The important task is correlation. basically equivalent of set operation [a+ (b-a)]. In the perfect world the top half does'tre-run and the second tstat re-use the 1st half's data from the original run. TPID=* CALFileRequest. Hi, It's been more than a week that I am trying to display the difference between two search results in one field using the "| set diff" command diff. Union events from multiple datasets. But basically I have relatively complex searches that I don't want to manage in 1 report with joins or appends. Field 2 is only present in index 2. type . 06-28-2011 07:40 PM. Join Now! Splunk Monthly Customer Advisory Boards! Dungeons & Data Monsters: 3. Subscribe to RSS Feed;. Description: Indicates the type of join to perform. I suspect that @somesoni2 will slow down once he crosses 100K but I though that he would slow down when he solidly grabbed the #1 slot and he didn't. see below: I have two sourcetypes: (index=vulnerability sourcetype=json:id) with the following fields: computername secondaryid id (sourcetype="json:impacts") with the following fields: c_id cw_id bs isThanks Kristian, Is it possible to use transaction on two fields, eg "hosts" & "hosts2" whereby it is the data in both fields which is the same, and it is that which I wish to correlate? Also, Both searches are different indexesI'd like to join two searches and run some stats to group the combined result to see how many users change/update browsers how often. For this reason I was thinking to run the 2nd search with a dynamic field (latest) which will be calculated in the main search and it will search in the DNS only up to the last time this user used this IP address. The left-side dataset is the set of results from a search that is piped into the join command. Subscribe to Support the channel: help? Message me on LinkedIn: 06-19-2019 08:53 AM. csv. Index=A sourcetype=accesslogs -->This search has a SignatureProcessId ( which is same as processId in the search1) and also it has userId. I have two splunk queries and both have one common field with different values in each query. Below is an example of two different searches that I am joining so I can get the following outcome after creating extracted fields1. | stats values (email) AS email by username. Step 3: Filter the search using “where temp_value =0” and filter out all the results of the match between the two. 51 1 1 3 answers. . Eg: | join fieldA fieldB type=outer - See join on docs. search. The company is likely to record a top-line expansion year over year, driven by growing. com/answers/526074/… – Tsakiroglou Fotis Aug 17, 2018 at 16:03 Add a comment 2 Answers Sorted by: 8 Like skoelpin said, I would. 1. The information in externalId and _id are the same. . pid = R. Can you please add sample data from two index that are to be correlated? Also, do you know whether the field extractions for indexA and indexB been created by you/your team or are they built. Splunk, Splunk>, Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or registered. SSN=*. 0. Hi , I want to join two searches without using Join command ? I don't want to use join command for optimization issue. BrowseHi ccloutralex, if you read the most answers about join, you find that join is a command to use only when it isn't possible to use a different approach because has two problems: it's a slow command, there the limit of 50,000 results in subsearches. Let’s take an example: we have two different datasets. Splunk Platform Products; Splunk Enterprise; Splunk Cloud; Splunk Data Stream Processor; Splunk Data Fabric Search; Splunk Premium Solutions; Security Premium Solutions; IT Ops Premium Solutions; DevOps Premium Solutions; Apps and Add-ons; All Apps and Add-ons; Discussions. BrowseI want to join those two searches so the results from search 1 are compared against a list of members from search 2. Generating commands fetch information from the datasets, without any transformations. Try this! search A| fields userid, action, IP| join client_IP as IP [search b | fields sendername, client_IP] OR There is also a way to use STATS. | set diff [ search index=idx2 sourcetype=src | dedup A ] [search index=idx1 sourcetype=src | dedup A ] | stats count BY index A | table index A. e. Do you have an example event that sets duration toHi , Thanks for your answer but it returns wrong results. 1) You can use join with an "outer" search and a subsearch: first_search | join host [ second_search ] 2) But you probably don't have to do them as separate searches. Join? 2kGomuGomu • 2 mo. Path Finder 10-18-2020 11:13 PM. search 1 -> index=myIndex sourcetype=st1 field_1=* search 2 -> index=myIndex sourcetype=st2. I can create the lookup for one of the queries and correlate the matching field values in the second query but trying to do without lookup within. g. In general is there any way to dynamically manipulate from the main search the time range (earliest latest) that the 2nd search will. CC {}, and ExchangeMetaData. . 