Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Related Fields

spohara79
Explorer
‎07-18-2018 08:33 AM

I have the following events:

{
    "file_name": "java.exe",
    "process_id": "0fb9dcff-c345-4d76-ae53-af46cd34524a",
    "command_line": "something",
    "parent_process_id": "c3df993f-7802-430a-9ef5-e018910aed4b"
},
{
    "file_name": "other.exe",
    "process_id": "1451fd51-bbce-4c27-999a-ee514e09529f",
    "command_line": "some^thing",
    "parent_process_id": "0fb9dcff-c345-4d76-ae53-af46cd34524a"
},
{
    "file_name": "cmd.exe",
    "process_id": "23a192cf-5f2d-4f42-a753-595b702a280b",
    "command_line": "some^thing",
    "parent_process_id": "0fb9dcff-c345-4d76-ae53-af46cd34524a"
},
{
    "file_name": "blah.exe",
    "process_id": "16ffed00-1175-4554-b4a3-0ab45e8d691f",
    "command_line": "",
    "parent_process_id": "39a6cb9d-4dd7-4c44-9ffd-d8ee9561a1a3"
}

I'm trying to pull the events without a subsearch, where I'm looking for a process that has file_name=cmd.exe and a parent process with the file_name=java.exe; In the above events, you see java.exe has two child process (other.exe and cmd.exe) and then a completely unrelated process called 'blah.exe'. I'd like to just return cmd.exe (but only if the parent_process_id matches the process_id of another event with a file_name=java.exe)

Tags (1)
0 Karma
Reply

poete
Builder
‎07-18-2018 08:54 AM

Hello @spohara,

your question looks close to this one: https://answers.splunk.com/answers/671770/getting-results-from-multiple-searches-without-app.html

If you adapt the answer to your case, this will solve it.

0 Karma
Reply

spohara79
Explorer
‎07-19-2018 02:43 PM

I don't get the expected result. It matches where all processes have a specific parent. A single process can have multiple children. I'm looking for a specific child process name.

0 Karma
Reply

woodcock
Esteemed Legend
‎07-18-2018 08:48 AM

Give us some example events and show which ones match with which to get your result set. I don't get it.

0 Karma
Reply

spohara79
Explorer
‎07-19-2018 02:49 PM

I did give some example events and which matches, but to clarify.. out of the above, only one event matches (the even with file_name cmd.exe)

As a joined search I use the following:

file_name=java.exe | join max=0 process_id [search file_name=cmd.exe | eval process_id=parent_process_id]

it just seems to take too long as a join.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...