topic Re: Subsearch to only return multiple field values in Splunk Search

Subsearch to only return multiple field values

SailorManDan — Sat, 14 Aug 2021 02:36:31 GMT

Hello,

I am trying to only return the values of certain fields to be used in a subsearch. The problem I'm encountering, is that I have multiple values from different fields which I want to extract.

I have 4 fields - src, src_port, dst, dst_port

If I table out the results and use format, my search reads as such:

"src"="<IP>" AND "src_port"="<port>" AND "dst"="<IP>" AND "dst_port"="<port>"

What I want is only the values:

"<ip>" AND "<port>" AND "<ip>" AND "<port>"

I've tried using:
return 10 $src $src_port $dst $dst_port
which gives me the desired output, but encases the entire output in one set of quotations and not individually as per the same output that would be created using the table command

I've also tried using:

eval query = src. " " .src_port. " " .dst. " " .dst_port

which gets me closer, but then outputs each four values encased within the quotations.

Can anyone help me out with the desired output?

Regards,

Dan

Re: Subsearch to only return multiple field values

dwaddle — Sat, 14 Aug 2021 15:03:21 GMT

The "query" field is special. Any field named "query" gets its field name stripped going through format. Try something like this:

The last 3 lines are the relevant part, makeresults is just there to help me mock up some stuff.

Re: Subsearch to only return multiple field values

SailorManDan — Sun, 15 Aug 2021 21:06:30 GMT

@dwaddle

That's got it!

This is precisely what I was going for.

Thanks for you help.

Re: Subsearch to only return multiple field values

dwaddle — Mon, 16 Aug 2021 22:43:28 GMT

groovy! please accept as solution?