1. Communicator 02-24-2016 01:48 PM. If you want to coorelate between both indexes, you can use the search below to get you started. From PaloAlto logs I get the list of malicious domains detected and blocked with the following query and I do a join statement looking for each malicious domain a DNS request entry in the. The second part of the output table (start1, end1, Acct_Session_Id, NAS_IP_Address, User_Name) returns identical rows, i. 1) index=symantec_sep sourcetype="symantec:ep:scan:file" | dedup dest |table dest | sort dest. So at the end I filter the results where the two times are within a range of 10 minutes. index=sendmail earliest="@d-2h" latest="@d+10h" | append [ search index=sendmail earliest="@d+10h". It is essentially impossible at this point. and Field 1 is common in . P lotting two time-series in a single chart is a question often asked by many of our customers and Answers users. 6 hours ago. Looks like a parsing problem. There are often several ways to get the same result in Splunk - some more performant than others - which is useful in large data sets. The Great Resilience Quest: Leaderboard 7. the same set of values repeated 9 times. The event time from both searches occurs within 20 seconds of each other. Change status to statsCode and you should be good to gook . 0をベースに記載; subsearches (join, append, inputlookupの組み合わせ利用) デフォルトのイベント件数の制限 サブサーチの結果は10,000件まで!I ended up running a daily search, like below (checks the entire keystore for the latest date within 30days and does a stats count). d,e,fSolved: I have two searches: search-A gives values like type status hostname id port Size base cache OFF host-1 17 NA NA NA NA ON host-1 6. ) and that string will be appended to the main. for example, search 1 field header is, a,b,c,d. You also want to change the original stats output to be closer to the illustrated mail se. For instance: | appendcols [search app="atlas"Splunk Search cancel. Security & the Enterprise; DevOps &. By Splunk January 15, 2013. For Type= 101 I don't have fields "Amount" and "Currency", so I'm extracting them through Regex in separate query. Please read the complete question. Hence not able to make time comparison. Hi, I am trying to get a list of workstations trying to connect to malicious DNS using PaloAlto and SYSMON logs. pid <right-dataset> This joins the source data from the search pipeline with the right-side dataset. Optionally. The "inner" query is called a 'subsearch' and the "outer" query is called the "main search". where (isnotnull) I have found just say Field=* (that removes any null records from the results. You can join on as many fields as you want But doing it on latest , in your example, is probably not what you really mean - though it may be What are COVID-19 Response SplunkBase Developers DocumentationMy search 1 gives the page load time (response_time) of the requested content but it doesn't tell you if it was logged out page or logged in page. . From PaloAlto logs I get the list of malicious domains detected and blocked with the following query and I do a join statement looking for each malicious domain a DNS request entry in the. 17 - 8. I have a list of servers, osname & version and a lookup with products, versions and end-of-support dates. . If the two searches joined with OR add up to 1728, event count is correct. and use the last where condition to take only the ones present in all tables. 20 t1 user1 30. You can also combine a search result set to itself using the selfjoin command. Learn how to use the join command in Splunk to bring together two matching fields from two different indexes. Step 2: Use the join command to add in the IP addresses from the blacklist, including every IP address that matches. 30. left join with field 1 from index2 if field1!=" " otherwise left join with field 2 from index 2. . d,e,f Solved: I have two searches: search-A gives values like type status hostname id port Size base cache OFF host-1 17 NA NA NA NA ON host-1 6 SplunkBase Developers Documentation Browse Simplicity is derived from reducing the two searches to a single searches. dwaddle. Bye. Subscribe to RSS Feed; Mark Topic as New; Mark Topic as Read; Float this Topic for Current User;. P. client_ip What can be the equivalent query in Splunk if index is considered a table ? below is the actual scenario. The multisearch command is a generating command that runs multiple streaming searches at the same time. You can use the union command at the beginning of your search to combine two datasets or later in your search where you can combine the incoming search results with a dataset. The first search uses a custom Python script: The exact where expression may need to be tweaked depending on the content of that field and if you're trying an exact match or a CIDR match. conf to use the new index for security source types. ip,Table2. I have to agree with joelshprentz that your timeranges are somewhat unclear. a. 1) You can use join with an "outer" search and a subsearch: first_search | join host [ second_search ] 2) But you probably don't have to do them as separate searches. Hi @jerrytao, consider your Search1 with table result -> * A | B * and your Search2 with table result -> A | C | D , try this below to join COVID-19 Response SplunkBase Developers Documentation BrowseSo, I figured that if I use eval to rename the field in the first search, it should match the corresponding field in the second search when using a join. Then I try to check if the user displayed has administration rights by appending the subsearch displayed below. This command requires at least two subsearches and allows only streaming operations in each subsearch. 