How do you return multiple fields from a subsearch...

yepyepyayyooo · ‎03-01-2019

I'm 99% there guys. The query works fine. Soliciting assistance getting me to the end zone. Would like to also include v_user_name in the main search results table. How would one achieve this...

index="bro" sourcetype="bro_http" dest_ipi_zone="EXT" user_agent="*Mozilla*"
    [search index="sep" sourcetype="sep:server_client_log" [| inputlookup watcher_list | fields v_user_name ]
    | stats count values(dest_ip) as dest_ip by v_user_name
    | fields dest_ip
    | rename dest_ip as id.orig_h
    | format ]
| table _time id.orig_h id.resp_h id.resp_p method domain uri post_body

jeffbat · ‎03-01-2019

You need to add v_user_name to line 4 as well as to the table line in 7.

In line 4 you are saying what fields to keep going forward and all you are bringing back from the subsearch is dest_ip

yepyepyayyooo · ‎03-04-2019

Unfortunately, adding v_user_name as an additional field in line 4 causes the query to return zero results. Also attempted adding via line 3 and output as a different name, yielded same results.

damann · ‎03-01-2019

have you tried to add v_user_nameto your table in line 7?
... | table _time id.orig_h id.resp_h id.resp_p method domain uri post_body v_user_name

yepyepyayyooo · ‎03-01-2019

Yes, I've tried adding the value to the table in the main search. The results are blank. The value isn't being fed to the main search.

How do you return multiple fields from a subsearch to a main search?

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform