- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Related Fields
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Related Fields
I have the following events:
{
"file_name": "java.exe",
"process_id": "0fb9dcff-c345-4d76-ae53-af46cd34524a",
"command_line": "something",
"parent_process_id": "c3df993f-7802-430a-9ef5-e018910aed4b"
},
{
"file_name": "other.exe",
"process_id": "1451fd51-bbce-4c27-999a-ee514e09529f",
"command_line": "some^thing",
"parent_process_id": "0fb9dcff-c345-4d76-ae53-af46cd34524a"
},
{
"file_name": "cmd.exe",
"process_id": "23a192cf-5f2d-4f42-a753-595b702a280b",
"command_line": "some^thing",
"parent_process_id": "0fb9dcff-c345-4d76-ae53-af46cd34524a"
},
{
"file_name": "blah.exe",
"process_id": "16ffed00-1175-4554-b4a3-0ab45e8d691f",
"command_line": "",
"parent_process_id": "39a6cb9d-4dd7-4c44-9ffd-d8ee9561a1a3"
}
I'm trying to pull the events without a subsearch, where I'm looking for a process that has file_name=cmd.exe and a parent process with the file_name=java.exe; In the above events, you see java.exe has two child process (other.exe and cmd.exe) and then a completely unrelated process called 'blah.exe'. I'd like to just return cmd.exe (but only if the parent_process_id matches the process_id of another event with a file_name=java.exe)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @spohara,
your question looks close to this one: https://answers.splunk.com/answers/671770/getting-results-from-multiple-searches-without-app.html
If you adapt the answer to your case, this will solve it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't get the expected result. It matches where all processes have a specific parent. A single process can have multiple children. I'm looking for a specific child process name.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give us some example events and show which ones match with which to get your result set. I don't get it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I did give some example events and which matches, but to clarify.. out of the above, only one event matches (the even with file_name cmd.exe)
As a joined search I use the following:
file_name=java.exe | join max=0 process_id [search file_name=cmd.exe | eval process_id=parent_process_id]
it just seems to take too long as a join.
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
