I'm 99% there guys. The query works fine. Soliciting assistance getting me to the end zone. Would like to also include v_user_name in the main search results table. How would one achieve this...
index="bro" sourcetype="bro_http" dest_ipi_zone="EXT" user_agent="*Mozilla*"
[search index="sep" sourcetype="sep:server_client_log" [| inputlookup watcher_list | fields v_user_name ]
| stats count values(dest_ip) as dest_ip by v_user_name
| fields dest_ip
| rename dest_ip as id.orig_h
| format ]
| table _time id.orig_h id.resp_h id.resp_p method domain uri post_body
You need to add v_user_name to line 4 as well as to the table line in 7.
In line 4 you are saying what fields to keep going forward, and all you are bringing back from the subsearch is dest_ip.
Unfortunately, adding v_user_name as an additional field in line 4 causes the query to return zero results. Also attempted adding via line 3 and output as a different name, yielded same results.
Have you tried to add v_user_name to your table in line 7?
... | table _time id.orig_h id.resp_h id.resp_p method domain uri post_body v_user_name
Yes, I've tried adding the value to the table in the main search. The results are blank. The value isn't being fed to the main search.
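The thread stops without explaining why the extra field empties the results, so here is an added illustration (not code from the thread or from Splunk) of what a subsearch hands back to the outer search. A subsearch ending in `format` is turned into a filter of `field=value` clauses that every outer event must satisfy. The Bro HTTP events carry `id.orig_h` but no `v_user_name`, so as soon as `v_user_name` is kept in the subsearch output, every clause demands a field the outer events never have and nothing matches. The sample SEP rows, watcher list and Bro rows below are constructed, and the `enrich` step models a join keyed on the IP after filtering (an assumption about how one would attach the user name; in SPL that would be a `join` or a lookup rather than a subsearch filter).

```python
"""Model of a Splunk-style subsearch filter and why an extra field empties the results.

Constructed sample data only; field names follow the thread (dest_ip, v_user_name, id.orig_h).
"""
from collections import defaultdict

# Constructed stand-in for index="sep" sourcetype="sep:server_client_log".
SEP_EVENTS = [
    {"v_user_name": "alice", "dest_ip": "203.0.113.10"},
    {"v_user_name": "alice", "dest_ip": "203.0.113.11"},
    {"v_user_name": "bob", "dest_ip": "198.51.100.5"},
    {"v_user_name": "carol", "dest_ip": "192.0.2.77"},  # not on the watcher list
]

# Constructed stand-in for `| inputlookup watcher_list | fields v_user_name`.
WATCHER_LIST = {"alice", "bob"}

# Constructed stand-in for index="bro" sourcetype="bro_http" events (no v_user_name field).
BRO_EVENTS = [
    {"_time": "2024-01-01T10:00:00", "id.orig_h": "203.0.113.10", "id.resp_h": "198.51.100.200",
     "id.resp_p": 80, "method": "GET", "domain": "example.test", "uri": "/", "post_body": ""},
    {"_time": "2024-01-01T10:01:00", "id.orig_h": "198.51.100.5", "id.resp_h": "198.51.100.201",
     "id.resp_p": 80, "method": "POST", "domain": "example.test", "uri": "/login", "post_body": "x=1"},
    {"_time": "2024-01-01T10:02:00", "id.orig_h": "192.0.2.77", "id.resp_h": "198.51.100.202",
     "id.resp_p": 80, "method": "GET", "domain": "other.test", "uri": "/a", "post_body": ""},
    {"_time": "2024-01-01T10:03:00", "id.orig_h": "10.0.0.9", "id.resp_h": "198.51.100.203",
     "id.resp_p": 80, "method": "GET", "domain": "other.test", "uri": "/b", "post_body": ""},
]


def subsearch(sep_events, watchers, keep_fields):
    """Emulate: ... | stats values(dest_ip) as dest_ip by v_user_name
                    | fields <keep_fields> | rename dest_ip as id.orig_h | format

    Returns the OR-ed list of AND-clauses (field -> value) the outer search must satisfy.
    A multivalue dest_ip is expanded to one clause per IP, which matches the same events
    as Splunk's "(id.orig_h=a OR id.orig_h=b)" rendering.
    """
    by_user = defaultdict(set)
    for ev in sep_events:
        if ev["v_user_name"] in watchers:
            by_user[ev["v_user_name"]].add(ev["dest_ip"])
    clauses = []
    for user in sorted(by_user):
        for ip in sorted(by_user[user]):
            row = {"id.orig_h": ip, "v_user_name": user}  # rename already applied
            clauses.append({k: v for k, v in row.items() if k in keep_fields})
    return clauses


def matches(event, clauses):
    """An event passes if it satisfies every field of at least one clause."""
    return any(all(event.get(k) == v for k, v in clause.items()) for clause in clauses)


def outer_search(bro_events, clauses):
    """Apply the generated filter to the Bro events, as the outer search would."""
    return [ev for ev in bro_events if matches(ev, clauses)]


def enrich(bro_events, sep_events):
    """Assumed join-style step: attach v_user_name to already-filtered Bro events by IP.

    This is the part a subsearch filter cannot do on its own, because the filter only
    restricts which events come back; it never adds fields to them.
    """
    ip_to_user = {ev["dest_ip"]: ev["v_user_name"] for ev in sep_events}
    return [dict(ev, v_user_name=ip_to_user.get(ev["id.orig_h"])) for ev in bro_events]


def run(keep_fields):
    """Full pipeline for a given `fields` line in the subsearch; returns the hit events."""
    return outer_search(BRO_EVENTS, subsearch(SEP_EVENTS, WATCHER_LIST, keep_fields))


if __name__ == "__main__":
    hits = run({"id.orig_h"})
    print("fields dest_ip           ->", len(hits), "events")             # 2 events
    print("fields dest_ip v_user_name ->", len(run({"id.orig_h", "v_user_name"})), "events")  # 0 events
    for ev in enrich(hits, SEP_EVENTS):
        print(ev["_time"], ev["id.orig_h"], ev["v_user_name"])
```

Running it shows the two outcomes side by side: keeping only `dest_ip` (renamed to `id.orig_h`) yields the two watched users' connections, while also keeping `v_user_name` yields zero because each generated clause now requires `v_user_name=...` on events that have no such field. The user name can only appear in the final table if it is attached after the filter, keyed on the IP, which is what `enrich` models.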