topic Re: How to create a subsearch with multiple results? in Splunk Search

How to create a subsearch with multiple results?

trucall — Wed, 12 Jun 2019 07:07:45 GMT

Hi,

I've a question about sub search, I'm probably misunderstanding docs and other posts.

This is my search:

index=MyIndex [ search index=MyIndex host=as-x | rex " info about (?[A-Z0-9]+)"| rename objectId as search  ] stringFilter

The subsearch, executed as a normal search, produce many results, so many objectId.

My expectations is that the final search is like this below:

index=MyIndex (objectId-1 OR objectId-2 OR objectId-3)  stringFilter

The behavior is different, only one objectId is used to search and the final search is similar to this:

index=MyIndex (objectId-1)  stringFilter

I don't understand why and what I need to change in order to process all objects of subsearch resultset.

Thanks for any kind help

Marcello

Re: How to create a subsearch with multiple results?

FrankVl — Wed, 12 Jun 2019 12:53:00 GMT

Probably because your subsearch does not have any transforming commands. I think the following should work:

index=MyIndex [ search index=MyIndex host=as-x | rex " info about (?<objectId>[A-Z0-9]+)"| stats values(objectId) as search | eval search = mvjoin(search," OR ") ] stringFilter

Note: if you make sure objectId is properly extracted (so you don't need rex for it), you can simply do:

index=MyIndex [ search index=MyIndex host=as-x | fields objectId | dedup objectId | format ] stringFilter

Re: How to create a subsearch with multiple results?

woodcock — Wed, 12 Jun 2019 22:11:39 GMT

You are taking over too much control and doing it all wrong. Start with this:

index=MyIndex host=as-x | rex " info about (?[A-Z0-9]+)" | stats count BY objectId

See what this produces and then switch to this:

index=MyIndex host=as-x | rex " info about (?[A-Z0-9]+)" | stats count BY objectId | fields - count | format

See what this produces and then switch to this:

index=MyIndex host=as-x | rex " info about (?[A-Z0-9]+)" | stats count BY objectId | fields - count | format "(" "" "" "" "OR" ")" | rex field=search mode=sed "s/objectId =//g"

See what this produces and then switch to this:

index=MyIndex [ search index=MyIndex host=as-x | rex " info about (?[A-Z0-9]+)" | stats count BY objectId | fields - count | format "(" "" "" "" "OR" ")" | rex field=search mode=sed "s/objectId =//g" ] stringFilter

Re: How to create a subsearch with multiple results?

FrankVl — Thu, 13 Jun 2019 07:07:41 GMT

Using format will result in the subsearch returning something like (objectId="123" OR objectId="456"), which wont work given that objectId apparently is not an extracted field. He wants the subsearch to only return the values, to then work as a string filter.

Re: How to create a subsearch with multiple results?

woodcock — Thu, 13 Jun 2019 21:21:40 GMT

Ah, based on this clarification, I have modified my original answer above.

Re: How to create a subsearch with multiple results?

FrankVl — Fri, 14 Jun 2019 06:28:07 GMT

I trust you meant | rex field=search mode=sed "s/objectId=//g" 🙂

Re: How to create a subsearch with multiple results?

woodcock — Fri, 14 Jun 2019 14:56:26 GMT

ARGH! Yes, you are right (I edited and fixed that, too). I was using a run-anywhere search to test but forgot to convert that part when I posted the answer. Thank you for grading my papers.

Re: How to create a subsearch with multiple results?

woodcock — Sat, 15 Jun 2019 22:20:31 GMT

Yo mcfly, @trucall, we've got answers for you, did anything work?