How to create a subsearch with multiple results?

trucall
New Member

Hi,

I have a question about subsearches; I'm probably misunderstanding the docs and other posts.

This is my search:

index=MyIndex [ search index=MyIndex host=as-x | rex " info about (?<objectId>[A-Z0-9]+)" | rename objectId as search ] stringFilter

The subsearch, executed as a normal search, produces many results, so many objectIds.

My expectation is that the final search looks like this:

index=MyIndex (objectId-1 OR objectId-2 OR objectId-3)  stringFilter

The behavior is different: only one objectId is used in the search, and the final search is similar to this:

index=MyIndex (objectId-1)  stringFilter

I don't understand why, or what I need to change in order to process all objects of the subsearch result set.

Thanks for any kind help

Marcello


woodcock
Esteemed Legend

Yo mcfly, @trucall, we've got answers for you, did anything work?


woodcock
Esteemed Legend

You are taking over too much control and doing it all wrong. Start with this:

index=MyIndex host=as-x | rex " info about (?<objectId>[A-Z0-9]+)" | stats count BY objectId

See what this produces and then switch to this:

index=MyIndex host=as-x | rex " info about (?<objectId>[A-Z0-9]+)" | stats count BY objectId | fields - count | format

See what this produces and then switch to this:

index=MyIndex host=as-x | rex " info about (?<objectId>[A-Z0-9]+)" | stats count BY objectId | fields - count | format "(" "" "" "" "OR" ")" | rex field=search mode=sed "s/objectId=//g"

See what this produces and then switch to this:

index=MyIndex [ search index=MyIndex host=as-x | rex " info about (?<objectId>[A-Z0-9]+)" | stats count BY objectId | fields - count | format "(" "" "" "" "OR" ")" | rex field=search mode=sed "s/objectId=//g" ] stringFilter

FrankVl
Ultra Champion

Using format will result in the subsearch returning something like (objectId="123" OR objectId="456"), which won't work given that objectId apparently is not an extracted field. He wants the subsearch to only return the values, to then work as a string filter.

woodcock
Esteemed Legend

Ah, based on this clarification, I have modified my original answer above.

FrankVl
Ultra Champion

I trust you meant | rex field=search mode=sed "s/objectId=//g" 🙂

woodcock
Esteemed Legend

ARGH! Yes, you are right (I edited and fixed that, too). I was using a run-anywhere search to test but forgot to convert that part when I posted the answer. Thank you for grading my papers.

FrankVl
Ultra Champion

Probably because your subsearch does not have any transforming commands. I think the following should work:

index=MyIndex [ search index=MyIndex host=as-x | rex " info about (?<objectId>[A-Z0-9]+)" | stats values(objectId) as search | eval search = "(" . mvjoin(search," OR ") . ")" ] stringFilter

Note: if you make sure objectId is properly extracted (so you don't need rex for it), you can simply do:

index=MyIndex [ search index=MyIndex host=as-x | fields objectId | dedup objectId | format ] stringFilter
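To see what each variant in this thread actually hands back to the outer search, here is an added Python model of the `search` field produced by the `format` pipeline (with the page's `"(" "" "" "" "OR" ")"` arguments and the sed step) and by the `mvjoin` pipeline. It is not Splunk's code and not part of any post; the objectId values are constructed, and the exact whitespace of Splunk's `format` output is assumed to be single-space joining.

```python
"""Model of what the subsearches in this thread return as their `search` field.

Constructed sample: the subsearch's rex yields three objectId values.
Whitespace in the emulated `format` output is an approximation of Splunk's.
"""
import re

OBJECT_IDS = ["A1B2", "C3D4", "E5F6"]  # constructed sample values


def splunk_format(rows, fields, row_prefix="(", col_prefix="(", col_sep="AND",
                  col_end=")", row_sep="OR", row_end=")"):
    """Model of `| format` with its six positional arguments (defaults shown).
    Each row becomes: col_prefix field="value" [col_sep field="value"] col_end;
    rows are joined by row_sep and wrapped in row_prefix / row_end."""
    formatted_rows = []
    for row in rows:
        cols = [f'{f}="{row[f]}"' for f in fields]
        parts = [col_prefix, f" {col_sep} ".join(cols), col_end]
        formatted_rows.append(" ".join(p for p in parts if p))
    parts = [row_prefix, f" {row_sep} ".join(formatted_rows), row_end]
    return " ".join(p for p in parts if p)


def format_then_sed(ids, sed_pattern=r"objectId="):
    """`stats count BY objectId | fields - count | format "(" "" "" "" "OR" ")"`
    followed by `rex field=search mode=sed "s/objectId=//g"`.
    Passing sed_pattern="objectId =" reproduces the first posted version:
    the space never matches, so the field name survives and the outer search
    ends up filtering on a field that was never extracted."""
    rows = [{"objectId": i} for i in ids]
    text = splunk_format(rows, ["objectId"], "(", "", "", "", "OR", ")")
    return re.sub(sed_pattern, "", text)


def values_then_mvjoin(ids):
    """`stats values(objectId) as search | eval search=mvjoin(search," OR ")`.
    values() deduplicates and sorts; the parentheses make AND/OR precedence
    in the outer search explicit."""
    return "(" + " OR ".join(sorted(set(ids))) + ")"


def outer_search(search_field, index="MyIndex", string_filter="stringFilter"):
    """The outer search after Splunk substitutes the subsearch's `search` field."""
    return f"index={index} {search_field} {string_filter}"
```

Calling `outer_search(format_then_sed(OBJECT_IDS))` and `outer_search(values_then_mvjoin(OBJECT_IDS))` shows the two expanded searches side by side, which is what woodcock's "see what this produces" steps are asking you to check in the job inspector.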