Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Matching specific fields in main search with the results from subsearch

spj2
New Member
‎12-02-2013 07:34 PM

I am monitoring a directory with multiple CSV files and indexing these to say an index "ABC". The goal is to extract a field "IP" from this index and match it against multiple fields (src_ip, dst_ip) in different sourcetypes which will be the main search.

I am using the following query:

sourcetype=FW [search index=ABC| rename IP as search | fields search |format]

This query returns events from sourcetype=FW where any field matches "IP" and it's slow. I would like to search the "IP" only in src_ip and dst_ip fields in the FW.

How can I achieve this? Is subsearch the right solution in this case, because the list of "IP" in index "ABC" is going to get longer everyday?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎12-02-2013 10:28 PM

I am not sure that this will be better, but try it:

sourcetype=FW [ search index=ABC 
      | dedup IP | eval src_ip=IP | eval dest_ip=IP | fields src_ip dest_ip
      | format "(" "(" "OR" ")" "OR" ")" ]

You don't really need all the parentheses in the format command, but it was hard to read when I substituted spaces instead. And the end result will be the same.

It is only one subsearch instead of two, and it will specify the fields to search.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎12-02-2013 10:28 PM

I am not sure that this will be better, but try it:

sourcetype=FW [ search index=ABC 
      | dedup IP | eval src_ip=IP | eval dest_ip=IP | fields src_ip dest_ip
      | format "(" "(" "OR" ")" "OR" ")" ]

You don't really need all the parentheses in the format command, but it was hard to read when I substituted spaces instead. And the end result will be the same.

It is only one subsearch instead of two, and it will specify the fields to search.

0 Karma
Reply
Solved! Jump to solution

spj2
New Member
‎12-03-2013 06:31 AM

Thanks somesoni2 and lguinn. Both the solutions worked and took exactly the same amount of time.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎12-02-2013 10:22 PM

Try This

sourcetype=FW [search index=ABC | stats count by IP | rename IP as src_ip | fields - count] OR [search index=ABC | stats count by IP | rename IP as dst_ip | fields - count]

This will take unique values of IP from index=ABC (stats is the fastest way) then using subsearch a clause will be added as filter "src_ip=". Same is repeated for dst_ip, added as OR clause.

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎12-02-2013 10:19 PM

What is in the CSV files? Do they contain time-stamped events, or are they more like lists or tables of IP addresses?

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...