- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How does subsearch work?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it possible to create a new search based off of results of previous search. My example below I use regex to extract a new column with all my users names that are extracted from User.
index="source1" source="event-source" rex field=_raw "(:?string1=\")(?<User>.*)(:?user account\")"
My goal would be to then create a new search of each user in another source
[Pesudo EXample] index-source1 source-user-source | search User | Select Id, name, phone, etc.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It looks something like this ...
index-source1 source="user-source"
[ search index="source1" source="event-source"
| rex field=_raw "(:?string1=\")(?<User>.*)(:?user account\")"
| table User
]
| table Id, name, phone, etc.
To see why this works, you should look at the format command. It takes all the events from the search and puts them into a field called search in this format
( ( User="firstUserValue" ) OR ( User="secondUserValue" ) OR ... )
To see what that looks like, run this...
index="source1" source="event-source"
| rex field=_raw "(:?string1=\")(?<User>.*)(:?user account\")"
| table User
| format
...and then just remember that anything in square brackets is run first and returned that way. If at the end of the square brackets there is only a field named search, then it is returned as-is. If not, then the format command is implicitly run to convert the records to a single return field named search.
(There are also a couple of other possibilities, like using the return verb, but those are what matter for your question here.)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It looks something like this ...
index-source1 source="user-source"
[ search index="source1" source="event-source"
| rex field=_raw "(:?string1=\")(?<User>.*)(:?user account\")"
| table User
]
| table Id, name, phone, etc.
To see why this works, you should look at the format command. It takes all the events from the search and puts them into a field called search in this format
( ( User="firstUserValue" ) OR ( User="secondUserValue" ) OR ... )
To see what that looks like, run this...
index="source1" source="event-source"
| rex field=_raw "(:?string1=\")(?<User>.*)(:?user account\")"
| table User
| format
...and then just remember that anything in square brackets is run first and returned that way. If at the end of the square brackets there is only a field named search, then it is returned as-is. If not, then the format command is implicitly run to convert the records to a single return field named search.
(There are also a couple of other possibilities, like using the return verb, but those are what matter for your question here.)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for such a detailed response. I really appreciate the explanation.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What he said.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, this is very common. You do it with a subsearch:
http://docs.splunk.com/Documentation/SplunkCloud/latest/Search/Aboutsubsearches
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
