Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Adjusting quotes from subquery using format
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Adjusting quotes from subquery using format
I'd like to (1) use a subquery to extract a list of deviceId's then (2) search the same index for all events containing any of those devices returned by the subquery.
However, format puts quotes around each deviceId value only: deviceId="abc123" rather than around the equal sign: "deviceId=abc123" .
Consequently the outer search doesn't match any events, while the latter modified form does. Is there an option for format to adjust quotes accordingly? Concrete example (1)
index=myIndex DeviceLog | rex "(?i)deviceId=(?P<DevId>[^ ]+)" | stats values(DevId) as deviceId | format
returns a list of the form:
( ( ( deviceId="0002ac61d" OR deviceId="0003511e" ... OR deviceId="0006ecff" ) ) )
But the query/subquery combination doesn't match any events:
index=myIndex DeviceLog [search index=myIndex DeviceLog | rex "(?i)deviceId=(?P<DevId>[^ ]+)" | stats values(DevId) as deviceId | format]
I've also tried a subquery variation using return like this:
...| dedup DevId | return 100000 $DevId]
this almost works because it matches the deviceId values but doesn't match the key prefix deviceId= which can result in false positives (cookies caching device id's in different parts of the device log)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=myIndex DeviceLog "deviceId="
Is this the same result?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@to4kawa, can you be more specific as to where "deviceId=" in your answer should go? I tried it in the outer query like this index=myIndex DeviceLog "deviceId=" [search index=myIndex DeviceLog | rex ... but got zero matches.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I see now it works with the last variation using return statement, thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Don't forget to mark the answer if it helped you resolve your problem for others in the future.
Jacob
If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
SplunkTrust Application Period is Officially OPEN!
