Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can I run another search based on the results of a previous search?

mbenitezr
Explorer
‎03-19-2015 10:46 AM

Hi

I want to search the command "kill" on source bash_command=kill* and search the process from sourcetype=ps

Thanks a lot.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

masonmorales
Influencer
‎03-19-2015 01:14 PM

Yes, you would use a subsearch. The subsearch is evaluated first, and is treated as a boolean AND to your base search.

Example:

sourcetype=ps [search bash_command=kill* | fields ps]

View solution in original post

Reply
Solved! Jump to solution

bandit
Motivator
‎03-25-2015 09:09 AM

Note: the the subsearch (child search) will append PID=### to the primary (parent search) where ### is the PID digits. If the parent search does not know what the field PID is, it won't work. I made some minor tweaks to the regex. Also typesource should be "sourcetype".

sourcetype=ps [ search bash_command=kill* | rex field=bash_command "kill\s+(?<PID>\d+)" | dedup PID | fields PID ]

you could do a manual test of the primary search by hard coding the PID you are looking for as a test. If the manual test doesn't work, then the dynamic sub search won't work.

i.e.

sourcetype=ps PID="###"

Alternate search which will just search for the PID as a string instead of as a field. Might result in false positive matches.

sourcetype=ps [ search bash_command=kill* | rex field=bash_command "kill\s+(?<PID>\d+)" | dedup PID | fields PID | rename PID as search ]

More or less equivalent to a manual search of

sourcetype=ps "###"
Reply
Solved! Jump to solution

mbenitezr
Explorer
‎03-27-2015 03:10 PM

thanks a lot

0 Karma
Reply
Solved! Jump to solution

mbenitezr
Explorer
‎03-24-2015 11:13 AM

hello again,

I have this:

(sourcetype=ps) | search [search bash_command=kill* | rex field=bash_command "kill (?.+[0-9])" | dedup PID |fields PID ]

But don't work, i now i need split PID, but, i want first somo data

thanks a lot to rob_jordan and masonmorales

0 Karma
Reply
Solved! Jump to solution

masonmorales
Influencer
‎03-24-2015 11:51 AM

Glad it worked out. Could you click "Accept Answer" please?

0 Karma
Reply
Solved! Jump to solution

mbenitezr
Explorer
‎03-24-2015 12:37 PM

it is not working well, i want to search the process was killed in typesouce ps, but i can't do it

0 Karma
Reply
Solved! Jump to solution

masonmorales
Influencer
‎03-24-2015 01:57 PM

Could you post sample data from each source please?

0 Karma
Reply
Solved! Jump to solution
Solution

masonmorales
Influencer
‎03-19-2015 01:14 PM

Yes, you would use a subsearch. The subsearch is evaluated first, and is treated as a boolean AND to your base search.

Example:

sourcetype=ps [search bash_command=kill* | fields ps]

Reply
Solved! Jump to solution

mbenitezr
Explorer
‎03-27-2015 03:10 PM

you just have change typesource for sourcetype

0 Karma
Reply
Solved! Jump to solution

masonmorales
Influencer
‎03-27-2015 04:15 PM

Yes, sorry, I thought "typesource" was a field extraction that you had. If your sourcetype is called "ps" then it is "sourcetype=ps [search bash_command=kill* | fields ps]"

My apologies for any confusion that may have caused.

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...