Splunk Search

How do you get around the subsearch limitation when defining events?

splunk_svc
Path Finder

Hi Splunkers.

I am retrieving a field from JSON log file using rex, table and spath.
Although this runs fine as a standard query, I'm not able to turn this into an eventtype due to the restriction on subsearches when defining an event type's query.

Here's my query:
index=my_index "lane" | rex "^(?:[^ \n]* ){7}(?P<my_data>.+)" | table my_data | spath input=my_data | fields lane

I am trying to create an event type of "lane" from this but of course cannot due to the subquery limitation.
I'm sure there is a way around this limitation but I've not been able to find it.
Don't seem to have found any similar post on here either.

How does one get the output of this into an eventtype??

Thanks.

0 Karma

woodcock
Esteemed Legend

The problem is the pipes, not eventtypes. But let's back up. Why do you think you need an eventtype? What is your overall end goal?

0 Karma

lguinn2
Legend

The rules for an eventtype actually say

You cannot base an event type on a search that:

  • Includes a pipe operator after a simple search.
  • Includes a subsearch.

So you will need to remove ALL of the commands after the base search. First, the table and fields commands are adding nothing to your eventtype and can simply be deleted. The field extractions performed by the rex and spath commands should be coded into props.conf for the sourcetype. You will find some information about how to do this if you read the documentation for the spath and rex commands. Here is another list of references for field extraction.

Finally, why do you need an eventtype? Perhaps a macro would serve you better, as it does not have these restrictions.

0 Karma
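An added example (not from the original thread, and not Splunk's own documentation) of what lguinn2's answer describes for the query in the question: move the rex and spath work into props.conf so the base search has no pipes, then define the eventtype on that base search, with a macro as the alternative that keeps the full pipeline. The sourcetype name my_sourcetype, the stanza names lane and lane_events, and the assumption that the JSON blob holds a top-level string key "lane" are mine; spath has no props.conf equivalent, so the lane extraction below is a regex over the extracted JSON text, not a JSON parse.

```ini
# props.conf (search-time, in the app that owns the sourcetype)
# Assumed sourcetype name; replace with the real one.
[my_sourcetype]
# Same capture as the original rex: everything after the 7th space-delimited token.
# Named groups in .conf regexes use PCRE syntax; (?<name>...) and (?P<name>...) both work.
EXTRACT-my_data = ^(?:[^ \n]* ){7}(?<my_data>.+)
# spath cannot be expressed in props.conf, so pull the key out of the JSON text with a
# regex instead. "in my_data" runs this extraction against the my_data field, not _raw.
# Assumes a top-level string value, e.g. ..."lane":"A1"...; if lane is a number or is
# nested under another object, this regex must change.
EXTRACT-lane = "lane"\s*:\s*"(?<lane>[^"]*)" in my_data

# eventtypes.conf
# No pipes and no subsearch: only the base search. The lane field is added to every
# matching event by the EXTRACT above, so it is available without rex or spath.
[lane]
search = index=my_index sourcetype=my_sourcetype "lane"

# macros.conf
# Alternative if you only need a reusable search rather than a tag-able eventtype:
# a macro may contain the whole pipeline, pipes included.
[lane_events]
definition = index=my_index sourcetype=my_sourcetype "lane" | rex "^(?:[^ \n]* ){7}(?P<my_data>.+)" | spath input=my_data | fields lane
```

After deploying, check that the search-time extraction and the eventtype both fire with something like `index=my_index sourcetype=my_sourcetype "lane" | stats count by eventtype, lane`; the macro is called as `` `lane_events` `` followed by whatever reporting commands you need. The regex-based lane extraction is the one real departure from the original query: spath understands escaped quotes and nesting, the regex does not, so verify a few events where the JSON is unusual before relying on the eventtype.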

splunk_svc
Path Finder

BTW, using Splunk v6.2.6

0 Karma