1. Community AnnouncementsCOVID-19 Response SplunkBase Developers Documentation. source="events" | join query. There's your problem - you have no latest field in your subsearch. So I have saved 3 searches, each of the 3 searches product the same fields, but I would like to join them together referencing the. We can join two searches with no command fields by creating a field alias so both the externalid and _id can map per a. You can use the union command at the beginning of your search to combine two datasets or later in your search where you can combine the incoming search results with a dataset. You can use the join command to combine the results of a main search (left-side dataset) with the results of either another dataset or a subsearch (right-side dataset). The following table. 0 Karma. Option 1: Use combined search to calculate percent and display results using tokens in two different panels. BCC {}; the stats function group all of their values into a multivalue field "values (domain)", grouped by Sender. Needs some updating probably. 0. at first you have to check how many results you have in the second query because there's a limit of 50,000 results in subqueries, so maybe this is the problem. BCC {}; the stats function group all of their values into a multivalue field "values (domain)", grouped by Sender. . ip=table2. Each of these has its own set of _time values. . Example: Query 1: retrieve IPS alerts host=ips ip_src=10. And I've been through the docs. index = "windows" sourcetyp. Hi I have a very large base search. The three rex commands extract the desired fields then the stats command puts the^ this guy wants to catch up to somesoni so badly :-D. Phantom) >> Enterprise Security >> Splunk Enterprise or Cloud for Security >> Observability >> Or Learn More in Our Blog >>usually the people that loves join are people that comes from SQL, but Splunk isn't a DB, it's a search engine, so you should try to think in a different way. . Security & the Enterprise; DevOps &. The left-side dataset is the set of results from a search that is piped into the join command. Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type. 06-19-2019 08:53 AM. So I need to join two searches on the basis of a common field called uniqueID. I tried using coalesce but no luck. When Joined X 8 X 11 Y 9 Y 14. Description. (index="pan_logs" dns sourcetype="pan:threat" dest_zone=External dest_port=53 vendor_action=sinkhole (action=dropped OR action=blocked)) OR (ind. . I have a very large base search. I have two source types, one (A) has Active Directory information, user id, full name, department. Description. Because of this, you might hear us refer to two types of searches: Raw event searches. . Try append, instead. So I have 2 queries, one is client logs and another server logs query. Event 1 is data related to sudo authentication success logs which host and user name data . Full of tokens that can be driven from the user dashboard. Optionally specifies the exact fields to join on. I have two spl giving right result when executing separately . From PaloAlto logs I get the list of malicious domains detected and blocked with the following query and I do a join statement looking for each malicious domain a DNS request entry in the. 1. . Finally, delete the column you don’t need with field - <name> and combine the lines. Your query should work, with some minor tweaks. Splunk is an amazing tool, but in some ways it is surprisingly limited. I currently try to do a splunk auditing by searching which user logged into the system using some sort of useragent and so on. Turn on suggestions. your base search fetching both type of events | eval host_name=coalesce(mail_srv,srv_name)Solved: Hi, I wonder whether someone may be able to help me please. eg. From PaloAlto logs I get the list of malicious domains detected and blocked with the following query and I do a join statement looking for each malicious domain a DNS request entry in the sysmon log. From PaloAlto logs I get the list of malicious domains detected and blocked with the following query and I do a join statement looking for each malicious domain a DNS request entry in the. sourcetype="srcType1" OR sourcetype="srcType2" commonField=* | stats count as eventcount by commonField | search eventcount>1. Hi, I am trying to get a list of workstations trying to connect to malicious DNS using PaloAlto and SYSMON logs. (| table host DisplayName DisplayVersion DesktopGroupName) host = MachineName, that fields contains same values, in same format. dwaddle. The following are examples for using the SPL2 union command. Syntax: type=inner | outer | left. If that is the case, then you can try as. second search. So you do not want to "combine" results of the two queries into one, just to apply some additional conditions to the o365 search, conditions used in the mail search that haven't been applied in the o365 search. I've been trying to use that fact to join the results. I have two lookup tables created by a search with outputlookup command ,as: table_1. This is a run anywhere example of how join can be done. . search. e. | join type=left client_ip [search index=xxxx sourcetype. The results will be formatted into something like (employid=123 OR employid=456 OR. Example: correlationId: 80005e83861c03b7. | savedsearch. 