Why are my nested subsearches failing?

sfrazer
Explorer

Hello,

I'm running into a problem where if I nest subsearches too far, I start to return no results. I'm unable to find a published limit of nesting, though. Is there one?

The search I'm trying to run can be paraphrased like so:

sourcetype=weblogs (status=200 OR status=410)
    [search sourcetype=weblogs status=200 earliest=-3d@d latest=now request="GET /path/*"
        [search sourcetype=weblogs request="GET /path/*" status=410 earliest=-3d@d latest=now
            [search sourcetype=firewalllogs "/blocked/" earliest=-3d@d latest=now | dedup ip | table ip]
        | dedup ip | table ip]
    | dedup ip | table ip]
| chart count over ip by status

In plainspeak: I have a firewall listing of IP addresses that have been blocked and I put that into a table. I use that table to find web requests that have a status=410 and put all those IP addresses into a table. I then use that table to find web requests that have a status=200 and put all those IP addresses into a table.

This table now has the IP addresses of people who have been blocked by the firewall and also seen status=200 AND status=456 at some point in the last 3 days. And this works (returning about 40 addresses) until I put that final wrapper on it to show the counts by status, at which point I get no results.

0 Karma
1 Solution

renjith_nair
Legend

Can you just try adding a table/fields with status and ip before the chart command and run the search without chart to make sure that status and ip are listed and then add the chart command. Something like below.

sourcetype=weblogs (status=200 OR status=410)
    [search sourcetype=weblogs status=200 earliest=-3d@d latest=now request="GET /path/*"
        [search sourcetype=weblogs request="GET /path/*" status=410 earliest=-3d@d latest=now
            [search sourcetype=firewalllogs "/blocked/" earliest=-3d@d latest=now | dedup ip | table ip]
        | dedup ip | table ip]
    | dedup ip | table ip]
| fields status, ip
| chart count over ip by status
---
What goes around comes around. If it helps, hit it with Karma 🙂


0 Karma
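One way to make this search less fragile, as an added example that is not from the original thread or the poster's own search: every Splunk subsearch is capped by limits.conf [subsearch] maxout (10,000 results by default) and maxtime (60 seconds by default), and a subsearch that hits either limit is truncated silently, so the deeper the nesting the more likely the outer search ends up with an empty or partial IP list. The version below keeps the sourcetype, field and path names from the post as-is (they are assumptions about the poster's data) and collapses the two innermost weblog subsearches into a single pass that counts 200s and 410s per IP with stats, leaving only two levels of nesting. The outer search and the final chart are unchanged.

```spl
sourcetype=weblogs (status=200 OR status=410)
    [search sourcetype=weblogs request="GET /path/*" (status=200 OR status=410) earliest=-3d@d latest=now
        [search sourcetype=firewalllogs "/blocked/" earliest=-3d@d latest=now | dedup ip | table ip]
     | stats count(eval(status="200")) AS ok_count, count(eval(status="410")) AS gone_count BY ip
     | where ok_count > 0 AND gone_count > 0
     | table ip]
| fields ip, status
| chart count over ip by status
```

Running the bracketed middle search on its own (without the trailing `| table ip`) gives the per-IP 200/410 counts directly and shows how many addresses the subsearch will hand to the outer search; if that number approaches 10,000, raise maxout for the search or move the IP list into a lookup instead of a subsearch. The `fields ip, status` line before chart mirrors the accepted answer: it makes it obvious in the results whether both fields survived the subsearch before the chart command tries to pivot on them.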

sfrazer
Explorer

I'm sure I understand why that fixed it, but it did.

Thanks!

0 Karma