Splunk Enterprise

How to use a field value to search _raw?

brentrmc
Explorer

I have a subsearch, and am trying to use the value of a field I extracted in an inner search, to check if that value exists anywhere in _raw for the results of my outer search.

Current search:

index=my_index 
| append 
    [ searchindex=my_index  "RecievedFileID"
    | rex field=_raw  "RecievedFileID\s(?<file_id>\w*)" 
    | fields file_id ] 
| search file_id

 

I can confirm the regex is working, but cant figure out how to check _raw for any presence of the value of file_id. The logic I'm looking for on the last line is essentially

| where _raw contains the value of file_id

 

Any assistance is appreciated.

Labels (1)
Tags (1)
0 Karma

PickleRick
SplunkTrust
SplunkTrust

https://docs.splunk.com/Documentation/SplunkCloud/latest/Search/Changetheformatofsubsearchresults

Having said that - are you aware what is the difference between

search ABC

and

search _raw=*ABC*
0 Karma

brentrmc
Explorer

Thanks, I'm working on trying format command. I can confirm that I get file_id back, but cannot figure out how to search the raw events for the values of that field.

I can run | search ABC or | search _raw=*ABC* and get the correct results in my case, because of how it is logged.  But what if ABC is a field value, say in a field called letters? How can I search _raw = values(letters) or  _raw = 'letters'

0 Karma

PickleRick
SplunkTrust
SplunkTrust

I asked if you know the difference. The results might be the same but performance is vastly different.

With field contents you simply search for "field=value" as long as this value is extracted.

0 Karma

brentrmc
Explorer

Yes, I know the difference.

The problem lies in that the field can only be extracted from the first event in the source, because the first event always has the same predictable format

Subsequent events in the same source have the same field value present, but each in a unpredictable location and unpredictable number of events.

So I cannot use a single field extraction to grab it everywhere, and hence why I have to extract it from the first event, and then search _raw if the value of that first extracted field exists anywhere in the rest of the events.

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Without knowing your data we can't really offer any reasonable advice but I suspect that it could just be resolved by proper data onboarding. (unless your events are really _completely_ unstructured).

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...