5/4/2023 0 Comments

Splunk subsearch

MySource1 example
17:00:01 - Naam van gebruiker: hank - Rol van gebruiker: operator
17:00:01 - Naam van gebruiker: skylar - Rol van gebruiker: operator
17:00:01 - Naam van gebruiker: walt - Rol van gebruiker: operator
17:00:01 - Naam van gebruiker: skylar - Rol van gebruiker: administrator
17:00:01 - Naam van gebruiker: walt - Rol van gebruiker: administrator

MySource2 example
13:49:57,654 User:hank The user is authenticated and logged in.
13:49:57,654 User:skylar The user is authenticated and logged in.
13:49:57,654 User:walt The user is authenticated and logged in.

In Splunk I need a dashboard with a statistics table, looking like this:

USER, LATEST
Hank, 13:49:57,654 User:hank The user is authenticated and logged in.
Skylar, 13:49:57,654 User:skylar The user is authenticated and logged in.
Walt, 13:49:57,654 User:walt The user is authenticated and logged in.

Where USER is column 1 and LATEST column 2. The purpose of the table is to show the user ids (found in mySource1) and show the latest login event (found in mySource2) so that you can tell when each user last logged in.

"User:myUserID The user is authenticated and logged in."

But I found out that the second search returns data to the first search. Also, I did not fetch the name from the second search.

I later tried the following:

index="myIndex" source="mySource2" "The user is authenticated and logged in."

But this does not return any data.

I tried running both searches separately, and when I do, they return the data I need:

index="myIndex" source="mySource2" | rex "User:(?<user>\w+) The user is authenticated and logged in."

How do I manage to return the data and get the desired table of results?

EDIT: Forgot to mention, I also need to show users who have a role (source1) but have never logged in (not found in source2). Hence mySource1 is used.

1) A subsearch is a search that is used to reduce the set of events from your result set.
2) The result of the subsearch is used as an argument to the primary or outer search.
3) Subsearches must be enclosed in square brackets and must start with a generating command (e.g. search, makeresults, etc.). If you want to know more about generating commands, click here.

First, let me show you the data we are going to use to show the usage of “subsearches”. Here, we will use two indexes:
1) employee_info_main
2) employee_info_sub
And from these two indexes, we are going to take a common field, i.e. “Employee_Name”, which contains the names of some employees.

Please see the below query to see the data for index “employee_info_main”, which we will use as the “Primary Search”.

index=employee_info_main | table Employee_Name | dedup Employee_Name

As you can see, the field “Employee_Name” contains the names of 5 employees.

Please see the below query to see the data for index “employee_info_sub”, which we will use as the “subsearch”.

index=employee_info_sub | table Employee_Name | dedup Employee_Name

As you can see, the field “Employee_Name” contains the names of 3 employees.

Now, if you want to search for the values of the “Employee_Name” field of the 2nd index, i.e. “employee_info_sub”, inside the 1st index, i.e. “employee_info_main”, you can use a subsearch to do that. So, let’s see.

Example 1:

index=employee_info_main | table Employee_Name | dedup Employee_Name | search [search index=employee_info_sub | table Employee_Name | dedup Employee_Name]

As you can see in the primary query, first we have retrieved the unique values of the “Employee_Name” field in tabular format from index “employee_info_main” using the “table” and “dedup” commands.

Here, our primary search is:

index=employee_info_main | table Employee_Name | dedup Employee_Name

And here, our subsearch is:

[search index=employee_info_sub | table Employee_Name | dedup Employee_Name]

As we wanted to search for the values of “Employee_Name” of the 2nd index, i.e. “employee_info_sub”, inside the 1st index, i.e. “employee_info_main”, we have put the query from the “employee_info_sub” index in square brackets as a subsearch. Then, we have used the “search” command because we want to search for the result of the subsearch within the result set of the primary query.

If you compare the above image with image 1 and image 2, you can easily understand that we successfully searched for the values of the “Employee_Name” field of the “employee_info_sub” index in the “employee_info_main” index.

You can also read: Usage Of Splunk Commands : Join

Now, what if you want to discard the values of “Employee_Name” of “employee_info_sub” from the result set, i.e.