Splunk Search

Fields Search Issue

Phynyte
New Member

what does the syntax look like so I can pull Multiple fields from a subsearch to an outer search?

index=security "An account was successfully logged on." [search index=randomlogs host=employeetermlist20140311 | rex "(?i)^(?:[^,]*,){2}(?P<ADAcctName>[^,]+)" | rex "(?i) .*?,(?P<TermDate>\\d+/\\d+/\\d+)(?=,)" | rename ADAcctName AS Account_Name | table Account_Name TermDate | fields Account_Name TermDate] | eval NewAccount_Name=mvindex(Account_Name, 1) | stats max(_time) by NewAccount_Name | rename max(_time) AS Last_Login | eval Last_Successful_Login=strftime(Last_Login, "%m/%d/%Y") | table NewAccount_Name TermDate Last_Successful_Login

My search works just find without TermDate and I figured out that the problem is with my fields

I tried listed them multiple different ways but it never pulls TermDate out with my Account_Name?

I know it's something easy just not sure what.

Tags (1)
0 Karma

Phynyte
New Member

No term date only exists within the randomlogs search. I just want to pull that field out of the inner search and any account name returned I wanted to match the term date in a table beside it

0 Karma

somesoni2
Revered Legend

Do the index=security have field named TermDate?

0 Karma

Phynyte
New Member

Yes the inner search works just fine if executed by itself

0 Karma

Phynyte
New Member

Yes it does

0 Karma

antlefebvre
Communicator

Check to make sure your extractions are the same case as what you are trying to list. TermDate is not the same as termdate.

0 Karma

antlefebvre
Communicator

I'm guessing your full search is pulling the Account_Name from the security index. Not the randomlogs index. In that case your not actually getting a event matches with the termdate.

0 Karma

Phynyte
New Member

I updated the search and it's still not working.

index=security "An account was successfully logged on." [search index=randomlogs host=employeetermlist20140311 | rex "(?i)^(?:[^,],){2}(?P[^,]+)" | rex "(?i) .?,(?P\d+/\d+/\d+)(?=,)" | rename ADAcctName AS Account_Name | table Account_Name termdate | fields Account_Name, termdate] | eval NewAccount_Name=mvindex(Account_Name, 1) | stats max(_time) by NewAccount_Name | rename max(_time) AS Last_Login | eval Last_Successful_Login=strftime(Last_Login, "%m/%d/%Y") | table NewAccount_Name termdate Last_Successful_Login

0 Karma
Get Updates on the Splunk Community!

Let’s Talk Terraform

If you’re beyond the first-weeks-of-a-startup stage, chances are your application’s architecture is pretty ...

Cloud Platform | Customer Change Announcement: Email Notification is Available For ...

The Notification Team is migrating our email service provider. As the rollout progresses, Splunk has enabled ...

Save the Date: GovSummit Returns Wednesday, December 11th!

Hey there, Splunk Community! Exciting news: Splunk’s GovSummit 2024 is returning to Washington, D.C. on ...