Subsearch not Working

Makinde — Thu, 21 Jul 2016 21:01:38 GMT

I believe I fully understand the concept of subsearches and have used it a few times perfectly, however, I can't get it to work in this instance.

Below is my search string;

index=main sourcetype="linux:audit" [ search index=main sourcetype="linux:audit" key=CFG_Oracle | return msg ]

The idea here is to search index=main and sourcetype=linux:audit, for any event with key=CFG_oracle, then for those events return the values of the msg field after which the msg values should be searched in index=main and sourcetype=linux:audit and return those events.

However when I run this search, I get all events with keys other than CFG_Oracle, however when I tun the sub-search on it's own I get the desired result, I am not sure why this isn't working properly as a sub-search.

Any ideas?

Re: Subsearch not Working

somesoni2 — Thu, 21 Jul 2016 21:10:28 GMT

Try like this

index=main sourcetype="linux:audit" [ search index=main sourcetype="linux:audit" key=CFG_Oracle | stats count by msg | table msg]

Re: Subsearch not Working

Makinde — Thu, 21 Jul 2016 21:15:58 GMT

Thanks Somesoni2

topic Re: Subsearch not Working in Splunk Search

Subsearch not Working

Re: Subsearch not Working

Re: Subsearch not Working