I have a subsearch, and am trying to use the value of a field I extracted in an inner search, to check if that value exists anywhere in _raw for the results of my outer search.
Current search:
index=my_index
| append
    [ search index=my_index "RecievedFileID"
      | rex field=_raw "RecievedFileID\s(?<file_id>\w*)"
      | fields file_id ]
| search file_id
I can confirm the regex is working, but can't figure out how to check _raw for any presence of the value of file_id. The logic I'm looking for on the last line is essentially
| where _raw contains the value of file_id
Any assistance is appreciated.
https://docs.splunk.com/Documentation/SplunkCloud/latest/Search/Changetheformatofsubsearchresults
Having said that - are you aware of the difference between
search ABC
and
search _raw=*ABC*
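Added example (not part of the thread, and not the answerer's own search): three ways to get the extracted value into the outer search, written against the same index, string and field names the question uses (`my_index`, `RecievedFileID`, `file_id`). The grouping by `source` in the last variant is an assumption, since the thread only says the value comes from "the first event in the source".

```spl
index=my_index
    [ search index=my_index "RecievedFileID"
      | rex field=_raw "RecievedFileID\s(?<file_id>\w*)"
      | head 1
      | return $file_id ]

index=my_index
    [ search index=my_index "RecievedFileID"
      | rex field=_raw "RecievedFileID\s(?<file_id>\w*)"
      | head 1
      | eval search="_raw=*" . file_id . "*"
      | fields search ]

index=my_index
| rex field=_raw "RecievedFileID\s(?<file_id>\w*)"
| eventstats earliest(file_id) AS file_id BY source
| where like(_raw, "%" . file_id . "%")
```

The first search uses `return $file_id`, which emits the bare value rather than `file_id="<value>"`, so the outer search becomes `index=my_index <value>`: a token match against the index, which is the fast form the answer above is pointing at. The second search builds a field literally named `search`, which subsearch formatting inserts as-is, giving `index=my_index _raw=*<value>*`; this catches the value embedded inside longer tokens but forces a full raw-event scan, so use it only when the token form misses events. The third search avoids the subsearch entirely: the `rex` only populates `file_id` on the predictable first event, `eventstats earliest(...) BY source` copies that value onto every other event from the same source, and `where like(...)` keeps the events whose raw text contains it. That one is a `where` over all events rather than an index lookup, so it costs about the same as the wildcard form but works when several sources each carry their own ID.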
Thanks, I'm working on trying format command. I can confirm that I get file_id back, but cannot figure out how to search the raw events for the values of that field.
I can run | search ABC or | search _raw=*ABC* and get the correct results in my case, because of how it is logged. But what if ABC is a field value, say in a field called letters? How can I search _raw = values(letters) or _raw = 'letters'?
I asked if you know the difference. The results might be the same but performance is vastly different.
With field contents you simply search for "field=value" as long as this value is extracted.
Yes, I know the difference.
The problem lies in that the field can only be extracted from the first event in the source, because the first event always has the same predictable format.
Subsequent events in the same source have the same field value present, but each in an unpredictable location and an unpredictable number of events.
So I cannot use a single field extraction to grab it everywhere, which is why I have to extract it from the first event and then search _raw to see if the value of that first extracted field exists anywhere in the rest of the events.
Without knowing your data we can't really offer any reasonable advice but I suspect that it could just be resolved by proper data onboarding. (unless your events are really _completely_ unstructured).