topic Re: How could we use one search results in another search using subsearch query? in Splunk Search

How could we use one search results in another search using subsearch query?

pinpra — Tue, 18 Jul 2017 11:23:16 GMT

Query :

index="heroku_secure_uat" host="messaging-service-uat.herokuapp.com" [search event_name=email OR event |where NOT LIKE(person_id,"%WF%")| stats dc(person_id)]| rex "(?\{.*)" | spath input=json_data

Result :

172cd733-beec-490f-8f53-dbe68166bb33
3874287d5dfb468187f5a42251214d15
40c5778a-152c-40db-bf85-24c8aec427de
5678c76c-e689-4712-a8fb-85e5e0c5097f
618bd8ea-59dc-485f-a0a3-908adb804443
6618bb54-73fd-4d13-b2e2-72e18171a904
6f196d9397a64b0cb62196efd1d82309
724ad888-cbd4-483f-91b3-01a95809ad7b
9bd90012-f4e8-4bc2-b149-d63219aab343
9e9f0ec6-899e-43a8-b1e3-ca158516b6fe
WF-172cd733-beec-490f-8f53-dbe68166bb33\u0026token=-YIg4amu7FD76T2XGfd2-w
WF-5678c76c-e689-4712-a8fb-85e5e0c5097f\u0026token=CycW6z87l5wFBjPlSQ2anQ
WF-5678c76c-e689-4712-a8fb-85e5e0c5097f\u0026token=fqlqHuY284bpCU180o3jLw
WF-5678c76c-e689-4712-a8fb-85e5e0c5097f\u0026token=hDLTqEqQwAabP5bXaqajJA
WF-5678c76c-e689-4712-a8fb-85e5e0c5097f\u0026token=jU7sWgFiyNJ6DeYFp5kkhA
WF-5678c76c-e689-4712-a8fb-85e5e0c5097f\u0026token=ta-NduNrMOUGqjbPUMbACA
WF-bdd32edb-7ec0-43ca-9457-2fe6f74c294a\u0026token=aE1qDEBT0AE0tneHlyHecA
b800274d-d134-48d9-973f-0c9361a615a6
bdd32edb-7ec0-43ca-9457-2fe6f74c294a

I need to use this above result again in same query to get those records count which are not starting with "WF-".

Please suggest .

Any help will be appreciated.

Re: How could we use one search results in another search using subsearch query?

cmerriman — Tue, 18 Jul 2017 11:39:41 GMT

so you want to add these results into a subquery or you want to filter out the WF- results and add the others to the subquery? what are you adding the subquery to? you can just add |format to the end of your query above and encase the whole search in square brackets and it will format it how you need.

index=newIndex [search index="heroku_secure_uat" host="messaging-service-uat.herokuapp.com" [search event_name=email OR event |where NOT LIKE(person_id,"%=%")| stats dc(person_id)]| rex "(?{.*)" | spath input=json_data|format]

Re: How could we use one search results in another search using subsearch query?

pinpra — Tue, 18 Jul 2017 12:17:08 GMT

@cmerriman
I want to filter out those results which are not starting from "WF-".
Thanks.

Re: How could we use one search results in another search using subsearch query?

pinpra — Tue, 18 Jul 2017 12:34:25 GMT

@cmerriman
When I run your query . It gives below error:

Error in 'rex' command: Encountered the following error while compiling the regex '(?{.*)': Regex: unrecognized character after (? or (?-

Regards.

Re: How could we use one search results in another search using subsearch query?

somesoni2 — Tue, 18 Jul 2017 14:21:57 GMT

Try like this

your current search
| where NOT like(YourFieldName,"WF-%")
| stats count

Re: How could we use one search results in another search using subsearch query?

pinpra — Tue, 18 Jul 2017 17:38:07 GMT

@somesoni2
I have updated my post.

I have got above result by executing posted query and now I need to filter those records which are not starting with "WF-".

It should be like subquery but not sure how to do this.

Re: How could we use one search results in another search using subsearch query?

somesoni2 — Tue, 18 Jul 2017 18:33:26 GMT

If you just want to filter records which do not start with "WF-" (assuming that's a field whose value is used for filtering), then you can just include the where clause from my answer. Be sure to update the YourFieldName with actual field name. Since you're filtering within same resultset, you don't need a subsearch. If this is not the case may be explain more, may be some sudo code depicting your requirement.

Re: How could we use one search results in another search using subsearch query?

DalJeanis — Tue, 18 Jul 2017 20:55:55 GMT

It's not a subquery, it's just a simple filter on your existing results. somesoni2 gave you one way. You would just add those last two lines on the end of your query, changing YourFieldName to match the actual field name.

One thing - please mark your code when you post it, for instance with the code button 101 010, so that the interface will not strip out html-like parts of your code.

However, I really don't believe that code got that result. It should be more like this...

 index="heroku_secure_uat" host="messaging-service-uat.herokuapp.com" 
 event_name=email OR event  
 | rex "(?<json_data>{.*)"
 | spath input=json_data
 | where NOT like(person_id,"%WF%")
 | table person_id

...and there's something vaguely wrong with the second line event_name=email OR event