a bunch of conditionals...NOT cpu | append [ search source="wineventlog:" cpu AND (temperature OR running) ]

Basically what this does, after all the narrowing in the first search, is at the end it eliminates ALL cpu messages. Then the subsearch does another whole query ONLY finding 'cpu and temp' or 'cpu and running', and attaches this to the first search, so that along with all the other logs I want (like example 1) I now also have cpu messages that only contain temp or running. Hopefully you understand.

This produces the results I want it to, logs 1, 2 and 3, but I am trying to figure out a more efficient way to do this.

Thanks for any help!

0 Karma
1 Solution

grijhwani
Motivator

Why not just use parentheses in your original search query?

index=meh source=meh ( ( conditional set 1) AND NOT "cpu" ) OR (conditional set 2)

Am I missing something fundamental about your question? (NB not a Windows user, so perhaps the context makes a difference.)
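To show that the parenthesized single search really does return the same events as the NOT-plus-append version, here is a small Python model of both filters run over the four example logs from the question. This is an added illustration, not Splunk code; the event texts are constructed, and "conditional set 1" is assumed to be a simple keyword filter standing in for the questioner's earlier conditionals.

```python
import re

# Constructed sample events, modelled on the four logs in the question.
EVENTS = [
    "kernel error56483 disk check complete",
    "cpu over temperature threshold reached",
    "cpu left running after shutdown request",
    "cpu error no harm detected",
]

TOKEN_RE = re.compile(r"[A-Za-z0-9_]+")


def has_term(event: str, term: str) -> bool:
    """Case-insensitive whole-token match, roughly how a bare SPL keyword behaves."""
    return term.lower() in (t.lower() for t in TOKEN_RE.findall(event))


def conditional_set_1(event: str) -> bool:
    """Assumed stand-in for the earlier narrowing conditionals in the question."""
    return has_term(event, "kernel") or has_term(event, "cpu")


def conditional_set_2(event: str) -> bool:
    """The cpu filter the question wants: cpu AND (temperature OR running)."""
    return has_term(event, "cpu") and (
        has_term(event, "temperature") or has_term(event, "running")
    )


def subsearch_style(events):
    """Question's approach: base search with NOT cpu, then append a second pass."""
    base = [e for e in events if conditional_set_1(e) and not has_term(e, "cpu")]
    appended = [e for e in events if conditional_set_2(e)]
    return base + appended


def single_pass(events):
    """Answer's approach: ((set 1) AND NOT cpu) OR (set 2), evaluated in one pass."""
    return [
        e for e in events
        if (conditional_set_1(e) and not has_term(e, "cpu")) or conditional_set_2(e)
    ]
```

Both functions keep logs 1, 2 and 3 and drop log 4; the single-pass form also preserves the original event order instead of tacking the cpu events on at the end.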

grijhwani
Motivator

Sometimes it's the obvious that gets overlooked. I do it all the time.

0 Karma

ktrumpol
Path Finder

Maybe because I never thought of doing it like that...I was so focused on making a certain ending conditional that I did not actually think to put parentheses around my whole search, and separate the entire search from the cpu conditional with an OR. Pretty much looks like my example, but without the subsearch and an OR instead.

If I run into issues with this I'll come back but I tested it for 10 minutes and it seems to work as I wanted.

0 Karma