Advanced Search Examples
In this chapter, we will work through a few advanced search examples in great
detail. The examples and data shown are fictitious, but hopefully will spark some
ideas that you can apply to your own data. For a huge collection of examples and
help topics, check out Splunk answers at http://answers.splunk.com .
Using subsearches to find loosely related events
The number of real-world use cases for subsearches is small, but in the situations
where they apply, a subsearch can be a magic bullet. Let's look at an example and
then talk about some rules.
Subsearch
Let's start with these events:
2012-04-20 13:07:03 msgid=123456 from=mary@companyx.com
2012-04-20 13:07:04 msgid=654321 from=bobby@companyx.com
2012-04-20 13:07:05 msgid=123456 to=bob@vendor1.co.uk
2012-04-20 13:07:06 msgid=234567 from=mary@companyx.com
2012-04-20 13:07:07 msgid=234567 to=larry@vender3.org
2012-04-20 13:07:08 msgid=654321 to=bob@vendor2.co.uk
From these events, let's find out who mary has sent messages to. Notice that the
from and to values for a given message are logged in separate events, tied
together only by the shared msgid. We could use stats to pull these events
together by msgid, and then filter the resulting rows, like this:
sourcetype=mail to OR from
| stats values(from) as from values(to) as to by msgid
| search from=mary@companyx.com
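To make the mechanics of that pipeline concrete, here is an added example (not code from the book, and not Splunk's own implementation) that emulates the three stages in Python over the six fictitious events above: key=value extraction, `stats values(...) by msgid`, and the trailing `search from=...` filter. The sample events are copied from the page; the function names `parse_event`, `stats_values_by_msgid` and `recipients_of` are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample input: the fictitious mail events from the page.
SAMPLE_EVENTS = """\
2012-04-20 13:07:03 msgid=123456 from=mary@companyx.com
2012-04-20 13:07:04 msgid=654321 from=bobby@companyx.com
2012-04-20 13:07:05 msgid=123456 to=bob@vendor1.co.uk
2012-04-20 13:07:06 msgid=234567 from=mary@companyx.com
2012-04-20 13:07:07 msgid=234567 to=larry@vender3.org
2012-04-20 13:07:08 msgid=654321 to=bob@vendor2.co.uk
"""

# Splunk auto-extracts key=value pairs at search time; this regex does the same.
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Return the key=value fields of one raw event as a dict."""
    return dict(KV_RE.findall(line))


def stats_values_by_msgid(lines):
    """Emulate: sourcetype=mail to OR from
                | stats values(from) as from values(to) as to by msgid

    Like Splunk's values(), each column is a de-duplicated, lexically
    sorted multivalue field. Events without msgid are dropped, as they
    would be by 'by msgid'; events with neither field fail the base search.
    """
    rows = defaultdict(lambda: {"from": set(), "to": set()})
    for line in lines:
        ev = parse_event(line)
        if "msgid" not in ev:
            continue
        if "from" not in ev and "to" not in ev:
            continue
        for field in ("from", "to"):
            if field in ev:
                rows[ev["msgid"]][field].add(ev[field])
    return {
        msgid: {"from": sorted(v["from"]), "to": sorted(v["to"])}
        for msgid, v in rows.items()
    }


def recipients_of(lines, sender):
    """Emulate the trailing '| search from=<sender>' over the stats rows.

    A search on a multivalue field matches if any value matches, so a
    message with several from values still counts. Returns {msgid: [to, ...]}
    for every message the sender originated.
    """
    rows = stats_values_by_msgid(lines)
    return {msgid: row["to"] for msgid, row in rows.items() if sender in row["from"]}


if __name__ == "__main__":
    for msgid, to in recipients_of(SAMPLE_EVENTS.splitlines(), "mary@companyx.com").items():
        print(msgid, "->", ", ".join(to))
```

The point to notice is the order of operations: the filter on `from` runs only after every event matching `to OR from` has been read and aggregated. On a small sample that is invisible, but on a busy mail relay it means scanning all delivery events to answer a question about one sender, which is the cost the subsearch form of this query is meant to avoid.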