How do you get around the subsearch limitation whe...

splunk_svc · ‎03-12-2017

Hi Splunkers.

I am retrieving a field from JSON log file using rex, table and spath.
Although this runs fine as a standard query, I'm not be able to turn this into an eventtype due to the restriction on subsearches when defining an event type's query.

Here's my query:
index=my_index "lane" |rex "^(?:[^ \n]* ){7}(?P.+)"|table my_data|spath input=my_data | fields lane

I am trying to create an event type of "lane" from this but of course cannot due to the subquery limitation.
I'm sure there is a way around this limitation but I've not been able to find it.
Don't seem to have found anything similar post on here either.

How does one get the output of this into an eventtype??

Thanks.

woodcock · ‎03-13-2017

The problem is the pipes, not eventtypes. But let's back up. Why do you think you need an eventtype? What is your overall end goal?

woodcock · ‎03-13-2017

The problem is the pipes, not eventtypes.

lguinn2 · ‎03-12-2017

The rules for an eventtype actually says

You cannot base an event type on a search that:

Includes a pipe operator after a simple search.
Includes a subsearch.

So you will need to remove ALL of the commands after the base search. First, the table and fields commands are adding nothing to your eventtype and can simply be deleted. The field extractions performed by the rex and spath commands should be coded into props.conf for the sourcetype. You will find some information about how to do this if you read the documentation for the spath and rex commands. Here is another list of references for field extraction.

Finally, why do you need an eventtype? Perhaps a macro would serve you better, as it does not have these restrictions.

splunk_svc · ‎03-12-2017

BTW, using Splunk v6.2.6

How do you get around the subsearch limitation when defining events?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!