Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Adjusting quotes from subquery using format

alancalvitti
Path Finder
‎12-11-2019 08:01 AM

I'd like to (1) use a subquery to extract a list of deviceId's then (2) search the same index for all events containing any of those devices returned by the subquery.

However, format puts quotes around each deviceId value only: deviceId="abc123" rather than around the equal sign: "deviceId=abc123" .

Consequently the outer search doesn't match any events, while the latter modified form does. Is there an option for format to adjust quotes accordingly? Concrete example (1)

index=myIndex DeviceLog | rex "(?i)deviceId=(?P<DevId>[^ ]+)" | stats values(DevId) as deviceId | format

returns a list of the form:

( ( ( deviceId="0002ac61d" OR deviceId="0003511e" ... OR deviceId="0006ecff" ) ) )

But the query/subquery combination doesn't match any events:

index=myIndex DeviceLog [search index=myIndex DeviceLog | rex "(?i)deviceId=(?P<DevId>[^ ]+)" | stats values(DevId) as deviceId | format]

I've also tried a subquery variation using return like this:

...| dedup DevId | return 100000 $DevId]

this almost works because it matches the deviceId values but doesn't match the key prefix deviceId= which can result in false positives (cookies caching device id's in different parts of the device log)

Tags (2)
0 Karma
Reply

to4kawa
Ultra Champion
‎12-11-2019 10:21 AM 
index=myIndex DeviceLog "deviceId="

Is this the same result?

Reply

alancalvitti
Path Finder
‎12-11-2019 11:40 AM

@to4kawa, can you be more specific as to where "deviceId=" in your answer should go? I tried it in the outer query like this index=myIndex DeviceLog "deviceId=" [search index=myIndex DeviceLog | rex ... but got zero matches.

0 Karma
Reply

alancalvitti
Path Finder
‎12-11-2019 12:10 PM

I see now it works with the last variation using return statement, thanks.

0 Karma
Reply

jacobpevans
Motivator
‎12-11-2019 12:35 PM

Don't forget to mark the answer if it helped you resolve your problem for others in the future.

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...