1 KB. . There need to be a common field between those two type of events. index=aws-prd-01 application. One of the datasets can be a result set that is then piped into the union command and merged with a second dataset. If they are in different indexes use index="test" OR index="test2" OR index="test3". BrowseMonitoring Splunk; Using Splunk; Splunk Search; Reporting; Alerting; Dashboards & Visualizations; Splunk Development; Building for the Splunk Platform; Splunk Platform Products; Splunk Enterprise; Splunk Cloud Platform; Splunk Data Stream Processor; Splunk Data Fabric Search; Splunk Premium Solutions;Hi rajatsinghbagga, too good! if this answer solves your problems, please, accept and/ot upvote it. I mean, I agree, you should not downvote an answer that works for some versions but not for others. Having high number of results in first search is perfectly fine, but the problem is with second search which is also called sub search. COVID-19 Response SplunkBase Developers Documentation. I dont know if this is causing an issue but there could be4. Index name is same for both the searches but i was using different aggregate functions with the search . Join datasets on fields that have the same name. In your case you will just have the third search with two searches appended together to set the tokens. You can. 1 Karma. conf talk; I have done this a lot us stats as stated. 344 PM p1. Outer Join (Left) Above example show the structure of the join command works. Generating commands fetch information from the datasets, without any transformations. BrowseCOVID-19 Response SplunkBase Developers Documentation. Security & the Enterprise; DevOps &. CC{}, and ExchangeMetaData. (sourcetype=foo OR sourcetype=bar OR sourcetype=xyz). The reasons to avoid join are essentially two. You can use the join command to combine the results of a main search (left-side dataset) with the results of either another dataset or a subsearch (right-side dataset). The issue is the second tstats gets updated with a token and the whole search will re-run. Then check the type of event (or index name) and initialise required columns. Join two searches together and create a table dpanych. I am trying to list failed jobs during an outage with respect to serverIP . Thank you gcusello, First query -- All Good , Second query -- All Good , However in the Third query which is the combination of First and SecondThanks Woodcock, I am not sure from where are you getting the value for Runtime in the above query. | tstats `summariesonly` count FROM datamodel="Web" WHERE index=XXXX sourcetype=XXXXX byYou will need a lookup table…or sub search (not recommended) Created saved search on cron job for search 1 and 2 that populates lookup table. a splunk join works a lot like a sql join. hi only those matching the policy will show for o365. . ago I second the. Show us 2 samples data sets and the expected output. One thing that is missing is an index name in the base search. The above discussion explains the first line of Martin's search. SplunkTrust. The subsearch produces no difference field, so the join will not work. So to use multisearch correctly, you should probably always define earliest and. It then uses values() to pass. Hi, I am trying to get a list of workstations trying to connect to malicious DNS using PaloAlto and SYSMON logs. ) and that string will be appended to the main search. Consider two tables user-info and some-hits user-info name ipaddress time user1 20. Splunk Search cancel. . “foo OR bar. I'm new to Splunk and need some help with the following: authIndexValue [] is an array that will hold at least one value. HRBDT status=1 | dedup filename |rename filename as Daily ]| stats count. You want that the searchA and searchB return a single line per field1, otherwise the join between the 2 lists will be wrong. But, if you cannot work out any other way of beating this, the append search command might work for you. I have then set the second search which. Splunk ® Enterprise Search Manual Types of searches Download topic as PDF Types of searches As you search, you will begin to recognize patterns and identify more. Splunk Platform Products; Splunk Enterprise; Splunk Cloud; Splunk Data Stream Processor; Splunk Data Fabric Search; Splunk Premium Solutions; Security Premium Solutions; IT Ops Premium Solutions; DevOps Premium Solutions; Apps and Add-ons; All Apps and Add-ons; Discussions. Turn on suggestions. Posted on 17th November 2023. Fields: search 1 -> externalId search 2 -> _id. Following is a run anywhere example using Splunk's _internal index:DO NOT USE the transaction command; try this: index=process_log AND ((MSGNUM="START-PROCESS" OR MSGNUM="END-PROCESS") ANDHi, I am trying to get a list of workstations trying to connect to malicious DNS using PaloAlto and SYSMON logs. |inputlookup COVID-19 Response SplunkBase Developers Documentation BrowseHi, I hope you're at 6. Please hep in framing the search . index=_internal earliest=-4h | stats count by index sourcetype | join type=inner index [search index=_internal