Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Adjusting quotes from subquery using format

alancalvitti
Path Finder
‎12-11-2019 08:01 AM

I'd like to (1) use a subquery to extract a list of deviceId's then (2) search the same index for all events containing any of those devices returned by the subquery.

However, format puts quotes around each deviceId value only: deviceId="abc123" rather than around the equal sign: "deviceId=abc123" .

Consequently the outer search doesn't match any events, while the latter modified form does. Is there an option for format to adjust quotes accordingly? Concrete example (1)

index=myIndex DeviceLog | rex "(?i)deviceId=(?P<DevId>[^ ]+)" | stats values(DevId) as deviceId | format

returns a list of the form:

( ( ( deviceId="0002ac61d" OR deviceId="0003511e" ... OR deviceId="0006ecff" ) ) )

But the query/subquery combination doesn't match any events:

index=myIndex DeviceLog [search index=myIndex DeviceLog | rex "(?i)deviceId=(?P<DevId>[^ ]+)" | stats values(DevId) as deviceId | format]

I've also tried a subquery variation using return like this:

...| dedup DevId | return 100000 $DevId]

this almost works because it matches the deviceId values but doesn't match the key prefix deviceId= which can result in false positives (cookies caching device id's in different parts of the device log)

Tags (2)
0 Karma
Reply

to4kawa
Ultra Champion
‎12-11-2019 10:21 AM 
index=myIndex DeviceLog "deviceId="

Is this the same result?

Reply

alancalvitti
Path Finder
‎12-11-2019 11:40 AM

@to4kawa, can you be more specific as to where "deviceId=" in your answer should go? I tried it in the outer query like this index=myIndex DeviceLog "deviceId=" [search index=myIndex DeviceLog | rex ... but got zero matches.

0 Karma
Reply

alancalvitti
Path Finder
‎12-11-2019 12:10 PM

I see now it works with the last variation using return statement, thanks.

0 Karma
Reply

jacobpevans
Motivator
‎12-11-2019 12:35 PM

Don't forget to mark the answer if it helped you resolve your problem for others in the future.

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma
Reply
Get Updates on the Splunk Community!

Finding Based Detections General Availability

Overview  We’ve come a long way, folks, but here in Enterprise Security 8.4 I’m happy to announce Finding ...

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Hands-On Learning and Technical Seminars  Sometimes, you just need to see the code. For those looking for a ...

What’s New in Splunk Observability Cloud: January Feature Highlights & Deep Dives

Splunk Observability Cloud continues to evolve, empowering engineering and operations teams with advanced ...