Hello,
Need some help here.
The goal is to pass one IP_Address found in the inner search to the outer search. The IP is correctly extracted, but I'm getting the following error from the "where" command and am clueless at this point.
Here's the error: Error in 'where' command: The operator at '10.132.195.72' is invalid.
And here's the search:
index=ipam sourcetype=data earliest=-48h latest=now()
| where cidrmatch(name, IP_Address)
[ search index=networksessions sourcetype=microsoft:dhcp (Description=Renew OR Description=Assign OR Description=Conflict) earliest=-15min latest=now()
| head 1
| return ($IP_Address) ]
Thank you, but no go here, unfortunately. appendcols has to be used after stats, timechart or chart (error generated by Splunk).
Try adding stats count by _raw?
Nope, the error is of course gone, but no results from the search; when running both searches separately, manually passing the results from inner to outer, I do get results.
Try stats values(*) as * values(_*) as _* by _raw
This worked! Thank you.
Now questions:
Would appreciate some insight on these 2 questions.
Best regards, Pavel.
| where cidrmatch(name,IP_Address) 10.132.195.72
which is what the error message was saying was wrong. Perhaps
| where cidrmatch(name, [inner search | return ($IP_Address)] )
might have worked but I haven't seen this syntax used before.
Try something like this
index=ipam sourcetype=data earliest=-48h latest=now()
| appendcols
[ search index=networksessions sourcetype=microsoft:dhcp (Description=Renew OR Description=Assign OR Description=Conflict) earliest=-15min latest=now()
| head 1
| table IP_Address ]
| filldown IP_Address
| where cidrmatch(name, IP_Address)
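The thread confirms two separate pieces (the stats reshaping from one reply, the appendcols/filldown pattern from another) but never shows them joined. The following is an added example, not a search posted by anyone in the thread; it assumes the stats line belongs in the outer search before appendcols, which is the ordering the reporter's "appendcols has to be used after stats" remark implies.

```spl
index=ipam sourcetype=data earliest=-48h latest=now()
| stats values(*) as * values(_*) as _* by _raw
| appendcols
    [ search index=networksessions sourcetype=microsoft:dhcp (Description=Renew OR Description=Assign OR Description=Conflict) earliest=-15min latest=now()
      | head 1
      | table IP_Address ]
| filldown IP_Address
| where cidrmatch(name, IP_Address)
```

How the pieces fit: the stats by _raw keeps one row per IPAM event while turning the event stream into a result table; appendcols then attaches the single DHCP row (head 1 keeps the newest event, since search results arrive newest first) so IP_Address lands on the first row only; filldown copies that value onto every row; and cidrmatch(name, IP_Address) keeps rows whose CIDR in name contains the address (argument order is subnet first, address second). This avoids the original failure, where return ($IP_Address) spliced the bare string into the text of the where clause and produced the "operator at '10.132.195.72' is invalid" error. One caveat worth checking: if the DHCP subsearch returns no event, IP_Address is never populated and the where clause drops every row, so an empty result here means "no recent DHCP event", not "no matching subnet".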