topic Searching notable events in ES to match user field in Splunk Enterprise Security https://community.splunk.com/t5/Splunk-Enterprise-Security/Searching-notable-events-in-ES-to-match-user-field/m-p/469070#M7092 <P>Folks, I'm trying to match a field (user) from a search to see if any previous notable events ES have been generated for that use and output any match. </P> <P>Cannot seem to get any output </P> <P>Tried the below:</P> <P>index=*** sourcetype=*** category="alerttype"| rex field=fieldWithUserID "(?[^:]+$)" | search [ search <CODE>notable</CODE><BR /> | fields user dest <BR /> | format "(" "(" "OR" ")" "OR" ")"] </P> Thu, 29 Aug 2019 18:01:35 GMT marktechuk 2019-08-29T18:01:35Z Searching notable events in ES to match user field https://community.splunk.com/t5/Splunk-Enterprise-Security/Searching-notable-events-in-ES-to-match-user-field/m-p/469070#M7092 <P>Folks, I'm trying to match a field (user) from a search to see if any previous notable events ES have been generated for that use and output any match. </P> <P>Cannot seem to get any output </P> <P>Tried the below:</P> <P>index=*** sourcetype=*** category="alerttype"| rex field=fieldWithUserID "(?[^:]+$)" | search [ search <CODE>notable</CODE><BR /> | fields user dest <BR /> | format "(" "(" "OR" ")" "OR" ")"] </P> Thu, 29 Aug 2019 18:01:35 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Searching-notable-events-in-ES-to-match-user-field/m-p/469070#M7092 marktechuk 2019-08-29T18:01:35Z Re: Searching notable events in ES to match user field https://community.splunk.com/t5/Splunk-Enterprise-Security/Searching-notable-events-in-ES-to-match-user-field/m-p/469071#M7093 <P>I think you are using the subsearch incorrectly:</P> <P>The [subsearch] finds the users and uses that list as an OR seperated filter in the main search:</P> <PRE><CODE>index=notable [ index=YOURINDEX sourcetype=YOURSOURCETYPE category="alerttype"| rex field=fieldWithUserID "(?&lt;user&gt;[^:]+$)" | fields user | dedupe user ] </CODE></PRE> Thu, 29 Aug 2019 18:20:07 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Searching-notable-events-in-ES-to-match-user-field/m-p/469071#M7093 solarboyz1 2019-08-29T18:20:07Z Re: Searching notable events in ES to match user field https://community.splunk.com/t5/Splunk-Enterprise-Security/Searching-notable-events-in-ES-to-match-user-field/m-p/469072#M7094 <P>great thanks, got it to work using your search. 5*</P> Tue, 03 Sep 2019 15:47:35 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Searching-notable-events-in-ES-to-match-user-field/m-p/469072#M7094 marktechuk 2019-09-03T15:47:35Z