How do I search results that depend on the subsearch being empty?

damucka — Tue, 27 Nov 2018 15:25:32 GMT

Hello,

I have following search:

index=mlbso sourcetype=BWP_hanatraces earliest=1543313122.531 latest=1543313122.537 [search index=mlbso sourcetype=BWP_hanatraces  "ALTER SYSTEM ALTER CONFIGURATION" earliest=1543313122.531 latest=1543313122.537 | rex field=_raw "(?i)(?<=configuration is changed by )(?P<CONNECTION_ID>(?s)(.*))(?=, client ip)" | return $CONNECTION_ID]

Now, it works fine when the subsearch returns a value back to the outer search.

However when the subsearch does not return anything back (no proper value is found) then the outer search is not restricted with the subsearch and it returns too many events.

How would I achieve the whole search returning no events based on the subsearch being empty?

Kind Regards,
Kamil

Re: How do I search results that depend on the subsearch being empty?

woodcock — Wed, 19 Dec 2018 22:57:19 GMT

Like this:

index=mlbso sourcetype=BWP_hanatraces earliest=1543313122.531 latest=1543313122.537
[search index=mlbso sourcetype=BWP_hanatraces  "ALTER SYSTEM ALTER CONFIGURATION" earliest=1543313122.531 latest=1543313122.537
| rex field=_raw "(?i)(?<=configuration is changed by )(?P<CONNECTION_ID>(?s)(.*))(?=, client ip)"
| appendpipe [|makeresults | eval CONNECTION_ID="THIS_STRING_WILL_NOT_BE_IN_ANY_OF_YOUR_EVENTS"]
| head 1
| return $CONNECTION_ID]

topic Re: How do I search results that depend on the subsearch being empty? in Monitoring Splunk

How do I search results that depend on the subsearch being empty?

Re: How do I search results that depend on the subsearch being empty?