https://community.splunk.com/t5/Splunk-Search/stuck-on-a-subsearch/m-p/375999#M110468 <P>Can you convert to answer?</P> Mon, 07 May 2018 20:33:04 GMT dbcase 2018-05-07T20:33:04Z https://community.splunk.com/t5/Splunk-Search/stuck-on-a-subsearch/m-p/375995#M110464 <P>Hi,</P> <P>I have this query, what I'm trying to do is pull the mac address out of events with a 405 error dedup them then put them in a table. Then taking that table search the same index and match on mac address and pull out the external account id and finally put the mac address and external account id in a table. I can break apart the query and it seems to work, just not working when I put it together. Thoughts?</P> <PRE><CODE>index=blah source="/var/nfs/SAT_SplunkLogs/wscvr/blah_portal*" [search index=blah source="/var/nfs/SAT_SplunkLogs/wscvr/blah_portal*" 405|rex "deviceregistry.(?&lt;mac&gt;[a-fA-F0-9\.:-]{12,17})"|dedup mac|table mac] |rex ".macAddress.:.(?&lt;mac&gt;[a-fA-F0-9\.:-]{12,17})"|rex "externalAccountId...(?&lt;extref&gt;\d+)"|table extref|where len(extref)&lt;10|table mac extref </CODE></PRE> Mon, 07 May 2018 19:59:35 GMT https://community.splunk.com/t5/Splunk-Search/stuck-on-a-subsearch/m-p/375995#M110464 dbcase 2018-05-07T19:59:35Z https://community.splunk.com/t5/Splunk-Search/stuck-on-a-subsearch/m-p/375996#M110465 <P>failed attempt #2</P> <PRE><CODE>index=blah source="/var/nfs/SAT_SplunkLogs/wscvr/blah_portal*" [search index=blah source="/var/nfs/SAT_SplunkLogs/wscvr/blah_portal*" 405|rex "deviceregistry.(?&lt;mac&gt;[a-fA-F0-9\.:-]{12,17})"|dedup mac|table mac] |rex ".macAddress.:.(?&lt;mac&gt;[a-fA-F0-9\.:-]{12,17})"|rex "externalAccountId...(?&lt;extref&gt;\d+)"|where len(extref)&lt;10| stats list(extref) AS "External Reference", values(mac) AS "Mac Address" BY mac </CODE></PRE> Mon, 07 May 2018 20:19:47 GMT https://community.splunk.com/t5/Splunk-Search/stuck-on-a-subsearch/m-p/375996#M110465 dbcase 2018-05-07T20:19:47Z https://community.splunk.com/t5/Splunk-Search/stuck-on-a-subsearch/m-p/375997#M110466 <P>Try this</P> <PRE><CODE>index=blah source="/var/nfs/SAT_SplunkLogs/wscvr/blah_portal*"|rex ".macAddress.:.(?&lt;mac&gt;[a-fA-F0-9\.:-]{12,17})" | search [search index=blah source="/var/nfs/SAT_SplunkLogs/wscvr/blah_portal*" 405|rex "deviceregistry.(?&lt;mac&gt;[a-fA-F0-9\.:-]{12,17})"|dedup mac|table mac] |rex "externalAccountId...(?&lt;extref&gt;\d+)"|where len(extref)&lt;10| stats list(extref) AS "External Reference", values(mac) AS "Mac Address" BY mac </CODE></PRE> Mon, 07 May 2018 20:27:40 GMT https://community.splunk.com/t5/Splunk-Search/stuck-on-a-subsearch/m-p/375997#M110466 somesoni2 2018-05-07T20:27:40Z https://community.splunk.com/t5/Splunk-Search/stuck-on-a-subsearch/m-p/375998#M110467 <P>ahhhh search then [search</P> <P>Thanks Somesoni2!!!</P> Mon, 07 May 2018 20:32:29 GMT https://community.splunk.com/t5/Splunk-Search/stuck-on-a-subsearch/m-p/375998#M110467 dbcase 2018-05-07T20:32:29Z https://community.splunk.com/t5/Splunk-Search/stuck-on-a-subsearch/m-p/375999#M110468 <P>Can you convert to answer?</P> Mon, 07 May 2018 20:33:04 GMT https://community.splunk.com/t5/Splunk-Search/stuck-on-a-subsearch/m-p/375999#M110468 dbcase 2018-05-07T20:33:04Z