topic How to replace subsearch to achieve the same result? in Splunk Search

How to replace subsearch to achieve the same result?

peterfox1992 — Wed, 23 Mar 2022 13:30:55 GMT

Hi Folks,

I'm using a query like below. But since subsearch returns more than 10K events, I'm not getting the expected result.

Can someone advise me if there is an alternate way to replace subsearch and to achieve the expected result?

index="foo" sourcetype="xyz" user!="abc" method=POST (url="*search*aspx*" AND code!=302 AND code!=304 AND code!=401 AND code!=403 AND code!=0) [search index="foo" method_name=pqr message="*Response Time for method pqr*" | fields uniqid]
| eval hour=strftime(_time,"%H") | where hour >=7 AND hour <=19
| timechart span=1d count(eval(time_took)) as Total , count(eval(time_took<2000)) as Success, count(eval(time_took>2000)) as misses | sort by "_time" desc

Thanks in advance for the help.

Re: How to replace subsearch to achieve the same result?

ITWhisperer — Wed, 23 Mar 2022 14:35:44 GMT

Try something like this:

index="foo" (sourcetype="xyz" user!="abc" method=POST (url="*search*aspx*" AND code!=302 AND code!=304 AND code!=401 AND code!=403 AND code!=0) OR (method_name=pqr message="*Response Time for method pqr*") | eval filterer=if(searchmatch(method_name=pqr) AND searchmatch(message="*Response Time for method pqr*"),1,null()) | eventstats values(filterer) as filtered by uniqid | where filtered=1 AND isnull(filterer) | eval hour=strftime(_time,"%H") | where hour >=7 AND hour <=19 | timechart span=1d count(eval(time_took)) as Total , count(eval(time_took<2000)) as Success, count(eval(time_took>2000)) as misses | sort by "_time" desc

Re: How to replace subsearch to achieve the same result?

peterfox1992 — Wed, 23 Mar 2022 15:07:17 GMT

Thanks @ITWhisperer for the reply.

I noticed few issues while running the query.

i) Open bracket before sourcetype="xyz" May I know where should I need to close the bracket.

(sourcetype="xyz"

Also getting below error in the eval command.

Error in 'eval' command: The arguments to the 'searchmatch' function are invalid.

Thanks once again.

Re: How to replace subsearch to achieve the same result?

ITWhisperer — Wed, 23 Mar 2022 15:15:53 GMT

Try it like this

index="foo" (sourcetype="xyz" user!="abc" method=POST (url="*search*aspx*" AND code!=302 AND code!=304 AND code!=401 AND code!=403 AND code!=0)) OR (method_name=pqr message="*Response Time for method pqr*") | eval filterer=if(match(method_name,"pqr") AND match(message,"Response Time for method pqr"),1,null()) | eventstats values(filterer) as filtered by uniqid | where filtered=1 AND isnull(filterer) | eval hour=strftime(_time,"%H") | where hour >=7 AND hour <=19 | timechart span=1d count(eval(time_took)) as Total , count(eval(time_took<2000)) as Success, count(eval(time_took>2000)) as misses | sort by "_time" desc

Re: How to replace subsearch to achieve the same result?

peterfox1992 — Wed, 23 Mar 2022 15:27:23 GMT

Thanks @ITWhisperer , I tried but once again an error in eval.

Error in 'eval' command: Regex: quantifier does not follow a repeatable item

Re: How to replace subsearch to achieve the same result?

ITWhisperer — Wed, 23 Mar 2022 15:33:40 GMT

What exactly do you have in your eval command?

Re: How to replace subsearch to achieve the same result?

peterfox1992 — Wed, 23 Mar 2022 17:16:53 GMT

This is the exact eval command which I'm using.

eval filterer=if(match(method_name,"pqr") AND match(message,"*Response Time for pqr*"),1,null())

Re: How to replace subsearch to achieve the same result?

ITWhisperer — Wed, 23 Mar 2022 16:58:12 GMT

Remove the * from the beginning and end of the match string (as I showed in my example!)

Re: How to replace subsearch to achieve the same result?

peterfox1992 — Wed, 23 Mar 2022 17:18:06 GMT

Thanks a lot @ITWhisperer

It worked 🙂 Much Appreciate for you patience and guidance. Cheers!