- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, you would use a subsearch. The subsearch is evaluated first, and is treated as a boolean AND to your base search.
Example:
sourcetype=ps [search bash_command=kill* | fields ps]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Note: the the subsearch (child search) will append PID=### to the primary (parent search) where ### is the PID digits. If the parent search does not know what the field PID is, it won't work. I made some minor tweaks to the regex. Also typesource should be "sourcetype".
sourcetype=ps [ search bash_command=kill* | rex field=bash_command "kill\s+(?<PID>\d+)" | dedup PID | fields PID ]
you could do a manual test of the primary search by hard coding the PID you are looking for as a test. If the manual test doesn't work, then the dynamic sub search won't work.
i.e.
sourcetype=ps PID="###"
Alternate search which will just search for the PID as a string instead of as a field. Might result in false positive matches.
sourcetype=ps [ search bash_command=kill* | rex field=bash_command "kill\s+(?<PID>\d+)" | dedup PID | fields PID | rename PID as search ]
More or less equivalent to a manual search of
sourcetype=ps "###"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks a lot
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello again,
I have this:
(sourcetype=ps) | search [search bash_command=kill* | rex field=bash_command "kill (?.+[0-9])" | dedup PID |fields PID ]
But don't work, i now i need split PID, but, i want first somo data
thanks a lot to rob_jordan and masonmorales
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Glad it worked out. Could you click "Accept Answer" please?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it is not working well, i want to search the process was killed in typesouce ps, but i can't do it
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you post sample data from each source please?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, you would use a subsearch. The subsearch is evaluated first, and is treated as a boolean AND to your base search.
Example:
sourcetype=ps [search bash_command=kill* | fields ps]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you just have change typesource for sourcetype
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, sorry, I thought "typesource" was a field extraction that you had. If your sourcetype is called "ps" then it is "sourcetype=ps [search bash_command=kill* | fields ps]"
My apologies for any confusion that may have caused.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think this post may help you.
