Hello, I am looking to create a Boolean logic validation checker for a match. I am attempting to use makeresults in a sub search to create a field with a string I am looking for. Then I am using search to attempt to look for the newly created event but it doesn’t seem to be working.
“
index= test
[|makeresults count=1
| eval index=test
| eval command=“ping 8.8.8.8”
| table command]
| search ping AND 8
”
I'm not sure what you're trying to achieve.
After your subsearch runs and its results are substituted into the outer search you'll get
index=test command="ping 8.8.8.8" | search ping AND 8
I am not sure what this has to do with Boolean logic.
Are you searching for a field called command with the value "ping 8.8.8.8" or are you looking for the string "ping 8.8.8.8" in your events?
If ping AND 8 is valid Boolean, it would hit on ping 8.8.8.8.
"ping AND 8" is a valid Boolean expression and should "hit" on "ping 8.8.8.8"
Do you have examples where this doesn't work?
This example is valid. I am looking for a way to use splunk to make a Splunk log using makeresults to return the command of the Boolean is valid. So this is more of a “how do I search a makeresults event” using Boolean
I don't understand what you mean by “how do I search a makeresults event” - your search with a Boolean is being applied to the events returned from index=test which have been filtered by command="ping 8.8.8.8"
If you have events which you have created using makeresults, you can search them in the same way. The search command, as with any command, applies to the event pipeline, without knowledge of how the events in the pipeline were created
| makeresults
| fields - _time
| eval _raw="blah blah ping 8.8.8.8 blah blah"
| eval command="ping 8.8.8.8"
| search
[| makeresults
| eval command="ping 8.8.8.8"
| table command]
| search ping AND 8