source=*metrics. But if the search Query 2 LogonIP<20 then, I want to join the result with Query 1 and get the result. From PaloAlto logs I get the list of malicious domains detected and blocked with the following query and I do a join statement looking for each malicious domain a DNS request entry in the. Splunk Data Fabric Search; Splunk Premium Solutions. index=ticket. So at first check the number of results in subsear. ”. You're essentially combining the results of two searches on some common field between the two data sets. Reply. ip=table2. EnIP = r. Combine the results from a search with. join does indeed have the ability to match on multiple fields and in either inner or outer modes. Join 2 searches to enrich data from other index. See Initiating subsearches with search commands in the Splunk Cloud Platform Search Manual. Inner join: In case of inner join it will bring only the common. COVID-19 Response SplunkBase Developers Documentation. My goal is to win the karma contest (if it ever starts) and to cross 50K. Use the search command to retrieve events from indexes or filter the results of a previous search command in the pipeline. The search then uses the serverName field to join the information with information from the /services/server/info REST endpoint. . Define different settings for the security index. . Merges the results from two or more datasets into one dataset. index=A product=inA | stats count (UniqueID) as Requests | appendcols [search index=B order="BuyProduct" | stats count (UniqueID) as OrdersPlaced]Check to see whether they have logged on in the last 12 months, In addition add the date on each user row when the account was created/amended. The left-side dataset is the set of results from a search that is piped into the join. At the end I just want to displ. The issue is the second tstats gets updated with a token and the whole search will re-run. BrowseI am trying to join 2 splunk queries. both shows the workstations in environment (1st named as dest from symantec sep) & (2nd is named. From PaloAlto logs I get the list of malicious domains detected and blocked with the following query and I do a join statement looking for each malicious domain a DNS request entry in the. I have a problem to join two result. name=domestic-batch context=BATCH action=SEND_EMAIL (status=STARTED OR status="NOT RUN" OR. Summarize your search results into a report, whether tabular or other visualization format. argument. Enter them into the search bar provided, including the Boolean operator AND between them. I'm using the following searches: Search 1 - "EI Auth" Auth - index="main" auditSource=*auth* auditType=LoginEntitlements detail. . New Member 06-02-2014 01:03 AM. join Multisearch Union OR boolean operator The most common use of the OR operator is to find multiple values in event data, for example, “foo OR bar. This approach is much faster than the previous (using Job Inspector). I have to agree with joelshprentz that your timeranges are somewhat unclear. For example, I am seeing time mismatches in the _time value between chart columns (some being incorrect). From PaloAlto logs I get the list of malicious domains detected and blocked with the following query and I do a join statement looking for each malicious domain a DNS request entry in the. So version 4 of a certain OS has it's own out-of-support date, version 5 another supportdate. I appreciate your response! Unfortunately that search does not work. COVID-19 Response SplunkBase Developers Documentation. Table 1 userid, action, IP Table2 sendername, action, client_IP Query : select Table1. Jun 22 COVID-19 Response SplunkBase Developers DocumentationI think I understand now. Examples of streaming searches include searches with the following commands: search, eval, where, fields, and rex. SplunkTrust. index=A product=inA | stats count (UniqueID) as Requests | appendcols [search index=B order="BuyProduct" | stats count (UniqueID) as OrdersPlaced] Check to see whether they have logged on in the last 12 months, In addition add the date on each user row when the account was created/amended. I want to join two indexes and get a result. If you are joining two large datasets, the join command can consume a lot of resources. . However, it seems to be impossible and very difficult. I also tried {} with no luck. COVID-19 Response SplunkBase Developers DocumentationAh sorry in my test search I had just status. Try append, instead. Solution. Splunk Platform Products; Splunk Enterprise; Splunk Cloud; Splunk Data Stream Processor; Splunk Data Fabric Search; Splunk Premium Solutions; Security Premium Solutions; IT Ops Premium Solutions; DevOps Premium Solutions; Apps and Add-ons; All Apps and Add-ons; Discussions. The following example appends the current results of the main search with the tabular results of errors from the. To {}, ExchangeMetaData. If I just pass only the client_ip everything works fine, but I want to manipulate the time range of the subsearch. Answers. I need to combine both the queries and bring out the common values of the matching field in the result. Then you take only the results from both the tables (the first where condition). yesterday. If no fields are specified, all fields that are shared by both