Solved: Searching notable events in ES to match user field

marktechuk · ‎08-29-2019

Folks, I'm trying to match a field (user) from a search to see if any previous notable events ES have been generated for that use and output any match.

Cannot seem to get any output

Tried the below:

index=*** sourcetype=*** category="alerttype"| rex field=fieldWithUserID "(?[^:]+$)" | search [ search notable
| fields user dest
| format "(" "(" "OR" ")" "OR" ")"]

solarboyz1 · ‎08-29-2019

I think you are using the subsearch incorrectly:

The [subsearch] finds the users and uses that list as an OR seperated filter in the main search:

index=notable [ index=YOURINDEX  sourcetype=YOURSOURCETYPE category="alerttype"| rex field=fieldWithUserID "(?<user>[^:]+$)" | fields user | dedupe user ]

View solution in original post

marktechuk · ‎09-03-2019

great thanks, got it to work using your search. 5*

solarboyz1 · ‎08-29-2019

I think you are using the subsearch incorrectly:

The [subsearch] finds the users and uses that list as an OR seperated filter in the main search:

index=notable [ index=YOURINDEX  sourcetype=YOURSOURCETYPE category="alerttype"| rex field=fieldWithUserID "(?<user>[^:]+$)" | fields user | dedupe user ]

Searching notable events in ES to match user field

Your Guide to Splunk Digital Experience Monitoring

Data Management Digest – November 2025

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join the Conversation

Searching notable events in ES to match user field

Your Guide to Splunk Digital Experience Monitoring

Data Management Digest – November 2025

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA