Splunk Search

How can I use a subsearch as fields in my report?

qtopia7100
Explorer

This is the search I'm working with:

index="*-network" (sourcetype="cisco:asa" OR sourcetype="routers") user="user*" ("session terminated" OR "session started") | table _time, user, src_ip

I want a field that has "session terminated" OR "session started" based on which value is in the log.

0 Karma

gokadroid
Motivator

Please try this:

index="*-network" (sourcetype="cisco:asa" OR sourcetype="routers") user="user*" ("session terminated" OR "session started") 
| rex field=_raw ".*(?<sessionState>(session\s*(terminated|started))).*"
| table _time, user, src_ip, sessionState

See the extraction here

If you want to make it case-insensitive, like the search bar does, try (?i) in rex:

...| rex field=_raw ".*(?<sessionState>(?i)(session\s*(terminated|started))).*"| ...

0 Karma
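As an added illustration (not part of the answer above), here is a Python mock-up of what the rex does over a few constructed events: the search-bar terms match case-insensitively, so an event like "Session Started" passes the base search but the case-sensitive rex leaves sessionState empty until (?i) is added. The sample events, user names and IPs are constructed.

```python
import re

# The answer's rex pattern. Python's re uses (?P<name>...) where Splunk's PCRE rex uses
# (?<name>...); the leading/trailing .* in the answer are not needed with search().
SESSION_RE = r"(?P<sessionState>session\s*(terminated|started))"
SESSION_CS = re.compile(SESSION_RE)                 # as in the first rex
SESSION_CI = re.compile(SESSION_RE, re.IGNORECASE)  # the (?i) variant

# Constructed sample _raw events standing in for cisco:asa / routers logs (not real data).
SAMPLE_EVENTS = [
    "Oct 21 11:02:03 fw01 %ASA-6-113039: user=user01 src_ip=10.0.0.5 session started",
    "Oct 21 11:09:44 fw01 %ASA-6-113019: user=user01 src_ip=10.0.0.5 session terminated",
    "Oct 21 11:10:01 rtr02 user=user02 src_ip=10.0.0.9 Session Started",
    "Oct 21 11:11:12 rtr02 user=user03 src_ip=10.0.0.12 interface up",
]

def matches_base_search(raw):
    """The search-bar terms ("session terminated" OR "session started") match case-insensitively."""
    low = raw.lower()
    return "session terminated" in low or "session started" in low

def extract_session_state(raw, case_insensitive=False):
    """Mimic `rex field=_raw`: return the captured sessionState, or None when rex adds no field."""
    pattern = SESSION_CI if case_insensitive else SESSION_CS
    m = pattern.search(raw)
    return m.group("sessionState") if m else None

def build_table(events, case_insensitive=False):
    """Mimic the pipeline: base search filter, rex, then `table _time, user, src_ip, sessionState`."""
    rows = []
    for raw in events:
        if not matches_base_search(raw):
            continue
        kv = dict(re.findall(r"\b(user|src_ip)=(\S+)", raw))  # stand-in for the extracted fields
        rows.append({
            "_time": raw[:15],
            "user": kv.get("user"),
            "src_ip": kv.get("src_ip"),
            "sessionState": extract_session_state(raw, case_insensitive),
        })
    return rows

if __name__ == "__main__":
    for row in build_table(SAMPLE_EVENTS):
        print(row)  # third row has sessionState=None without (?i)
    for row in build_table(SAMPLE_EVENTS, case_insensitive=True):
        print(row)
```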