12/9/2023

Splunk sub search

In this section, we are going to learn about sub-searching in the Splunk platform. A subsearch is a special case of the regular search, where the result of a secondary or inner query is the input to the primary or outer query. It is similar to the concept of a subquery in SQL. In Splunk, the inner query should return a result that can be used as input to the outer (primary) query.

Required argument: subsearch. Description: A secondary search added to the main search. Subsearches must be enclosed in square brackets in the primary search. When a search contains a subsearch, the subsearch is run first.

We consider the case of finding the file in a web log that has the maximum byte size. We then want to find only those events where the file size is equal to that maximum size and the event day is a Sunday.

We first create the subsearch to find the maximum file size. We use the stats function max with the field named bytes as the argument. This identifies the maximum size of the file for the time frame over which the search query is run. The image below (not preserved here) showed the search and the result of this subsearch.

Adding the Subsearch

Next, we add the subsearch query to the primary or outer query by putting the subsearch inside square brackets. The search clause is also added to the subsearch query. As we see, the result contains only the events where the file size is equal to the maximum file size found across all the events, and the event day is a Sunday.

That is how we use the return command in a subsearch to return the result based on predefined criteria dynamically. If you want to cross-check, replace the subsearch with its result and notice that the whole subsearch is replaced by ip87.194.216.51 in the main query.

Thus the stats search is not only simpler but also a little faster, because it can do all the work in a single search pipeline. Furthermore, you won't run into the limits that subsearches have.

Help with Subsearch using different time range than main search. I am trying to make a subsearch that will search events from a different time period than the original (outer) search. I have a search that will search for events (we will refer to them as 'calls') for the last 30 days. In that I have set it up so that it will.
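The searches described above, written out as an added SPL example that is not part of the original post. The sourcetype access_combined and the field names bytes, clientip and uri_path are assumptions (they match Splunk's Apache access-log extraction but were not stated on the page). The first query is the subsearch form from the tutorial; the second goes beyond the page's case by doing the same job with eventstats in a single pipeline; the third addresses the time-range question by giving the subsearch its own earliest/latest modifiers and returning the value with the return command.

```spl
sourcetype=access_combined
    [ search sourcetype=access_combined | stats max(bytes) AS bytes ]
| eval day=strftime(_time, "%A")
| where day="Sunday"
| table _time clientip uri_path bytes day

sourcetype=access_combined
| eventstats max(bytes) AS maxbytes
| where bytes=maxbytes AND strftime(_time, "%A")="Sunday"
| table _time clientip uri_path bytes

sourcetype=access_combined earliest=-30d latest=now
    [ search sourcetype=access_combined earliest=-1d latest=now
      | stats max(bytes) AS bytes
      | return bytes ]
| eval day=strftime(_time, "%A")
| where day="Sunday"
| table _time clientip uri_path bytes day
```

In the first query the subsearch runs first and its single row is rewritten into the outer search as a clause of the form bytes="<value>", which is what the cross-check in the text refers to: paste that clause in place of the bracketed subsearch and the result is identical. The eventstats form avoids the default subsearch limits (10,000 results and 60 seconds of run time, after which the subsearch is silently truncated), which is the reason the text calls the stats approach simpler and faster. In the third query the earliest/latest inside the brackets apply only to the subsearch, so the maximum is computed over the last day while the outer search still covers 30 days; return bytes hands back the field as bytes="<value>", whereas return $bytes would hand back the bare value.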