I am running a nested search but it does not return any data.
However, when I run the searches separately, they do.
The full search with no results is:
index="f5-default" [search index="cisco_asa" host="192.168.5.x" dest_ip="172.16.5.57"
| stats count by session_id src_ip | where count=2 | dedup src_ip | rename src_ip as IP | table IP]
But my first search:
index="cisco_asa" host="192.168.5.2" dest_ip="172.16.5.57" src_ip!="208.94.147.100" src_ip="40.77.167.108"
| stats count by session_id src_ip | where count=2 | dedup src_ip | rename src_ip as IP | table IP
or
index="f5-default"
I get events.
Your search assumes that the field with the IP address in index="f5-default" is named IP, which evidently it is not (otherwise it would DEFINITELY work). Fix the | rename src_ip AS IP to the correct field name.
Does the index f5-default have a field named IP?
You could try getting your subsearch to return a plain text filter like this:
index="f5-default" [search index="cisco_asa" host="192.168.5.x" dest_ip="172.16.5.57"
| stats count by session_id src_ip
| where count=2
| dedup src_ip
| fields src_ip
| rename src_ip as search]
Documentation here - https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/Search/Changetheformatofsubsearchresults
Subsearches become literal text in their main searches. If the subsearch results in 3 IP addresses like 10.2.3.4, 10.3.4.5, 10.4.5.6, then the full search will be index="f5-default" 10.2.3.4 10.3.4.5 10.4.5.6, which means all three IP addresses have to be present in an event to show up. Try this query:
index="f5-default" [search index="cisco_asa" host="192.168.5.x" dest_ip="172.16.5.57"
| stats count by session_id src_ip | where count=2 | dedup src_ip | rename src_ip as IP | fields IP | format]
The format command adds OR operators between the results, so you get a final search that looks like index="f5-default" (IP=10.2.3.4 OR IP=10.3.4.5 OR IP=10.4.5.6), which should work better.
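The three answers above hinge on how the subsearch rows are rewritten into search text and whether the resulting field name exists in the outer index. The following is an added example, not code from the thread or from Splunk: a small model of the documented `format` defaults (and the special handling of a field named `search`), applied to constructed sample rows and constructed f5-default events whose address field is assumed to be called client_ip rather than IP.

```python
from typing import Dict, List

Row = Dict[str, str]  # one subsearch result row: field -> value


def format_subsearch(rows: List[Row]) -> str:
    """Render subsearch rows the way `| format` does with its default
    arguments: every row becomes ( f1="v1" AND f2="v2" ), the rows are
    joined with OR, and the whole clause is parenthesised. A field named
    `search` is inserted as literal search text, not as search="...".
    (An empty result set is not modelled here.)"""
    clauses = []
    for row in rows:
        terms = [v if f == "search" else f'{f}="{v}"' for f, v in row.items()]
        clauses.append("( " + " AND ".join(terms) + " )")
    return "( " + " OR ".join(clauses) + " )"


def matches(rows: List[Row], event: Dict[str, str]) -> bool:
    """Evaluate the same OR-of-ANDs filter against one event. A literal
    `search` term is approximated as a substring match on _raw."""
    for row in rows:
        ok = True
        for f, v in row.items():
            if f == "search":
                ok = ok and v in event.get("_raw", "")
            else:
                ok = ok and event.get(f) == v
        if ok:
            return True
    return False


# Constructed sample data (not from the thread): two IPs the cisco_asa
# subsearch might return, rendered three ways, and three f5-default events
# whose address field is assumed to be named client_ip, not IP.
SUBSEARCH_AS_IP = [{"IP": "10.2.3.4"}, {"IP": "10.3.4.5"}]
SUBSEARCH_AS_CLIENT_IP = [{"client_ip": "10.2.3.4"}, {"client_ip": "10.3.4.5"}]
SUBSEARCH_AS_TEXT = [{"search": "10.2.3.4"}, {"search": "10.3.4.5"}]
F5_EVENTS = [
    {"_raw": "client_ip=10.2.3.4 vs=web", "client_ip": "10.2.3.4"},
    {"_raw": "client_ip=10.9.9.9 vs=web", "client_ip": "10.9.9.9"},
    {"_raw": "client_ip=10.3.4.5 vs=web", "client_ip": "10.3.4.5"},
]


def count_hits(rows: List[Row]) -> int:
    """Number of f5-default sample events the rendered filter would keep."""
    return sum(matches(rows, e) for e in F5_EVENTS)
```

With the field renamed to IP the filter matches nothing, because no event carries that field; renaming to the real field name, or to `search` so the value is inserted as plain text, keeps the two expected events.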