result sets will be used. Since this field is same for hits_table and user_history, how cna i specify that i want to read the _time from hits_table and not user_history. . I'm trying to join 2 lookup tables. A subsearch can be initiated through a search command such as the union command. I am writing a splunk query to find out top exceptions that are impacting client. Hi, I am trying to get a list of workstations trying to connect to malicious DNS using PaloAlto and SYSMON logs. You also want to change the original stats output to be closer to the illustrated mail search. sorry , I am doing this for the first time hence so many questions. . With this search, I can get several row data with different methods in the field ul-log-data. index="pan_logs" dns sourcetype="pan:threat" dest_zone=External dest_port=53 vendor_action=sinkhole (action=dropped OR. I have used append to merge these results but i am not happy with the results. I know that this is a really poor solution, but I find joins and time related operations quite. But I don't know how to process your command with other filters. How to join 2 indexes. Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type. 06-23-2017 02:27 AM. In addition, transaction and join aren't performant commands, so it's better to replace with stats command, somethimes like this: First Search: I need to join two searches on a common field in which I want a value of the left search matches all the values of the right search. Hi, We have two kind of logs for our system: First one logs all the user sessions with user name, src ip, dst ip, and login/logout time. Hi, I am trying to get a list of workstations trying to connect to malicious DNS using PaloAlto and SYSMON logs. . EnIP -- need in second row after stats at the end of search. For this reason I was thinking to run the 2nd search with a dynamic field (latest) which will be calculated in the main search and it will search in the DNS only up to the last time this user used this IP address. The Great Resilience Quest: Leaderboard 7. Hi, I am trying to get a list of workstations trying to connect to malicious DNS using PaloAlto and SYSMON logs. g. Hey all, this one has be stumped. 30. 1. It sounds like you're looking for a subsearch. However, in this case the answer was not "here's an answer that works for version X" or "you can't do this in version X and below" (in which case downvoting would have been incorrect) but the answer was "there is not a solution to this problem. I am not sure if a multi-search is the best approach, or using append vs join vs subsearch. BrowserichgallowaySplunkTrust. I currently try to do a splunk auditing by searching which user logged into the system using some sort of useragent and so on. The event time from both searches occurs within 20 seconds of each other. If you want to learn more about this you can go through this blog Splunk Search Commands. ravi sankar. You can use the join command to combine the results of a main search (left-side dataset) with the results of either another dataset or a subsearch (right-side dataset). Description The multisearch command is a generating command that runs multiple streaming searches at the same time. I tried the below query but it results 0 events: Index=A sourcetype=signlogs outcome=failure. TPID=* CALFileRequest. I also need to find the total hits for all the matched ipaddress and time event. Here is how I would go about it; search verbose to try an get to a single record of source you are looking to join. I want to join both search queries to get complete resu. The join command is a centralized streaming command, which means that rows are processed one by one. . The results will be formatted into something like (employid=123 OR employid=456 OR. It is built of 2 tstat commands doing a join. Description: The traditional join command joins the results from the main results pipeline with the search pipeline results provided as the last argument. In general is there any way to dynamically manipulate from the main search the time range (earliest latest) that the 2nd search will. The first part of the output table (start, end connId, clientIP) gives 9 lines from Search 1. Please check the comment section of the questionboth the above queries work individually but when joined as below. The difference between an inner and a left (or outer) join is how the events are treated in the main search that do not match any of the events in the subsearch. I have two searches which have a common field say, "host" in two events (one from each search). and Field 1 is common in . Auto-suggest helps you quickly narrow down your search results by suggesting possible. 0, the Splunk SOAR team has been hard at work implementing new. 17 - 8. I do not know what the protocol part comes from. These commands allow Splunk analysts to. 20. message = "STORE*") and (sourcetype="snow:incident" dv_opened_by=OPSGenieIntegration) - all within the second search. This tells the program to find any event that contains either word. Subsearches are enclosed in square brackets [] and are always executed first. Each query runs fine by itself, but joining them fails. My 2nd search gives me the events which will only come in case of Logged in customer. ip,Table2.