I have an SQL database and a Splunk instance to receive data. Data is imported into Splunk and the SQL database at the same time, and screening the data with an SQL query is feasible. I use this SQL query:

    SELECT name
    FROM processes
    WHERE pid=(SELECT parent FROM processes WHERE LOWER(name)='services.exe');

@to4kawa I want to use the same criteria to filter data on Splunk, but I don't know what to do with the search commands.

"The data is .jason" → "The data is .json". Sorry, I misspelled it!!! It means that the data passed into Splunk is in .json file format, and the fields are resolved by Splunk automatically. I brought this up because I'm not sure whether the data type of the field will affect match.

First of all, thank you very much for your help!!! Your answer can filter the data, but the data filtered out is not the same as that of the SQL query. I found that "match" is a partial match, not a full match, so the data filtering is inconsistent.

Examples:

    Name             pid   parent
    csrss.exe        568   552
    fontdrvhost.exe  564   756
    lsass.exe        712   556
    lsass.exe        728   572
    services.exe     712   564
    services.exe     716   568
    services.exe     836   712
    svchost.exe      712   716
    wininit.exe      564   468
    wininit.exe      568   472
    wininit.exe      1712  592

Results of the SQL query:

    Name             pid   parent
    csrss.exe        568   552
    fontdrvhost.exe  564   756
    lsass.exe        712   556
    services.exe     712   564
    svchost.exe      712   716
    wininit.exe      564   468
    wininit.exe      568   472

Using the Splunk search:

    index=processes | eventstats values(eval(if(name="services.exe",NULL,parent))) as parent_id
    | table name pid parent parent_id
    | where match(parent_id,pid)
    | fields - parent_id

Results of the Splunk search:

    Name             pid   parent  parent_id
    csrss.exe        568   552
    fontdrvhost.exe  564   756
    lsass.exe        712   556
    lsass.exe        728   572
    services.exe     712   564
    services.exe     716   568
    services.exe     836   712
    svchost.exe      712   716
    wininit.exe      564   468
    wininit.exe      568   472
    wininit.exe      1712  592

The filtered results show all the data. I'm trying to change the filters as follows:

    index=processes | eventstats values(eval(if(name="services.exe",NULL,parent))) as parent_id
    | table name pid parent parent_id
    | where match(parent_id,pid)
    | fields - parent_id

Results of the Splunk search:

    Name             pid   parent  parent_id
    csrss.exe        568   552     552
    fontdrvhost.exe  564   756     756
    lsass.exe        712   556     556
    services.exe     712   564     564
    svchost.exe      712   716     716
    wininit.exe      564   468     468
    wininit.exe      568   472     472
    wininit.exe      1712  592     592

The screening results contain one more row of data (the one marked in red) than the SQL query.
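To show why the Splunk results differ from the SQL results, here is an added Python example (not from the original post) that runs the post's sample table through three filters: exact pid equality as the SQL sub-select does, an unanchored regex search as a regex-based match() does, and an anchored regex that restores the SQL semantics. The table is copied from the post; the function names are my own.

```python
import re

# Sample rows (name, pid, parent), copied from the post's example table.
PROCESSES = [
    ("csrss.exe", 568, 552),
    ("fontdrvhost.exe", 564, 756),
    ("lsass.exe", 712, 556),
    ("lsass.exe", 728, 572),
    ("services.exe", 712, 564),
    ("services.exe", 716, 568),
    ("services.exe", 836, 712),
    ("svchost.exe", 712, 716),
    ("wininit.exe", 564, 468),
    ("wininit.exe", 568, 472),
    ("wininit.exe", 1712, 592),
]


def parents_of(rows, name="services.exe"):
    """Parent PIDs of every process called `name` (the SQL sub-select)."""
    return {parent for n, _, parent in rows if n.lower() == name}


def sql_semantics(rows):
    """Exact equality: keep rows whose pid is one of the collected parents."""
    wanted = parents_of(rows)
    return [(n, pid, parent) for n, pid, parent in rows if pid in wanted]


def regex_partial_match(rows):
    """Unanchored regex search: the pattern 712 also hits the pid 1712."""
    patterns = [str(p) for p in parents_of(rows)]
    return [(n, pid, parent) for n, pid, parent in rows
            if any(re.search(pat, str(pid)) for pat in patterns)]


def regex_anchored_match(rows):
    """Anchored regex (^...$): the whole pid must equal the parent value."""
    patterns = [f"^{p}$" for p in parents_of(rows)]
    return [(n, pid, parent) for n, pid, parent in rows
            if any(re.search(pat, str(pid)) for pat in patterns)]


if __name__ == "__main__":
    print("SQL rows:     ", len(sql_semantics(PROCESSES)))
    print("partial rows: ", len(regex_partial_match(PROCESSES)))
    print("anchored rows:", len(regex_anchored_match(PROCESSES)))
```

The unanchored search returns the extra wininit.exe 1712 row because the substring 712 occurs inside 1712; anchoring the pattern removes it and yields exactly the seven SQL rows.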